Nginx/Apache error: 0906D066:PEM routines:PEM_read_bio:bad end line

Nginx

As we know from the guide, certificate installation on Nginx web server requires a domain certificate file to be combined with intermediate CA certificates into one file.

The Certificate Authority sends these files to the administrative contact email specified during certificate activation. Also, they can be downloaded in your Namecheap account by following these actions. Besides, all CA certificates are located here.

Sometimes, during initial SSL certificate installation or its renewal, the concatenation command corrupts certificate codes and reloading Nginx’s configuration files results in this error:

nerror1

If we open a file with concatenated certificate codes, we can see that closing tag -----END CERTIFICATE----- of one certificate and opening tag -----BEGIN CERTIFICATE----- of another one are joined in one line:

nerror2

The issue fix is quite simple: use a text editor of your choice (for example, Nano or vim on Linux-based operating systems, Notepad on Windows, Textedit on Mac OS X) and create a line break between the two certificate codes, so that -----BEGIN CERTIFICATE----- tag starts with the next line:

nerror3

Make sure that you count five dashes at the start and end of a footer and a header. Save the file and exit the text editor.

The Nginx configuration file can be reloaded with one of the following commands:

nginx -s reload

or

service nginx reload

The server should serve HTTPS from now on without any issues.

Apache

The same issue can occur on Apache webserver. Starting from Apache 2.4.8, it accepts a domain certificate and intermediate certificates combined into a single file; however, there are some peculiarities.

Apache does not show the error output during reload; thus, it's not possible to identify this issue right away like with the Nginx case. In this case, Apache won’t reload the configuration properly, and the main webserver process will be inactive until the issue is fixed. As a result, the domain won’t be accessible over HTTPS.

Thus, we advise checking the error log. The error message can be found there:

nerror4

Since both webservers are using an OpenSSL package by default, the text of the message is pretty same as well as the fix for it. You need to check whether certificate codes’ footers/headers are on different lines.

Then the Apache configuration files can be reloaded with the following command:

service apache2 reload

Note: All changes in configuration files as well as commands for reload should be performed either with sudo privileges or being a superuser as shown in the screenshots.

Updated
Viewed
29197 times

Need help? We're always here for you.

notmyip