Certificate is not a valid PEM certificate

Hi

Tried to install my custom SSL certificate. It's a GoDaddy cert.
I pasted my cert and private key then downloaded GoDaddy cert chain for intermediate certs.

However I can’t send the form because it says: certificate is not a valid PEM certificate

However if I put my cert to a PEM validator everything seems fine.

Any ideas?

Hard to say without being able to see your certificate. I know that feature works since I just added a test certificate to a test site successfully, but also not sure why you’d use a godaddy certificate instead of ours?

Here’s the formats you should have:

CA Chain:

-----BEGIN CERTIFICATE-----
MIIFADC[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]

Cert PEM file:

-----BEGIN CERTIFICATE-----
MIIF[...]
-----END CERTIFICATE-----

Private Key:

-----BEGIN PRIVATE KEY-----
MC[...]
-----END PRIVATE KEY-----

You may need to request a different type of certificate from Godaddy - you’d want something like apache/openssl.

So if my cert is not starting like you mentioned, it might be a clue that it has the wrong format?
eg: my PEM Cert starts like this: MIIG
private key starts: MI
CA: MIIEADC

Another question: does the mentioned error (“Certificate is not a valid PEM certificate”) indicate that specifically my Cert is wrong, or does it mean that my CERT/Key/CA Chain trio is wrong as a whole?

(btw: I don’t really want to use GoDaddy instead of Netlify’s out of the box solution… I just have to…:slight_smile: )

I am facing the same issue…If you find any solution please let me know also

Hi, @Stynson and @laZZySpiDer, the following guide describes how to make a PEM format certificate file manually:

https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm

this mig

You can also check the contents of a PEM file locally using openssl like so:

openssl x509 -text -noout -in /path/to/your/certificate-file.pem

You can also use this to confirm the certificate chain is complete with this:

openssl verify /path/to/your/certificate-file.pem

Would you (both) please try testing the PEM file with openssl verify and let us know if it shows as valid?

Also, if you are interested in using the automatic Let’s Encrypt certificates instead, please let us know and we’ll be happy to assist with getting those working as an alternative if you prefer.

I ran openssl verify; it only said ‘OK’ after I added a GoDaddy intermediate cert as a -CAfile option

openssl verify /path/to/your/certificate-file.pem

Results in: error 20 at 0 depth lookup:unable to get local issuer certificate

openssl verify -CAfile godaddy_intermediate.pem /path/to/your/certificate-file.pem

Results in OK

Hi, @Stynson.

I believe this means that you will need to also include that intermediate SSL certificate in the “Intermediate certs” field when uploading your certificate. That is the third field in the following screenshot.

Are you copying data into all three fields? Again, the intermediate certificate should be in the third field.

If the certificate still doesn’t work when this is done, please let us know.

Yea, I included my CA certificate in the third field, the same one which validated OK with openssl verify…
also tried with and without the begin and end lines for all cases
(-----BEGIN CERTIFICATE----- etc. )

Hello- We are also seeing this issue when trying to import a GoDaddy cert. It is a wildcard cert that was exported from azure. We have been successful importing it to several other services. When following the instructions here we get the error: certificate is not a valid PEM certificate


blocked out keys

I converted this from a PFX to a pem/key using OpenSSL:

openssl pkcs12 -in our.pfx -nocerts -out our.key
openssl pkcs12 -in our.pfx -clcerts -nokeys -out our.crt

But have had no luck. Any help would be appreciated.

FYI my cert is also a GoDaddy wildcard cert exported from azure…

This is a tough one for us to debug, since we can’t see what your certs look like. The functionality does work well for others; it’s used pretty frequently so I don’t think this is a problem with our service. However, I’m not certain that the error our API returns ("certificate is not a valid PEM certificate") might not be about any of the fields rather than just the pem file - so my response will consider all of your inputs.

From your screenshot, I can see that the ascii armor looks appropriate (assuming the top one starts with -----BEGIN CERTIFICATE----- where the tooltip is covering).

I assume your CA Chain (aka Intermediate certs) looks like a SERIES of these?

-----BEGIN CERTIFICATE-----
MI...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MI...
-----END CERTIFICATE-----

Since you have openssl, can you confirm what this returns on your our.crt file?

openssl x509 -in our.crt -text

Also having this issue with a PositiveSSL/ComodoSSL cert via Namecheap.

Tried the command @Stynson suggests:

openssl verify -CAfile mysite.ca-bundle /path/to/your/mysite.crt

Results in OK

One difference is that my key type is PKCS7 (.p7b file)

-----BEGIN PKCS7-----
MI...
-----END PKCS7-----

My guess is that the certificates are ok, but that Netlify is having trouble parsing the key format. Perhaps that is leading to some decoding issues during key checking, I’m not sure.

EDIT: For me the issue was quite silly. I was using the pkcs7 file as the key, which I think is actually some kind of alternate encoding for the certificate file(s). I’m not sure if this will be helpful but I will keep it here in case someone else is confused about all the different file types.

awesome! thanks for sharing that nugget of information :smiley:
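
A local pre-upload check for the three fields discussed in this thread, as an added example that is not part of any post and is not Netlify's own validation. It flags the mix-ups reported above (a PKCS7 file pasted as the key, BEGIN/END lines stripped, extra text around the blocks). The names `check_field`, `sample_pem` and the `EXPECTED` table are assumptions made for illustration, and the sample inputs are constructed placeholders, not real certificates or keys.

```python
import base64
import binascii
import re

# Expected label per upload field, taken from the formats quoted in the thread.
# Assumption: any other label is reported as a finding; the thread does not say
# which additional key labels the service accepts.
EXPECTED = {"certificate": "CERTIFICATE", "private_key": "PRIVATE KEY",
            "ca_chain": "CERTIFICATE"}
BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def check_field(field, text):
    """Return a list of findings for one pasted field; an empty list means it looks right."""
    findings = []
    blocks = BLOCK.findall(text)
    if not blocks:
        return ["no BEGIN/END block found (bare base64 or DER is not PEM)"]
    # Anything left after removing the blocks is stray text, e.g. the
    # "Bag Attributes" lines that `openssl pkcs12` writes before each block.
    if BLOCK.sub("", text).strip():
        findings.append("text outside the BEGIN/END blocks")
    if field != "ca_chain" and len(blocks) != 1:
        findings.append(f"expected 1 block, found {len(blocks)}")
    for label, body in blocks:
        if label != EXPECTED[field]:
            findings.append(f"label {label!r}, expected {EXPECTED[field]!r}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            findings.append(f"{label}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 certs and PKCS#8 keys are DER SEQUENCEs
            findings.append(f"{label}: decoded data does not start with a DER SEQUENCE")
    return findings

def sample_pem(label):
    """Constructed placeholder: a DER SEQUENCE header plus zero bytes, not a real cert or key."""
    body = base64.encodebytes(b"\x30\x82\x00\x3c" + bytes(60)).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

if __name__ == "__main__":
    cases = {
        "cert ok": ("certificate", sample_pem("CERTIFICATE")),
        "p7b pasted as key": ("private_key", sample_pem("PKCS7")),
        "pkcs12 export with preamble": ("certificate", "Bag Attributes\n" + sample_pem("CERTIFICATE")),
        "markers stripped": ("certificate", "MIIG..."),
    }
    for name, (field, text) in cases.items():
        print(name, "->", check_field(field, text) or "OK")
```

The check only looks at PEM framing and labels; `openssl x509 -text` and `openssl verify -CAfile`, as used earlier in the thread, remain the way to confirm the certificate contents and the chain.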