Certificate is not a valid PEM certificate

Sounds like Netlify is also hosting your website then - browsers don’t contact GitHub, they contact Netlify, right? There is a competing product called “GitHub Pages” so this isn’t just me playing stupid, it’s a frequent confusion: “I use netlify to BUILD my site, save to GitHub who serves it to browsers” or “GitHub hosts my source code, but Netlify builds it and hosts the website”.

As regards hostname, I was wondering about the DNS hostname, rather than the Netlify hostname, but I can see that that Netlify site has a hostname set.

That hostname is currently hosted entirely at namecheap; you’ll have to turn off the “parking” feature there and follow DNS instructions like these, if you want us to host the site instead:

$ host YOURREALHOSTNAME
YOURREALHOSTNAME is an alias for parkingpage.namecheap.com.
parkingpage.namecheap.com has address 198.54.117.217
parkingpage.namecheap.com has address 198.54.117.210
parkingpage.namecheap.com has address 198.54.117.218
parkingpage.namecheap.com has address 198.54.117.215
parkingpage.namecheap.com has address 198.54.117.212
parkingpage.namecheap.com has address 198.54.117.216
parkingpage.namecheap.com has address 198.54.117.211

Once you decide to turn off parking at Namecheap, let me know if you’d like me to re-examine to try to re-advise!

> Sounds like Netlify is also hosting your website then - browsers don’t contact GitHub, they contact Netlify, right?

Yeah, apologies for the poorly worded answers.

> That hostname is currently hosted entirely at namecheap; you’ll have to turn off the “parking” feature there and follow DNS instructions like these, if you want us to host the site instead

Okay, I’ll look into that.

> you’ll have to turn off the “parking” feature there and follow DNS instructions like these

I’ve done that, what should be the target? I suppose it would be mberkmann.dev?

Nope, you’ll follow this guidance for best performance:

(apologies - I had meant to link that in my last response!)

write please.

rootca
subca

this form

Hi, @wees. I’m not sure what you are stating or asking above. Would you please explain in more detail?

What did you provide as Private Key while setting custom certificate?

I am facing the exact issue you were. Here is a link to the topic I raised:
https://answers.netlify.com/t/error-dns-probe-finished-nxdomain-for-namecheap-domain/38164

Thanks for sharing that link, @Hitesh_Abichandani :slight_smile: For any future members reading this thread, the above link contains a solution, so check it out!

@fool @hillary
I am facing the same issue “Certificate is not a valid PEM certificate”. Nothing seems to work for me.

This is what I did:
Connected GitLab repo, used custom domain and launched draft version of our website. Default Let’s Encrypt cert was issued for our domain by Netlify.
When I tried to add custom GoDaddy SSL cert, I am getting the error mentioned.
I verified the certs provided by Godaddy, all are valid (pem, private key, intermediate).
I did follow this thread and checked/tried diff methods, but nothing solved the issue.
I am lost on how to fix this. Please help.

Hi @devopstoday11,

We’re equally at a loss here as we don’t have or can’t see your certificate to test this ourselves.

But you could help us and yourself reach a conclusion:

How did you verify this? As already mentioned above, this works fine for almost everyone and the complaints that you’ve seen never reached a good conclusion.

A lot of the complaints also seem to be from GoDaddy users only. Could you try to see if you can get some other SSL certificate and whether it works fine?

We had the same issue with Netlify saying “Certificate is not a valid PEM certificate” when we were trying to update our wildcard SSL certificate yesterday.

I ended up giving up and switching to Let’s Encrypt because our certificate was expiring today. Sort of out of luck, the site wasn’t loading with the Let’s Encrypt certificate in the Domain Settings so I went back in and tried to upload our custom certificate again, just like yesterday.

It worked this time!!

So, I have no idea if this will help anyone else, but the next person who runs into this, I would recommend switching to a Let’s Encrypt certificate and then afterward, try your custom certificate again.

Would love to hear if that works for anyone.

Thanks so much for chiming in and sharing this suggestion with us, @techit. We are glad that this worked for you!

Thank you for sharing this! Unfortunately this didn’t solve my issue and I get the same error message. It’s a clear issue on Netlify’s end.

Hey there, @x0Z3ro0x :wave:

Sorry to hear the above solutions didn’t help you. Are you looking for further assistance? If so, I would recommend starting with this link, that covers how to create a PEM certificate manually. If that doesn’t help, we will need the following information from you:

  1. Tell us how your site is hosted in detail. “code lives on github, I build by X, and webservers contact service Y”.
  2. Tell us your actual hostname (no matter who hosts it :)), so we can examine your config.
  3. The first 5 or 6 characters of your certificate and key, preferably in the format that @TwinThread or @Berkmann18 did above. If you are not comfortable sharing this publicly, you can DM it to me. Please note, however, that this may result in a slower response time due to staffing changes over the weekend.

Thanks!

I got exactly the same problem as @TwinThread.

The fix for me is to change my encrypted private key to an RSA private key.

If you have a pfx file, you can use openssl to generate your private key:

openssl pkcs12 -in x.pfx -nocerts -nodes -passin pass:123456 | openssl rsa -out privkey.pem

Open your private key file and you should see

-----BEGIN RSA PRIVATE KEY-----

and paste the RSA private key.

This was super helpful. My problem ended up being that I didn’t realize my private key was encrypted. In addition, I didn’t realize the root cert also needed to be part of the intermediates.

For others that had issues, I found locally validating the cert and private key before uploading helped out a lot.

For finding the intermediate certs, I printed out the metadata for the cert I wanted to upload, searched for the link to the cert that signed it and repeated this process until I reached a root cert.

openssl x509 -in the.crt -text

After getting the intermediate certs, I concatenated them all in a .pem file in order with the root cert last, then validated that the content in that file was sufficient using the following command. (The .pem file format can be found here https://www.digicert.com/kb/ssl-support/pem-ssl-creation.htm)

openssl verify -CAfile intermediates.pem your.crt

Consult this for how to validate a private key: https://www.sectigo.com/faqs/detail/How-do-I-verify-that-a-private-key-matches-a-certificate-OpenSSL-1527076112539/kA01N000000zFTR
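
A structural pre-flight for the values discussed in the two posts above (encrypted versus plain private key, and which block goes where), as an added example that is not code from any poster and not Netlify's own validation. The function names, the three field names and the sample key are assumptions made for illustration; it checks PEM labels, encryption markers and base64 only, while signature and key-match checks stay with the `openssl` commands above.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers plus body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}
# Constructed sample (not a real key): traditional-format key with a passphrase.
SAMPLE_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00\n\nMAMCAQA=\n-----END RSA PRIVATE KEY-----\n")


def inspect_pem(text):
    """Return a list of (label, problems) for every PEM block in text."""
    results = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        problems = []
        # Encrypted: PKCS#8 has its own label; traditional adds a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted")
        elif label not in KEY_LABELS | {"CERTIFICATE"}:
            problems.append(f"unexpected block type {label}")
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
                if not der.startswith(b"\x30"):  # DER SEQUENCE tag
                    problems.append("body is not a DER structure")
            except ValueError:
                problems.append("body is not valid base64")
        results.append((label, problems))
    return results


def preflight(cert_pem, key_pem, chain_pem):
    """Return findings for the certificate, private key and intermediates."""
    findings = []
    for field, text, want in (("certificate", cert_pem, {"CERTIFICATE"}),
                              ("private key", key_pem, KEY_LABELS),
                              ("intermediates", chain_pem, {"CERTIFICATE"})):
        blocks = inspect_pem(text)
        if not blocks:
            findings.append(f"{field}: no PEM block found")
        for label, problems in blocks:
            if label not in want and not problems:
                problems = [f"{label} does not belong in this field"]
            findings += [f"{field}: {p}" for p in problems]
    return findings
```

With OpenSSL 3.x, `openssl rsa` writes the label `PRIVATE KEY` unless `-traditional` is given, which is why `KEY_LABELS` in this check accepts both forms.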