[Modules] GnuTls: Base64 unexpected header error
gnd
2009-05-20 11:42:57 UTC
Hello,

we recently moved some websites to another server. One of the websites has
a certificate issued by Equifax; it's a QuickSSL Premium programme.

When we moved the site to the other server, I copied the certificate and
the private key as well. The problem is that when I'm trying to start
Apache with the old key & cert I get this error:

Syntax error on line 143 of /etc/apache2/sites-enabled/vhosts.conf:
GnuTLS: Failed to Import Private Key '/etc/apache2/ssl.key/xxx_real.key':
(-207) Base64 unexpected header error.
failed!

Apache won't start. The conf looks like this:

GnuTLSEnable on
GnuTLSPriorities NORMAL
DocumentRoot ....
ServerName xxx.com:443
GnuTLSCertificateFile /etc/apache2/ssl.crt/xxx_old.crt
GnuTLSKeyFile /etc/apache2/ssl.key/xxx_old.key

When I try to verify the cert and the privkey with the openssl utility,
it's OK. Maybe the problem is that on the old server we had a different
version of openssl and we were using mod_ssl instead of mod_gnutls?

Thank you for answers,

gnd/
Simon Josefsson
2009-05-20 10:38:54 UTC
Post by gnd
Hello,
we recently moved some websites to another server. One of the websites has
a certificate issued by Equifax; it's a QuickSSL Premium programme.
When we moved the site to the other server, I copied the certificate and
the private key as well. The problem is that when I'm trying to start
(-207) Base64 unexpected header error.
failed!
GnuTLSEnable on
GnuTLSPriorities NORMAL
DocumentRoot ....
ServerName xxx.com:443
GnuTLSCertificateFile /etc/apache2/ssl.crt/xxx_old.crt
GnuTLSKeyFile /etc/apache2/ssl.key/xxx_old.key
When I try to verify the cert and the privkey with the openssl utility,
it's OK. Maybe the problem is that on the old server we had a different
version of openssl and we were using mod_ssl instead of mod_gnutls?
Can you run 'certtool -k' on the key file? It may be that GnuTLS cannot
parse it. Don't paste the output into an e-mail, or you'll have to
revoke the certificate.

/Simon
gnd
2009-05-20 11:55:38 UTC
Hello,

certtool gives me the info without any problems, so I suppose it can parse
the private key ...

regards,

gnd/
gnd
2009-05-20 14:51:31 UTC
hello,

I investigated further on the private key. It's obtained from the provider
1&1 via some free SSL certificate giveaway that is a deal with Geotrust ..

So the problem with the key is that it's not generated by us, but it's
generated by either 1&1 or Geotrust - which provides the certificate to
it.

Another thing is that the key length is different from the keys that we
generated by ourselves. Our private keys are 1024-bit RSA with the size of
887 bytes, whilst the key from 1&1 has a size of 912 bytes. Also it's
starting with "-----BEGIN PRIVATE KEY-----" instead of "-----BEGIN RSA
PRIVATE KEY-----".

When I do a certtool -d9 -k on the key I get this kind of info from the
certtool:

|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN DSA PRIVATE KEY'
|<2>| ASSERT: privkey.c:378
(here it prints out key info)

So the key is in some format that can't be read by mod_gnutls. Do you have
any idea what format it could be?

thank you,

gnd/
Nikos Mavrogiannopoulos
2009-05-20 13:55:30 UTC
Post by gnd
hello,
I investigated further on the private key. It's obtained from the provider
1&1 via some free SSL certificate giveaway that is a deal with Geotrust ..
So the problem with the key is that it's not generated by us, but it's
generated by either 1&1 or Geotrust - which provides the certificate to
it.
Another thing is that the key length is different from the keys that we
generated by ourselves. Our private keys are 1024-bit RSA with the size of
887 bytes, whilst the key from 1&1 has a size of 912 bytes. Also it's
starting with "-----BEGIN PRIVATE KEY-----" instead of "-----BEGIN RSA
PRIVATE KEY-----".
It seems it is a PKCS #8 key. You can convert it to a format that
mod_gnutls should be able to read using certtool -k. However, which
version of gnutls do you use? Newer versions seem to autodetect the
private key file.

regards,
Nikos
gnd
2009-05-20 15:27:38 UTC
hello,
Post by Nikos Mavrogiannopoulos
However which version of gnutls do you use? Newer
versions seem to autodetect the
private key file.
I'm running Debian and the installed mod_gnutls is:

Package: libapache2-mod-gnutls
Priority: extra
Section: httpd
Installed-Size: 80
Maintainer: Jack Bates <ms419 at freezone.co.uk>
Architecture: i386
Source: mod-gnutls
Version: 0.5.2-1
Depends: libc6 (>= 2.7-1)
Filename: pool/main/m/mod-gnutls/libapache2-mod-gnutls_0.5.2-1_i386.deb
Size: 25824
Post by Nikos Mavrogiannopoulos
It seems it is a PKCS #8 key. You can convert it to a format that
mod_gnutls should be able to read using certtool -k.
I tried to convert the key with:
certtool --generate-privkey --infile xxx_real.key --outfile key.pem

and it's working, insofar as Apache will start up, but the website is not
working because of:

An error occurred during a connection to www.mobivita.com.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)
(this is what firefox tells me).

Maybe I did not convert the key correctly?

regards,

gnd/
Simon Josefsson
2009-05-20 14:26:35 UTC
Post by gnd
Post by Nikos Mavrogiannopoulos
It seems it is a PKCS #8 key. You can convert it to a format that
mod_gnutls should be able to read
using certtool -k.
certtool --generate-privkey --infile xxx_real.key --outfile key.pem
and it's working, insofar as Apache will start up, but the website is not
An error occurred during a connection to www.mobivita.com.
Peer's certificate has an invalid signature.
(Error code: sec_error_bad_signature)
(this is what firefox tells me).
Maybe I did not convert the key correctly?
That command generates a new key, it does not convert your existing key.
So signature failures are expected. Try:

certtool -k < oldkey.pem > newkey.pem

/Simon
gnd
2009-05-21 07:56:41 UTC
Hello,
Post by Simon Josefsson
That command generates a new key, it does not convert your existing key.
certtool -k < oldkey.pem > newkey.pem
^^ this helped, thank you very much for the advice. I have another question -
the version of mod_gnutls which I provided in my former email - should it or
should it not autodetect the key type?

kind regards,

gnd/
Nikos Mavrogiannopoulos
2009-05-21 11:09:27 UTC
It is gnutls (not mod_gnutls) that does the auto-detection. Thus
please specify the version you have in your system.

regards,
Nikos
gnd
2009-05-21 12:24:56 UTC
Hello,

dpkg shows me this:

ii  gnutls-bin   2.6.6-1  the GNU TLS library - commandline utilities
ii  gnutls-doc   2.6.6-1  the GNU TLS library - documentation and exam
ii  libgnutls13  2.0.4-4  the GNU TLS library - runtime library
ii  libgnutls26  2.6.6-1  the GNU TLS library - runtime library

regards,

gnd/
Nikos Mavrogiannopoulos
2009-05-21 17:56:54 UTC
Post by gnd
Hello,
ii  gnutls-bin   2.6.6-1  the GNU TLS library - commandline utilities
ii  gnutls-doc   2.6.6-1  the GNU TLS library - documentation and exam
ii  libgnutls13  2.0.4-4  the GNU TLS library - runtime library
ii  libgnutls26  2.6.6-1  the GNU TLS library - runtime library
Could it be that mod_gnutls is using libgnutls13? Could you check the
output of ldd path/to/mod_gnutls.so?

regards,
Nikos
Nikos Mavrogiannopoulos
2009-05-21 18:01:42 UTC
Post by gnd
Hello,
ii  gnutls-bin   2.6.6-1  the GNU TLS library - commandline utilities
ii  gnutls-doc   2.6.6-1  the GNU TLS library - documentation and exam
ii  libgnutls13  2.0.4-4  the GNU TLS library - runtime library
ii  libgnutls26  2.6.6-1  the GNU TLS library - runtime library
Sorry, it seems that mod_gnutls doesn't use the gnutls functions that do
the autodetection. The next release will support it.

regards,
Nikos
Sat Forum
2011-06-17 21:18:46 UTC
Hi,
I assume that you have an encrypted private key.
You can check it by:
$ head -n 1 serverkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----

Then decrypt by:
$ openssl rsa -in serverkey.pem -out serverkeynew.pem

Best regards
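The whole thread comes down to three checks a practitioner would want before touching the vhost config: what PEM header the key actually has (PKCS#1 "RSA PRIVATE KEY", unencrypted PKCS#8 "PRIVATE KEY", or encrypted PKCS#8 as the last post suggests), a conversion to the traditional form that mod_gnutls 0.5.2 accepts, and a confirmation that the key still belongs to the certificate, which is the step that would have caught the `certtool --generate-privkey` mistake before Firefox reported a bad signature. The script below is an added example and is not code from the thread, from mod_gnutls or from GnuTLS. It uses the OpenSSL command line (assumed to be OpenSSL 1.1.0 or newer, for `openssl pkey -traditional`) as the converter instead of the thread's `certtool -k`, and the file names `server.key`, `server.crt` and `converted.key` are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM private key by its
# header, convert it to the PKCS#1 "RSA PRIVATE KEY" form that mod_gnutls
# 0.5.2 accepts, and confirm the key matches the certificate.
# Assumes the openssl CLI (>= 1.1.0); file names are placeholders.

# Classify a PEM private key by its first line (what "head -n 1" shows).
# Prints one of: pkcs1-rsa | pkcs8 | pkcs8-encrypted | unknown
pem_key_kind() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN RSA PRIVATE KEY-----")       echo pkcs1-rsa ;;
        "-----BEGIN PRIVATE KEY-----")           echo pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Rewrite the key in the traditional (PKCS#1) RSA format. This does the
# same job as the thread's "certtool -k < oldkey.pem > newkey.pem"; for an
# encrypted PKCS#8 key openssl asks for the passphrase first.
to_pkcs1() {
    openssl pkey -in "$1" -out "$2" -traditional 2>/dev/null
}

# Check that key and certificate carry the same public key by comparing
# the SubjectPublicKeyInfo PEM derived from each. A freshly generated key
# (certtool --generate-privkey) fails here, and that mismatch is what the
# browser reported as "Peer's certificate has an invalid signature".
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Usage: sh keycheck.sh server.key server.crt [converted.key]
if [ $# -ge 2 ]; then
    echo "key format: $(pem_key_kind "$1")"
    if key_matches_cert "$1" "$2"; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate" >&2
        exit 1
    fi
    if [ $# -ge 3 ] && to_pkcs1 "$1" "$3"; then
        echo "wrote $(pem_key_kind "$3") key to $3"
    fi
fi
```

Run it as `sh keycheck.sh server.key server.crt converted.key`; the match check runs before the conversion so a wrong key is reported before anything is written. The conversion leaves the key material unchanged and only re-wraps it, so the converted file still matches the certificate and must be protected exactly like the original.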