Fixing Nginx SSL Error “PEM_read_bio:no start line” – Certificate Chain Setup Guide

When working with Nginx SSL configurations, the "no start line" error means OpenSSL read the file named in ssl_certificate and never found a "-----BEGIN" marker where it expected one. This can happen when:

  • The file starts with a UTF-8 byte-order mark (BOM) or other invisible bytes in front of the first marker
  • The certificate chain is improperly concatenated (a file without a trailing newline fuses its END marker onto the next BEGIN marker)
  • The file is binary DER rather than Base64 PEM, or is a PKCS#12 (.pfx) bundle handed to Nginx unconverted
  • The file uses CRLF line endings; OpenSSL's PEM reader tolerates these on their own, but they usually mean the file went through a Windows editor and may carry a BOM as well
  • The actual content isn't a certificate at all (a CSR, an empty file, a key in the wrong slot)

First, verify that each file parses on its own. Run these commands:

# Check certificate file (parses only the first certificate in the bundle)
openssl x509 -in cleantechlms.crt -text -noout

# Check private key (RSA keys only; for an EC key use: openssl pkey -in cleantechlms.key -check)
openssl rsa -in cleantechlms.key -check

If either command fails, your files need correction. A proper PEM file should look like:

-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgISA5ZJtYwBkUgPQNFX9Q7RZ3k4MA0GCSqGSIb3DQEBCwUA
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFazCCBFOgAwIBAgISA5ZJtYwBkUgPQNFX9Q7RZ3k4MA0GCSqGSIb3DQEBCwUA
...
-----END CERTIFICATE-----

The correct order for concatenating certificates is:

  1. Your domain certificate (cleantechlms.crt)
  2. Intermediate certificates, each followed by the one that issued it
  3. Root certificate (usually omitted: clients already hold it in their trust store, and sending it only adds bytes to every handshake)

Nginx treats the first certificate in ssl_certificate as the server certificate and sends the rest as the chain, so a CA certificate placed first does not give you a working server; it gives you a key mismatch error at startup instead.

Here's how to properly create the chain file. Plain cat glues an END marker onto the next BEGIN marker whenever an input file lacks its trailing newline; awk 1 prints every input line with a newline, so the markers always land on their own lines. Write to a file that is not one of the inputs, or the shell truncates it before cat reads it:

# Leaf first, then intermediates in issuing order; the output must not be one of the inputs
awk 1 domain.crt intermediate1.crt intermediate2.crt > cleantechlms.crt
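The checks above, turned into one reusable shell lint that catches each file-level cause in a single pass: a UTF-8 BOM, a DER file, CRLF endings, missing or unbalanced markers, END/BEGIN markers fused by a newline-less concatenation, and stray bytes inside a Base64 body. This is an added example, not part of the original article. The sample bundles it creates are constructed filler (the Base64 is not a real certificate and is never decoded) and exist only to exercise each check, so the script needs no openssl and runs offline; point pem_lint at your own bundle path in practice.

```shell
#!/bin/sh
# pem_lint FILE: text-level checks for the conditions that make OpenSSL report
# "PEM_read_bio:no start line". Prints one finding per line; returns 0 only
# when the file looks like a clean PEM certificate bundle.
pem_lint() {
  f="$1"; rc=0
  [ -r "$f" ] || { echo "$f: not readable (check owner and mode)"; return 2; }

  # First bytes as hex: PEM starts with "-----" (0x2d), a UTF-8 BOM is
  # EF BB BF, and a DER certificate starts with an ASN.1 SEQUENCE tag, 0x30
  first3=$(head -c 3 "$f" | od -A n -t x1 | tr -d ' \n')
  case "$first3" in
    efbbbf) echo "$f: UTF-8 BOM in front of the first marker"; rc=1 ;;
    30*)    echo "$f: binary DER, not PEM (openssl x509 -inform DER -in $f -out $f.pem)"; return 1 ;;
  esac

  if grep -q "$(printf '\r')" "$f"; then
    echo "$f: CRLF line endings (dos2unix $f)"; rc=1
  fi

  # Marker checks run on a CR-stripped copy so CRLF does not mask them
  body=$(tr -d '\r' < "$f")
  begins=$(printf '%s\n' "$body" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
  ends=$(printf '%s\n' "$body" | grep -c '^-----END CERTIFICATE-----$' || true)
  [ "$begins" -gt 0 ] || { echo "$f: no '-----BEGIN CERTIFICATE-----' line"; rc=1; }
  [ "$begins" -eq "$ends" ] || { echo "$f: $begins BEGIN vs $ends END markers"; rc=1; }

  # cat'ing a file that lacks a trailing newline glues END onto the next BEGIN
  if printf '%s\n' "$body" | grep -q -- '-----END CERTIFICATE----------BEGIN'; then
    echo "$f: END and BEGIN markers fused on one line (missing newline between files)"; rc=1
  fi

  # Everything between the markers must be Base64 (A-Z a-z 0-9 + / =)
  if printf '%s\n' "$body" | awk '
        /^-----BEGIN/ { inside = 1; next }
        /^-----END/   { inside = 0; next }
        inside && $0 !~ /^[A-Za-z0-9+\/=]*$/ { bad = 1 }
        END { exit !bad }'; then
    echo "$f: non-Base64 bytes inside a certificate body (inspect with cat -v)"; rc=1
  fi
  return $rc
}

# make_samples DIR: constructed bundles, one per failure mode. The Base64 is
# filler, not a real certificate; pem_lint never decodes it.
make_samples() {
  d="$1"; mkdir -p "$d"
  filler='MIIBszCCAVoCCQD8YkRaN4QZ7jAKBggqhkjOPQQDAjA='
  cert=$(printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' "$filler" '-----END CERTIFICATE-----')
  printf '%s\n%s\n' "$cert" "$cert" > "$d/good.pem"                      # leaf + intermediate, clean
  printf '\357\273\277%s\n' "$cert" > "$d/bom.pem"                        # UTF-8 BOM first
  printf '%s\n' "$cert" | awk '{ printf "%s\r\n", $0 }' > "$d/crlf.pem"  # Windows line endings
  printf '%s%s\n' "$cert" "$cert" > "$d/fused.pem"                        # cat without trailing newline
  printf '%s\n' "$cert" | sed 's/MIIB/MI IB/' > "$d/junk.pem"             # stray byte in the body
  printf '0\202\001\263' > "$d/der.crt"                                   # starts like a DER SEQUENCE
}

# Usage: pem_lint /opt/nginx/conf/cleantechlms.crt
# Demo run over the constructed samples:
demo=$(mktemp -d); make_samples "$demo"
for f in "$demo"/*; do pem_lint "$f" || true; done
rm -rf "$demo"
```

pem_lint complements openssl x509: openssl only tells you that the PEM reader refused the file, the lint tells you why, and each message names the fix.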

Here's an Nginx SSL configuration that avoids the common pitfalls:

server {
    listen 443 ssl;
    server_name a-fake-url.com;

    # ssl_certificate holds the leaf first, then the intermediates
    ssl_certificate /opt/nginx/conf/cleantechlms.crt;
    ssl_certificate_key /opt/nginx/conf/cleantechlms.key;

    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256...';

    # OCSP stapling: Nginx needs a "resolver" directive to reach the OCSP responder,
    # and ssl_stapling_verify needs ssl_trusted_certificate pointing at the issuer chain
    ssl_stapling on;
    ssl_stapling_verify on;

    # Other settings
    root /file/path/public;
    passenger_enabled on;
}

If you're still encountering issues, try these debugging steps:

# Check file encoding: a clean PEM file reports charset=us-ascii; charset=utf-8 on a
# file that should be pure ASCII usually means a BOM, and "binary" means DER
file -i cleantechlms.crt

# Convert DOS line endings to UNIX
dos2unix cleantechlms.crt

# Verify file permissions: the Nginx master process reads both files at startup,
# as the user it runs as (normally root), so the key needs no wider access than this
ls -l /opt/nginx/conf/cleantechlms.*
chmod 644 cleantechlms.crt
chmod 600 cleantechlms.key

If you're working with PFX (PKCS#12) files, extract the pieces separately so the chain order is under your control: -nokeys on its own dumps the certificates in whatever order the bundle stores them, which is not always leaf first.

# Extract private key (unencrypted; OpenSSL 3 also accepts -noenc)
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out cleantechlms.key
# Extract the server certificate only (-clcerts), then the CA certificates only (-cacerts)
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out leaf.crt
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out cacerts.crt
# Assemble leaf first; the "Bag Attributes" text between blocks is skipped by the PEM reader
awk 1 leaf.crt cacerts.crt > cleantechlms.crt

If cacerts.crt holds more than one intermediate, check that each is followed by its issuer. If OpenSSL 3 refuses an older .pfx with an "unsupported" algorithm error, add -legacy to the pkcs12 commands to load the legacy provider.

Remember that Nginx requires PEM format: a DER .cer or an unconverted .pfx handed to ssl_certificate produces exactly this "no start line" error, so always convert other formats before use (for DER: openssl x509 -inform DER -in cert.cer -out cert.pem).


The full error as Nginx reports it (in the error log, or from nginx -t) is:

SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib

The first line is OpenSSL's PEM reader reporting that it reached the end of the data without finding a "-----BEGIN" marker. The second names the call that failed, SSL_CTX_use_certificate_chain_file, which is how Nginx loads the ssl_certificate file; the key is loaded by a different call, so the certificate bundle is the file to inspect. The most frequent causes are:

  • Incorrect certificate file format
  • Missing BEGIN/END certificates markers
  • Improper chain certificate ordering
  • Hidden characters or encoding issues

For a complete SSL configuration, your certificate file should contain, in this order:

-----BEGIN CERTIFICATE-----
(Your Primary SSL Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate CA Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA Certificate, optional and normally left out)
-----END CERTIFICATE-----

First, verify your certificate files using OpenSSL:

openssl x509 -in cleantechlms.crt -text -noout
openssl rsa -in cleantechlms.key -check

Check for common file issues:

file cleantechlms.crt
dos2unix cleantechlms.crt  # Convert Windows line endings if needed

Here's a properly configured server block:

server {
    listen 443 ssl;
    server_name a-fake-url.com;
    
    ssl_certificate /opt/nginx/conf/cleantechlms.crt;
    ssl_certificate_key /opt/nginx/conf/cleantechlms.key;
    
    # Modern SSL configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384...';
    
    # Other directives...
}

Create a verification script to check your setup. Do not pass the bundle as -CAfile: that makes your own certificates the trust anchors and proves nothing about what clients will accept. Pass it as -untrusted instead, so the first certificate (the leaf) is verified against the system trust store with the rest of the file supplying the intermediates:

#!/bin/bash
# Verify the chain: leaf against the system trust store, intermediates from the same file
openssl verify -untrusted /opt/nginx/conf/cleantechlms.crt /opt/nginx/conf/cleantechlms.crt

# Test Nginx configuration (this is where "no start line" surfaces before a reload)
nginx -t

# Check the SSL handshake and the chain actually sent (</dev/null closes the connection)
openssl s_client -connect localhost:443 -servername a-fake-url.com -showcerts </dev/null
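The verification script above proves the chain is trusted, but two more things are worth checking before reloading Nginx: that the bundle is in the order Nginx needs (leaf first, each certificate followed by its issuer) and that the private key actually belongs to the first certificate, which openssl rsa -check cannot tell you. The following is an added example, not code from the original article. It relies only on openssl, compares public keys so it works for RSA and EC keys alike, and builds a throwaway test CA and leaf (constructed for this example; the CN a-fake-url.com is reused from the config above) so it can be tried without real certificates.

```shell
#!/bin/sh
# Chain-order and key/certificate checks built on openssl. Paths and the
# throwaway CA below are placeholders for this example.

# split_pem BUNDLE OUTDIR: write cert-1.pem, cert-2.pem, ... in file order,
# dropping anything outside the markers (e.g. pkcs12 "Bag Attributes" text)
split_pem() {
  awk -v out="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; fn = sprintf("%s/cert-%d.pem", out, n); inside = 1 }
    inside { print > fn }
    /-----END CERTIFICATE-----/ { inside = 0; close(fn) }' "$1"
}

# cert_dn FILE subject|issuer: the DN in RFC 2253 form without the "subject="/"issuer=" prefix
cert_dn() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*=//'
}

# chain_order_ok BUNDLE: Nginx takes the first certificate as the server cert
# and sends the rest as its chain, so cert 1 must be the leaf and every
# cert i must be issued by cert i+1. Returns 0 when the order is right.
chain_order_ok() {
  tmp=$(mktemp -d); rc=0
  split_pem "$1" "$tmp"
  n=$(ls "$tmp" | wc -l | tr -d ' ')
  [ "$n" -gt 0 ] || { echo "$1: no certificates found"; rm -rf "$tmp"; return 1; }
  # A leaf is never self-signed; if the first cert is, a CA file was put first
  if [ "$(cert_dn "$tmp/cert-1.pem" subject)" = "$(cert_dn "$tmp/cert-1.pem" issuer)" ] \
     && [ "$n" -gt 1 ]; then
    echo "$1: first certificate is self-signed; the server certificate must come first"; rc=1
  fi
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    if [ "$(cert_dn "$tmp/cert-$i.pem" issuer)" != "$(cert_dn "$tmp/cert-$j.pem" subject)" ]; then
      echo "$1: cert $i is not issued by cert $j (wrong order or missing intermediate)"; rc=1
    fi
    i=$j
  done
  rm -rf "$tmp"
  return $rc
}

# key_matches_cert CERT KEY: compare the DER-encoded public keys; works for RSA and EC
key_matches_cert() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | od -A n -t x1)
  b=$(openssl pkey -in "$2" -pubout -outform DER | od -A n -t x1)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# make_test_chain DIR: throwaway CA and leaf, constructed for this example only
make_test_chain() {
  d="$1"; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
      -subj /CN=Example-Test-CA -days 1 >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
      -subj /CN=a-fake-url.com >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -out "$d/leaf.crt" -days 1 >/dev/null 2>&1 || return 1
  awk 1 "$d/leaf.crt" "$d/ca.crt" > "$d/good-chain.crt"   # leaf first: what Nginx needs
  awk 1 "$d/ca.crt" "$d/leaf.crt" > "$d/bad-chain.crt"    # CA first: the common mistake
}

# Usage on a real deployment:
#   chain_order_ok /opt/nginx/conf/cleantechlms.crt
#   key_matches_cert /opt/nginx/conf/cleantechlms.crt /opt/nginx/conf/cleantechlms.key
```

chain_order_ok reports a self-signed first certificate separately because that is the most common mis-ordering: a cat that put the CA file first. A bundle that passes both functions and the openssl verify step above is ready for ssl_certificate.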

Keep these points in mind:

  • Certificate Order: Always place your server certificate first, followed by the intermediates in issuing order
  • File Encoding: Ensure files are ASCII PEM, not binary DER
  • Hidden Characters: Use cat -v to detect non-printable characters, and head -c 3 cleantechlms.crt | od -c to spot a BOM
  • Permissions: the key is read by the master process at startup, so it should be owned by the user that process runs as (normally root) and readable by no one else: chmod 400 cleantechlms.key

For persistent issues, enable debug logging in Nginx (the debug level only produces output if the binary was built with --with-debug; check nginx -V):

error_log /var/log/nginx/error.log debug;

Do not pair this with a permissive cipher string such as 'ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP': it re-enables RC4, LOW and export-grade ciphers, and cipher selection has no bearing on a certificate file that fails to parse. Examine the debug output for the specific OpenSSL error strings, and drop the log level back once the problem is found.