When working with CentOS 5.x systems (though I'd strongly recommend upgrading to a supported version), the "header too long" error typically indicates an ASN.1 parsing issue in your certificate file. This happens when OpenSSL's ASN.1 decoder encounters malformed data in the certificate header.
The error commonly occurs when:
- The certificate file contains invalid characters (like Windows line endings)
- The file is corrupted during transfer
- There's unexpected whitespace in the PEM headers
- The certificate chain is improperly formatted
First, verify your certificate's validity:
openssl x509 -in /etc/pki/tls/certs/ssl_certificate.crt -text -noout
If this fails, try examining the raw file:
hexdump -C /etc/pki/tls/certs/ssl_certificate.crt | head -20
Solution 1: Reformat the certificate
Convert between PEM/DER formats:
# If PEM to DER
openssl x509 -in cert.pem -outform der -out cert.der
# If DER to PEM
openssl x509 -inform der -in cert.der -out cert.pem
Solution 2: Fix line endings
Convert DOS to Unix format:
dos2unix /etc/pki/tls/certs/ssl_certificate.crt
Solution 3: Verify certificate chain
A complete chain should look like:
-----BEGIN CERTIFICATE-----
[Your certificate]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Intermediate CA]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[Root CA]
-----END CERTIFICATE-----
Ensure your httpd.conf contains proper directives:
SSLCertificateFile /etc/pki/tls/certs/ssl_certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/your_key.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
For stubborn cases, increase OpenSSL verbosity:
export SSL_CERT_DIR=/etc/pki/tls/certs
openssl s_client -connect yourdomain:443 -showcerts -debug
Check for related system libraries:
# mod_ssl is a loadable module on CentOS, so check it rather than the httpd binary
ldd /etc/httpd/modules/mod_ssl.so | grep ssl
rpm -qa | grep openssl
When working with SSL certificates in CentOS 5.x's Apache HTTPD server, you might encounter this specific OpenSSL error. The error typically occurs when the server fails to parse the certificate file during startup.
[error] Init: Unable to read server certificate from file /etc/pki/tls/certs/ssl_certificate.crt
[error] SSL Library Error: 218570875 error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
First, verify the certificate file's integrity. Run these commands:
# Check certificate content
cat /etc/pki/tls/certs/ssl_certificate.crt
# Verify certificate format
openssl x509 -in /etc/pki/tls/certs/ssl_certificate.crt -text -noout
Common issues that trigger this error:
- Incorrect file encoding (Windows vs Unix line endings)
- Malformed certificate chain
- Certificate file contains extra characters
- Improper concatenation of certificates
1. Convert Certificate Format:
# Convert DOS to Unix format if needed
dos2unix /etc/pki/tls/certs/ssl_certificate.crt
# Alternative conversion method
tr -d '\r' < original.crt > fixed.crt
2. Verify Certificate Chain Order:
# The correct order should be:
# -----BEGIN CERTIFICATE-----
# (Your Primary SSL certificate)
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# (Intermediate CA certificate)
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# (Root CA certificate, if needed)
# -----END CERTIFICATE-----
Use OpenSSL's s_server for testing:
openssl s_server -cert /etc/pki/tls/certs/ssl_certificate.crt -key /etc/pki/tls/private/ssl_key.key -www
Then test in another terminal:
openssl s_client -connect localhost:4433 -showcerts
Ensure your httpd.conf contains proper directives:
SSLCertificateFile /etc/pki/tls/certs/ssl_certificate.crt
SSLCertificateKeyFile /etc/pki/tls/private/ssl_key.key
SSLCertificateChainFile /etc/pki/tls/certs/intermediate.crt
Remember to restart Apache after changes:
service httpd restart
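Both answers above come down to the same byte-level checks on the PEM file. The script below is an added example, not code from either answer or from OpenSSL: it flags CR bytes and whitespace around the BEGIN/END lines, checks that labels pair up, base64-decodes each block, and decodes only the outer ASN.1 tag/length header, raising "header too long" when the header bytes run off the end of the blob and "too long" when the declared length exceeds the data, loosely modelled on OpenSSL's ASN1_get_object. FAKE_DER and the PEM wrappers built from it are constructed test data (a bare SEQUENCE, not a real certificate); certificate fields and chain order are not interpreted, so pair it with the openssl x509 command shown above.

```python
"""Byte-level sanity check of a PEM certificate bundle (added example)."""
import base64
import binascii


def parse_asn1_header(der):
    """Decode the outer tag and length of a DER blob -> (tag, header_len, body_len).

    Errors are loosely modelled on OpenSSL's ASN1_get_object: 'header too long'
    when the tag/length bytes run off the buffer or are malformed, 'too long'
    when the declared body length exceeds the bytes actually present.
    """
    n = len(der)
    if n < 2:
        raise ValueError("header too long")
    tag, pos = der[0], 1
    if tag & 0x1F == 0x1F:                      # high-tag-number form
        while pos < n and der[pos] & 0x80:
            pos += 1
        pos += 1                                # last (or only) tag byte
        if pos >= n:
            raise ValueError("header too long")
    first, pos = der[pos], pos + 1
    if first & 0x80 == 0:                       # short form: length < 128
        length = first
    else:                                       # long form: next N bytes hold the length
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length (BER, not DER)")
        if nbytes > 4 or pos + nbytes > n:
            raise ValueError("header too long")
        length = int.from_bytes(der[pos:pos + nbytes], "big")
        pos += nbytes
    if length > n - pos:
        raise ValueError("too long")
    return tag, pos, length


def check_pem_bundle(data):
    """Walk raw file bytes line by line; return a list of findings ([] = clean)."""
    findings = []
    if b"\r" in data:
        findings.append("CR bytes present (DOS line endings): run dos2unix or tr -d '\\r'")
        data = data.replace(b"\r", b"")
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        line = raw.strip()
        if b"-----" in line and raw != line:
            # OpenSSL's PEM reader matches "-----BEGIN " at column 0, so padding hides the header
            findings.append("line %d: whitespace around PEM header" % lineno)
        if line.startswith(b"-----BEGIN ") and line.endswith(b"-----"):
            if label is not None:
                findings.append("line %d: BEGIN inside unterminated %s block" % (lineno, label.decode()))
            label, body = line[11:-5], []
        elif line.startswith(b"-----END ") and line.endswith(b"-----"):
            if label is None:
                findings.append("line %d: END without BEGIN" % lineno)
            elif line[9:-5] != label:
                findings.append("line %d: END %s closes BEGIN %s" % (lineno, line[9:-5].decode(), label.decode()))
            else:
                blocks.append((label, b"".join(body)))
            label, body = None, []
        elif label is not None:
            body.append(line)                   # base64 payload line
    if label is not None:
        findings.append("EOF inside unterminated %s block" % label.decode())
    if not blocks:
        findings.append("no PEM blocks found: file may be DER, PKCS#12 or empty")
    for i, (label, b64) in enumerate(blocks, 1):
        if label != b"CERTIFICATE":
            findings.append("block %d: label %s is not CERTIFICATE" % (i, label.decode()))
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as e:
            findings.append("block %d: base64 corrupt (%s)" % (i, e))
            continue
        try:
            tag, hdr, length = parse_asn1_header(der)
        except ValueError as e:
            findings.append("block %d: ASN.1 %s" % (i, e))
            continue
        if tag != 0x30:                         # an X.509 certificate is an outer SEQUENCE
            findings.append("block %d: outer tag 0x%02x is not SEQUENCE" % (i, tag))
        elif hdr + length != len(der):
            findings.append("block %d: %d trailing bytes after SEQUENCE" % (i, len(der) - hdr - length))
    return findings


def make_pem(der, label=b"CERTIFICATE", eol=b"\n"):
    """Wrap DER bytes in PEM armor with 64-column lines (constructed test data)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return eol.join([b"-----BEGIN " + label + b"-----"] + lines + [b"-----END " + label + b"-----", b""])


# Constructed stand-in for a certificate: a DER SEQUENCE with a 256-byte body.
FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)
GOOD = make_pem(FAKE_DER) * 2                   # leaf + intermediate, clean
DOS = make_pem(FAKE_DER, eol=b"\r\n")           # Windows line endings
TRUNCATED = make_pem(FAKE_DER[:200])            # body cut short in transfer -> "too long"
HEADER_CUT = make_pem(FAKE_DER[:3])             # length bytes missing -> "header too long"
PADDED = b"  " + make_pem(FAKE_DER)             # whitespace before the BEGIN line

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("DOS", DOS), ("TRUNCATED", TRUNCATED),
                         ("HEADER_CUT", HEADER_CUT), ("PADDED", PADDED)]:
        print(name, check_pem_bundle(sample) or "ok")
```

Run it against the real file with `check_pem_bundle(open("/etc/pki/tls/certs/ssl_certificate.crt", "rb").read())`; a clean result plus a passing `openssl x509 -noout` on each block narrows the fault to the httpd configuration rather than the file.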