When Nginx throws the SSL_CTX_use_PrivateKey_file() failed error with the message about PEM routines, it's typically one of these three core issues:
1. Malformed key file (missing BEGIN/END markers or incorrect encoding)
2. Permission/ownership problems
3. Path resolution issue in Nginx configuration
First, let's verify the key file structure. A proper RSA private key should look like:
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC4J4nX6p+G5fYJ
...
VJ5QIDAQABAoIBAFBHY8vS4w==
-----END PRIVATE KEY-----
OR for older formats:
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAuCeJ1+qfhuX2Cb...
...
VJ5QIDAQABAoIBAFBHY8vS4w==
-----END RSA PRIVATE KEY-----
Run these commands to inspect your key:
# Check key format
openssl rsa -in cert.key -check -noout
# Verify key matches certificate
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5
Here's a battle-tested SSL configuration template:
server {
listen 443 ssl http2;
server_name my.domain.com;
# Absolute paths are more reliable
ssl_certificate /etc/nginx/conf.d/cert.pem;
ssl_certificate_key /etc/nginx/conf.d/cert.key;
# Modern SSL configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:...';
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
location / {
proxy_pass http://upstream1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Even with 600 permissions, try:
chown nginx:nginx /etc/nginx/conf.d/cert.*
chmod 400 /etc/nginx/conf.d/cert.*
restorecon -Rv /etc/nginx/conf.d/
If your key came in different format (PKCS#12, DER, etc.):
# Convert DER to PEM
openssl rsa -inform DER -in cert.key -out cert.pem
# Extract from PKCS12
openssl pkcs12 -in bundle.pfx -nocerts -nodes -out key.pem
Enable deeper SSL debugging:
# Add to nginx.conf
error_log /var/log/nginx/error.log debug;
Then check logs with:
tail -f /var/log/nginx/error.log | grep -i ssl
When configuring SSL/TLS on Nginx, one of the most frustrating errors is the PEM_read_bio:no start line message. This typically occurs during server restart attempts, indicating Nginx can't properly parse your private key file.
Before diving into solutions, let's confirm your environment matches this specific case:
- Files have 600 permissions (
rw-------) - Certificates validate on third-party tools
- No visible corruption in key files
- Standard 64-character line length
Your current config looks correct at first glance:
server {
listen 443;
server_name my.domain.com;
ssl on;
ssl_certificate conf.d/cert.pem;
ssl_certificate_key conf.d/cert.key;
...
}But let's examine some hidden pitfalls.
From debugging similar cases, these are the most likely culprits:
1. File Format Issues
Despite correct line length, the file might have:
- Incorrect line endings (DOS vs UNIX)
- Hidden BOM characters
- Missing BEGIN/END markers
Run this diagnostic command:
file -b /etc/nginx/conf.d/cert.key
hexdump -C /etc/nginx/conf.d/cert.key | head -52. Encoding Problems
Try converting the key:
openssl rsa -in cert.key -out cert_new.key3. Path Resolution
In Nginx configurations, paths can be tricky. Try absolute paths:
ssl_certificate /etc/nginx/conf.d/cert.pem;
ssl_certificate_key /etc/nginx/conf.d/cert.key;To completely rule out key issues:
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in cert.key | openssl md5The MD5 hashes must match for valid pairs.
Here's a working configuration template:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...;
location / {
proxy_pass http://backend;
include proxy_params;
}
}