
I bought a Gandi.net SSL certificate and I'm following this tutorial.

  1. I created the key file.
  2. Then transformed it to a CSR.
  3. Then added it to the Gandi website and waited for the CRT.
  4. Then removed the password from the key ===> result: [FINAL KEY]
  5. Then merged the CRT and the FINAL KEY into one file ==> result: [FINAL PEM]
  6. Then `heroku ssl:add final_pem final_key --app app_name`

and... got `Pem is invalid / Key doesn't match the Pem certificate`.

I tried 3 times and I really don't know what's going on.

Can you help?

Jane
  • What's the `.pem` file look like now? (don't include the private key's data) – Shane Madden Jan 06 '12 at 04:29
  • It contains a certificate and an RSA private key: `-----BEGIN CERTIFICATE----- MIIE6DCCA9CgAwIBAgIRANqDI....XXXXX.......-----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAuEBA8IsNq2 ... XXXXXXXXXXX ......-----END RSA PRIVATE KEY-----` – Jane Jan 06 '12 at 04:32
  • Does it work if you don't remove the password from the key? What parameters in openssl did you use to strip the password from your key? Try just generating a key without a password in the first place and see if that works. – SimonJGreen Jan 07 '12 at 16:56

3 Answers

2

I think I may have run into a similar issue when attempting to use a Gandi certificate on Heroku. Heroku kept on complaining that my PEM file didn't match my key, and running `openssl x509 -noout -modulus -in example.com.crt` gave me an "unable to load certificate" error.

The issue in my case was very simple: when I downloaded the certificate from Gandi, there was an extra blank line between the certificate text and the "--END CERTIFICATE..." line:

```
ghjg86GHHJ47Nmmmaiuoj8bUW8bbn/9w78sTxuguHQWjhuhuQWQhuybyyA==

-----END CERTIFICATE-----
```

When I deleted the blank line, everything worked perfectly:

```
ghjg86GHHJ47Nmmmaiuoj8bUW8bbn/9w78sTxuguHQWjhuhuQWQhuybyyA==
-----END CERTIFICATE-----
```

I think when you create the final PEM file that you want to concatenate your certificate and your CA's certificate, not your certificate and your private key:

```
cat example.com.crt certificate-issuer.com.pem > example.com.pem
```

Finally, I found http://blog.bloom.io/2011/09/16/https-ssl-table-stakes/ very helpful with the whole process.

jplewicke
  • Thanks for that - made me take a 2nd look at the files, my cert file was cut and paste from an email, lost a few important characters... – house9 Jan 20 '13 at 00:48
2

Don't know if this is relevant any more, but I had similar issues using Heroku SSL Endpoint and ended up making a blog post about it:

http://starvingdeveloper.wordpress.com/2012/09/18/comodo-ev-ssl-with-heroku-if-you-did-it-wrong-the-first-time/

EDIT: With Heroku, you need to make sure that your certificates are in the correct order. If you have already pushed/added a certificate that is messed up, you can try arranging them in different orders (not efficient, but it gets the job done), and you can check out Heroku SSL doctor and utilize the "bypass" option to forego the usual show-stoppers that will allow you to add/update the new cert(s).

TL;DR => when using Heroku SSL Endpoint, be sure to include the whole bundle and make sure the contents of that bundle are in the correct order. Try Heroku SSL doctor if you are having problems.

rpearce
  • Welcome to Server Fault! Whilst this may theoretically answer the question, [it would be preferable](http://meta.stackexchange.com/q/8259) to include the essential parts of the answer here, and provide the link for reference. – Scott Pack Sep 24 '12 at 17:01
  • I have updated my original post. Hopefully it helps somebody :) – rpearce Oct 15 '12 at 18:24
  • +1 for Heroku SSL doctor – Troy Dec 19 '12 at 01:09
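The two answers above describe three separate ways a hand-assembled PEM file goes wrong: a stray blank line inside a certificate block, characters lost while copying the certificate out of an email (house9's comment), and a bundle whose blocks are in the wrong order or that contains the private key instead of the issuer chain. The following script is an added example, not code from either answer or from Heroku; it lints a PEM file for exactly those defects using only the Python standard library. The sample PEM bodies are constructed placeholders (valid base64 over a dummy DER-like blob), not real certificates or keys, and the check that decoded data begins with a DER SEQUENCE byte (0x30) relies on the fact that X.509 certificates and PKCS#1/PKCS#8 keys are all DER SEQUENCEs.

```python
import base64
import binascii
import re

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def check_body(block):
    """Verify that a block's base64 body decodes and looks like DER."""
    data = "".join(block["body"])
    if not data:
        return [f"{block['label']} block has an empty body"]
    try:
        der = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError) as exc:
        # Lost or extra characters (e.g. a cert pasted from an email) land here.
        return [f"{block['label']} body does not decode as base64 ({exc}); truncated or corrupted?"]
    if not der or der[0] != 0x30:
        return [f"{block['label']} body decodes but does not start with a DER SEQUENCE"]
    return []


def parse_pem(text):
    """Split a PEM file into blocks, recording structural defects per block."""
    blocks, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        begin, end = BEGIN_RE.match(line), END_RE.match(line)
        if begin:
            if current is not None:
                current["problems"].append(f"line {lineno}: BEGIN inside unclosed {current['label']} block")
            current = {"label": begin.group(1), "start": lineno, "body": [], "problems": []}
        elif end:
            if current is None:
                blocks.append({"label": end.group(1), "start": lineno, "body": [],
                               "problems": [f"line {lineno}: END without a matching BEGIN"]})
                continue
            if end.group(1) != current["label"]:
                current["problems"].append(f"line {lineno}: END label does not match BEGIN label {current['label']}")
            current["problems"].extend(check_body(current))
            blocks.append(current)
            current = None
        elif current is not None:
            if line == "":
                # The defect from the first answer: a blank line before the END marker.
                current["problems"].append(f"line {lineno}: blank line inside {current['label']} block")
            else:
                current["body"].append(line)
    if current is not None:
        current["problems"].append(f"line {current['start']}: {current['label']} block is never closed")
        blocks.append(current)
    return blocks


def lint_pem(text):
    """Return all problems found when treating `text` as a certificate bundle."""
    blocks = parse_pem(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    if blocks[0]["label"] != "CERTIFICATE":
        problems.append(f"first block is {blocks[0]['label']}, expected the server CERTIFICATE")
    for i, block in enumerate(blocks, 1):
        if block["label"].endswith("PRIVATE KEY"):
            problems.append(f"block {i} is a {block['label']}; the bundle should hold only certificates")
        problems.extend(block["problems"])
    return problems


# Constructed samples: 48-byte dummy DER-like blobs (leading SEQUENCE byte), 64 base64 chars each.
def _fake_body(filler):
    return base64.b64encode(b"\x30" + filler * 47).decode()


def _block(label, body):
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


FAKE_CERT, FAKE_CA, FAKE_KEY = _fake_body(b"\x01"), _fake_body(b"\x02"), _fake_body(b"\x03")
GOOD_BUNDLE = _block("CERTIFICATE", FAKE_CERT) + _block("CERTIFICATE", FAKE_CA)
BLANK_LINE_AND_KEY = _block("CERTIFICATE", FAKE_CERT + "\n") + _block("RSA PRIVATE KEY", FAKE_KEY)
TRUNCATED_BUNDLE = _block("CERTIFICATE", FAKE_CERT[:-3]) + _block("CERTIFICATE", FAKE_CA)

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("blank line + key", BLANK_LINE_AND_KEY),
                         ("truncated", TRUNCATED_BUNDLE)]:
        print(name, "->", lint_pem(bundle) or "OK")
```

Run it against your own file with `lint_pem(open("example.com.pem").read())`. It deliberately does not compare the certificate's modulus to the key's, which `openssl x509 -noout -modulus` and `openssl rsa -noout -modulus` do once both files load; its job is to explain why those commands fail to load the file in the first place.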
0

I got my certs from another provider but I kept my public cert and private key in separate files and it worked.

Sam