[Modules] GnuTls: Base64 unexpected header error

gnd at itchybit.org gnd at itchybit.org
Wed May 20 10:51:31 EDT 2009


I investigated further on the private key. Its obtained from the provider
1&1 via some free SSL certificate giveaway that is a deal with Geotrust ..

So the problem with the key is that its not generated by us, but its
generated by either 1&1 or Geotrust - which provides the certificate to

Another thing is that the key length is different from the keys that we
generated by ourselves. Our private keys are 1024 bit RSA with the size of
887 bytes, whilst the key from 1&1 has a size of 912 bytes. Also its
starting with "-----BEGIN PRIVATE KEY-----" instead of "-----BEGIN RSA

When i do a certtool -d9 -k on the key i get this kind of info from the

|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN RSA PRIVATE KEY'
|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN DSA PRIVATE KEY'
|<2>| ASSERT: privkey.c:378
(here it prints out key info)

So the key is in some format that cant be read by mod_gnutls. Do you have
any idea what format it could be ?

thank you,


> gnd at itchybit.org writes:
>> Hello,
>> we recently moved some websites to another server. One of the websites
>> has
>> a certificate issued by Equifax, its a QuickSSL Premium programme.
>> When we moved the site to the other server, i copied the certificate and
>> the private key as well. The problem is that when im trying to start
>> apache with the old key & cert i get this error:
>> Syntax error on line 143 of /etc/apache2/sites-enabled/vhosts.conf:
>> GnuTLS: Failed to Import Private Key
>> '/etc/apache2/ssl.key/xxx_real.key':
>> (-207) Base64 unexpected header error.
>>  failed!
>> apache wont start. the conf looks like this:
>>         GnuTLSEnable on
>>         GnuTLSPriorities NORMAL
>>         DocumentRoot ....
>>         ServerName xxx.com:443
>>         GnuTLSCertificateFile /etc/apache2/ssl.crt/xxx_old.crt
>>         GnuTLSKeyFile /etc/apache2/ssl.key/xxx_old.key
>> When i try to verify the cert and the privkey with the openssl utility -
>> its OK. Maybe the problem is that on the old server we had a different
>> version of openssl and we were using mod_ssl instead of mod_gnutls ??
> Can you run 'certtool -k' on the key file?  It may be that GnuTLS cannot
> parse it.  Don't paste the output into an e-mail, or you'll have to
> revoke the certificate..
> /Simon

More information about the Modules mailing list