
HTTPS: Failed to load certificate.



  • Diagnostic Center shows the following error:

    Failed to load certificate for HTTPS connections. The key contents do not contain a PEM, the content is malformed, or the key does not match the certificate.

    System.Security.Cryptography.CryptographicException: The key contents do not contain a PEM, the content is malformed, or the key does not match the certificate.
       at System.Security.Cryptography.X509Certificates.X509Certificate2.ExtractKeyFromEncryptedPem[TAlg](ReadOnlySpan`1 keyPem, ReadOnlySpan`1 password, Func`1 factory, Func`2 import)
       at System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromEncryptedPem(ReadOnlySpan`1 certPem, ReadOnlySpan`1 keyPem, ReadOnlySpan`1 password)
       at System.Security.Cryptography.X509Certificates.X509Certificate2.CreateFromEncryptedPemFile(String certPemFilePath, ReadOnlySpan`1 password, String keyPemFilePath)
       at Inedo.Web.AhWebHost.<ConfigureServices>g__configureSSL|16_6(ListenOptions listenOptions)

    The certificate is accepted:

    [screenshot]

    And I can see the configuration server-side:

    [screenshot]

    Executed according to the instructions (PEM created from PFX):

    HTTPS Binding to a Port (Advanced) (Experimental)

    I have checked the validity of the certificate. Does anyone have a hint or tip as to what went wrong here?


  • inedo-engineer

    Hi @markus-karthaus_8928 ,

    I haven't seen that error before.

    It's coming from the .NET cryptography library, and when searching for the error message ("The key contents do not contain a PEM, the content is malformed, or the key does not match the certificate."), I'm not getting any hints on specific "gotchas" or ways to resolve the error.

    This is where the error is coming from:
    https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.createfromencryptedpem?view=net-6.0

    So I think the issue must be that the PEM is "invalid" - at least according to the library we're using. I wish I had more information on that, but perhaps you can try a different way to generate it, or try a different way to configure HTTPS.

    Cheers,
    Steve



  • My workaround to get an HTTPS connection is now: change the config file on the server side to `<WebServer Enabled="true" Urls="http://:8624;https://:8625" CertFile="C:\temp\emea-ci-cd-01.pfx" Password="xyz" />` (PFX instead of PEM). Nothing changed on the web server. Then HTTPS works. But the web server now shows an error:

    [screenshot]

    It is a not so nice solution but I can continue like this for now. What it really was or is, I don't know.


  • inedo-engineer

    Hi @markus-karthaus_8928,

    The validity check of a certificate in ProGet is primarily to verify that the certificate itself is valid, not that it is valid for ProGet. Any self-signed or internal domain certificate will be invalid by default unless the certificate or certificate authority exists in the trusted root on your server. If it is a purchased certificate, I would check that your certificate's chain is properly installed on your server. If your certificate is a valid certificate but requires a custom certificate chain (many do), that chain will need to be installed on the server for ProGet to validate it properly. A .pfx certificate does not store the certificate chain internally in the file. The browser handles the validation slightly differently, so that is most likely why it seems to work in the browser.

    When it comes to the .pem file. There are many ways to generate it, but I'm guessing the certificate chain was stored internally in the pem file, which then does not require the certificate chain to be installed on the server.

    I'm speculating on the certificate chain in these cases because seeing why your certificate is not valid requires more than the screenshots you provided. I would actually need to see your certificate itself to truly validate this.

    Lastly, when it comes to using a .pem file, .NET tends to be very picky about its format. It is not as forgiving as other frameworks. If you look in the "HTTPS Binding to a Port (Advanced) (Experimental)" section of our HTTPS Support on Windows documentation, we have instructions on how to create a .pem file from a .pfx. I'm not sure if that is what you followed, but that is the simplest way we have found to generate a .pem file that works with .NET.

    Hope this helps!

    Thanks,
    Rich
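The .NET exception quoted in the first post bundles three different causes (no PEM block found, a malformed or unsupported PEM, or a key that belongs to a different certificate) into one message. The following is an added diagnostic, not ProGet's or Inedo's code and not the conversion procedure from Inedo's documentation, that loads the certificate and the key separately with the same .NET 6+ APIs the stack trace shows, so each cause is reported on its own before the exact `CreateFromEncryptedPemFile` call is attempted. The file names `cert.pem`/`key.pem`, the password `xyz` and the OpenSSL commands in the header comment are assumptions for illustration.

```csharp
// Added diagnostic (not Inedo's code). Requires .NET 6 or later, the same APIs ProGet's
// AhWebHost calls in the stack trace above. Assumed inputs: cert.pem holding the leaf
// certificate, key.pem holding an encrypted PKCS#8 key, and the key password.
// One assumed way to produce both files from a PFX with OpenSSL (not Inedo's documented steps):
//   openssl pkcs12 -in server.pfx -clcerts -nokeys -out cert.pem -passin pass:xyz
//   openssl pkcs12 -in server.pfx -nocerts -out key.pem -passin pass:xyz -passout pass:xyz
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class PemCheck
{
    static int Main(string[] args)
    {
        string certPath = args.Length > 0 ? args[0] : "cert.pem";
        string keyPath  = args.Length > 1 ? args[1] : "key.pem";
        string password = args.Length > 2 ? args[2] : "xyz";

        string certText = File.ReadAllText(certPath);
        string keyText  = File.ReadAllText(keyPath);

        // 1. Which PEM labels are present? CreateFromEncryptedPemFile expects "CERTIFICATE" and
        //    "ENCRYPTED PRIVATE KEY". "RSA PRIVATE KEY" or "PRIVATE KEY" are unencrypted forms
        //    that the encrypted-PEM loader does not accept, and no label at all means no PEM.
        Console.WriteLine($"cert labels: {string.Join(", ", Labels(certText))}");
        Console.WriteLine($"key labels:  {string.Join(", ", Labels(keyText))}");

        // 2. Load the certificate on its own.
        X509Certificate2 cert;
        try { cert = X509Certificate2.CreateFromPem(certText); }
        catch (CryptographicException e)
        {
            Console.WriteLine($"certificate PEM rejected: {e.Message}");
            return 1;
        }
        Console.WriteLine($"certificate: {cert.Subject}, expires {cert.NotAfter:u}");

        // 3. Load the key on its own (RSA first, then ECDSA) so a bad password or an unsupported
        //    encoding is reported separately from a key/certificate mismatch.
        byte[] keySpki;
        try
        {
            using var rsa = RSA.Create();
            rsa.ImportFromEncryptedPem(keyText, password);
            keySpki = rsa.ExportSubjectPublicKeyInfo();
        }
        catch (CryptographicException)
        {
            try
            {
                using var ecdsa = ECDsa.Create();
                ecdsa.ImportFromEncryptedPem(keyText, password);
                keySpki = ecdsa.ExportSubjectPublicKeyInfo();
            }
            catch (CryptographicException e)
            {
                Console.WriteLine($"key PEM rejected (format or password): {e.Message}");
                return 2;
            }
        }

        // 4. Compare the key's public half with the certificate's SubjectPublicKeyInfo.
        byte[] certSpki = cert.GetRSAPublicKey()?.ExportSubjectPublicKeyInfo()
                       ?? cert.GetECDsaPublicKey()?.ExportSubjectPublicKeyInfo();
        if (certSpki == null || !certSpki.SequenceEqual(keySpki))
        {
            Console.WriteLine("the private key does not match the certificate's public key");
            return 3;
        }

        // 5. The exact call ProGet's web host makes; if steps 1-4 passed, this should succeed.
        using var full = X509Certificate2.CreateFromEncryptedPemFile(certPath, password, keyPath);
        Console.WriteLine($"CreateFromEncryptedPemFile OK, has private key: {full.HasPrivateKey}");
        return 0;
    }

    // Enumerate every "-----BEGIN <label>-----" block in the text, using .NET's own PEM scanner.
    static string[] Labels(string pem)
    {
        var labels = new List<string>();
        ReadOnlySpan<char> rest = pem;
        while (PemEncoding.TryFind(rest, out PemFields f))
        {
            labels.Add(rest[f.Label].ToString());
            rest = rest[f.Location.End..];
        }
        return labels.ToArray();
    }
}
```

Run it on the server with `dotnet run -- C:\path\cert.pem C:\path\key.pem <password>`: the exit code tells you which of the three causes applies, which the single ProGet error message does not.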

