ERROR OpenSSL : error code: 151584876 in ../crypto/pem/pem_lib.c, line 745 for SP Signing Certificate

Christopher Bongaarts cab at umn.edu
Mon Nov 28 22:41:29 UTC 2022


Note that the filenames in the debug log do not match the filenames in 
your shibboleth2.xml file, which suggests the file you're looking at is 
not the one that shibd is actually using.  The log says it is reading 
from /etc/shibboleth/shibboleth2.xml.

The other possibility is that the contents of the key or cert files are 
not in the expected format. If something happened to the files, you can 
generate new ones using the keygen script:

https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2067398706/keygen

The log messages are consistent with the certificate file containing a 
private key instead of a certificate.

On 11/28/2022 3:36 PM, Bhagwat, Shrikant wrote:
>
> Below is from shibboleth2.xml file
>
>   <!-- Simple file-based resolvers for separate signing/encryption keys. -->
>         <CredentialResolver type="File" use="signing"
>             key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>
>         <CredentialResolver type="File" use="encryption"
>             key="sp-encrypt-key.pem" certificate="sp-encrypt-cert.pem"/>
>
> This is what is getting loaded
>
> Why are we getting error: 151584876 in ../crypto/pem/pem_lib.c, line 745?
>
> *From:* Christopher Bongaarts <cab at umn.edu>
> *Sent:* Monday, November 28, 2022 4:11 PM
> *To:* Shib Users <users at shibboleth.net>
> *Cc:* Bhagwat, Shrikant <shrbhagw at med.umich.edu>
> *Subject:* Re: ERROR OpenSSL : error code: 151584876 in 
> ../crypto/pem/pem_lib.c, line 745 for SP Signing Certificate
>
> On 11/28/2022 1:27 PM, Bhagwat, Shrikant via users wrote:
>
>     2022-11-28 18:58:49 INFO XMLTooling.SecurityHelper : loading
>     private key from file (/etc/shibboleth/sp-encrypt-key.pem)
>
>     2022-11-28 18:58:49 INFO XMLTooling.SecurityHelper : loading
>     certificate(s) from file (/etc/shibboleth/sp-encrypt-key.pem)
>
>     2022-11-28 18:58:49 ERROR OpenSSL : error code: 151584876 in
>     ../crypto/pem/pem_lib.c, line 745
>
>     2022-11-28 18:58:49 ERROR OpenSSL : error data: Expecting: CERTIFICATE
>
>     2022-11-28 18:58:49 ERROR XMLTooling.CredentialResolver.Chaining :
>     caught exception processing embedded CredentialResolver element:
>     Unable to load certificate(s) from file
>     (/etc/shibboleth/sp-encrypt-key.pem).
>
>     [...]
>     Any idea?
>
> Looks like you're trying to load a private key file as the certificate 
> - you probably want sp-encrypt-cert.pem instead for the cert file in 
> your CredentialResolver.
>
> -- 
> %%  Christopher A. Bongaarts   %%cab at umn.edu           %%
> %%  OIT - Identity Management  %%http://umn.edu/~cab   %%
> %%  University of Minnesota    %%  +1 (612) 625-1809    %%
>

-- 
%%  Christopher A. Bongaarts   %%cab at umn.edu           %%
%%  OIT - Identity Management  %%http://umn.edu/~cab   %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
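
Added example, not part of the original message or of the Shibboleth project's code: a check that reads the PEM label of every file named by a File CredentialResolver and reports any certificate= or key= attribute that points at the wrong kind of file, which is the condition behind "Expecting: CERTIFICATE" in the log above. The function names, the list of accepted private-key labels, and resolving relative names against the configuration file's directory are assumptions; the sample files are constructed placeholders.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
# PEM labels accepted for each CredentialResolver attribute (assumed list).
EXPECTED = {
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"},
    "certificate": {"CERTIFICATE"},
}

def pem_label(path):
    """Return the label of the first PEM block in the file, or None."""
    try:
        m = PEM_BEGIN.search(Path(path).read_text(errors="replace"))
    except OSError:
        return None
    return m.group(1) if m else None

def check_resolvers(config_path):
    """List (use, attribute, file, found_label) for every mismatched file."""
    config_path = Path(config_path)
    problems = []
    for el in ET.parse(str(config_path)).iter():
        # Match on the local name so the check works with or without a namespace.
        if el.tag.rsplit("}", 1)[-1] != "CredentialResolver" or el.get("type") != "File":
            continue
        for attr, allowed in EXPECTED.items():
            name = el.get(attr)
            if name is None:
                continue
            # Assumption: relative names resolve against the config directory.
            label = pem_label(config_path.parent / name)
            if label not in allowed:
                problems.append((el.get("use"), attr, name, label))
    return problems

def demo():
    """Constructed sample: the encryption resolver points its certificate at the key."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        for f, lab in [("sp-signing-key.pem", "PRIVATE KEY"), ("sp-signing-cert.pem", "CERTIFICATE"), ("sp-encrypt-key.pem", "PRIVATE KEY")]:
            (d / f).write_text(f"-----BEGIN {lab}-----\nAAAA\n-----END {lab}-----\n")
        (d / "shibboleth2.xml").write_text(
            '<SPConfig><CredentialResolver type="Chaining">'
            '<CredentialResolver type="File" use="signing" key="sp-signing-key.pem" certificate="sp-signing-cert.pem"/>'
            '<CredentialResolver type="File" use="encryption" key="sp-encrypt-key.pem" certificate="sp-encrypt-key.pem"/>'
            '</CredentialResolver></SPConfig>')
        return check_resolvers(d / "shibboleth2.xml")
```

Running check_resolvers against the configuration path that the shibd log reports, rather than a copy elsewhere, covers both possibilities raised in the reply.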