UI not loading on default config with SSL certificate error?

droid1
Junior Member
Posts: 1
Joined: 15 Dec 2019, 12:21

UI not loading on default config with SSL certificate error?

Post by droid1 »

Just installed the latest csf on my Debian 10 setup and it works fine, the Web-UI is however showing a connection refused error. Checking the lfd logs shows this error:

Code:

Dec 15 12:15:04 xxxx lfd[6078]: UI: *Error* cannot open server on port 1026: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8859

Searching on the internet it seems the certificate format is not something compatible with my Linux installation. lfd and csf both start and run fine.
welkeini
Junior Member
Posts: 1
Joined: 25 Dec 2019, 16:14

Re: UI not loading on default config with SSL certificate error?

Post by welkeini »

droid1 wrote: 15 Dec 2019, 12:26
Just installed the latest csf on my Debian 10 setup and it works fine, the Web-UI is however showing a connection refused error. Checking the lfd logs shows this error:

Code:

Dec 15 12:15:04 xxxx lfd[6078]: UI: *Error* cannot open server on port 1026: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 8859

Searching on the internet it seems the certificate format is not something compatible with my Linux installation. lfd and csf both start and run fine.
SAME THING TO ME
Thanks
Liteblue
mojocreator
Junior Member
Posts: 6
Joined: 03 Apr 2017, 00:05

Re: UI not loading on default config with SSL certificate error?

Post by mojocreator »

I am running into the exact same issue, new install, CSF/LFD are running and working fine but I get a certificate error. Is this a known issue or are we missing something? The UI directory has a key/crt but the error is asking for a PEM, DER or PKCS12. Converting the CRT to PEM doesn't work either.

Code:

Jan 14 23:29:54 server lfd[13471]: UI: *Error* cannot open server on port 6857: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 9169
haniaro
Junior Member
Posts: 1
Joined: 22 Apr 2020, 19:01

Re: UI not loading on default config with SSL certificate error?

Post by haniaro »

I have the same issue on a freshly installed CentOS 8, please help me.

Code:

Apr 22 20:59:03 localhost lfd[29189]: UI: *Error* cannot open server on port 6666: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 9358
webfizz
Junior Member
Posts: 3
Joined: 09 Feb 2016, 16:20

Re: UI not loading on default config with SSL certificate error?

Post by webfizz »

Same issue here - fresh install of CentOS 8 in a local environment (no domain), tried multiple ports, tried creating new certs, but no luck:

Code:

Apr 27 09:27:20 localhost lfd[2146]: UI: *Error* cannot open server on port 9999: Failed to load certificate from file (no PEM, DER or PKCS12) error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error, at line 9374

I found this error message in the file SSL.pm on many sites showing the source for SSL.pm:

Code:

$havecert or return IO::Socket::SSL->error(
    "Failed to load certificate from file (no PEM, DER or PKCS12)");
alex_john_m
Junior Member
Posts: 1
Joined: 28 Apr 2020, 15:07

Re: UI not loading on default config with SSL certificate error?

Post by alex_john_m »

On my server I fixed this by deleting the existing certificate and key and generating a new self-signed certificate and key:

Code:

rm -f /etc/csf/ui/server.key
rm -f /etc/csf/ui/server.crt
openssl req -newkey rsa:2048 -nodes -keyout /etc/csf/ui/server.key -x509 -days 365 -out /etc/csf/ui/server.crt
csf -r
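Added here as an example, not code from this thread, from CSF or from IO::Socket::SSL: a small checker that reports which of the container formats named in the error a file really is and applies the SEQUENCE-tag check that OpenSSL's asn1_check_tlen rejects with "wrong tag", so an unusable /etc/csf/ui/server.crt (empty, plain text, or a key sitting where the cert should be) can be explained before it is regenerated. The sample inputs are constructed and the default path is only an assumption.

```python
import base64
import re
import sys

# Constructed sample inputs (not real certificates): a minimal DER SEQUENCE,
# the same bytes in PEM armour, an empty file and a plain-text file.
DER_SAMPLE = bytes([0x30, 0x03, 0x02, 0x01, 0x05])   # SEQUENCE { INTEGER 5 }
PEM_SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(DER_SAMPLE)
              + b"-----END CERTIFICATE-----\n")
EMPTY_FILE = b""
TEXT_FILE = b"this is not a certificate\n"

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def check_der(der: bytes) -> str:
    """The check OpenSSL's asn1_check_tlen fails on: data must start with a
    SEQUENCE tag (0x30) and the length field must cover exactly what follows."""
    if len(der) < 2:
        return "empty or truncated (%d bytes)" % len(der)
    if der[0] != 0x30:
        return "wrong tag: expected SEQUENCE (0x30), got 0x%02x" % der[0]
    first = der[1]
    if first < 0x80:                      # short-form length
        hdr, length = 2, first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if len(der) != hdr + length:
        return "length mismatch: header says %d, %d bytes follow" % (length, len(der) - hdr)
    return "ok"

def classify_cert_file(data: bytes) -> dict:
    """Report container format (PEM/DER/none), the PEM label (a server.crt that
    holds a PRIVATE KEY shows up here) and the DER check result."""
    m = PEM_RE.search(data)
    if m:
        body = re.sub(rb"\s+", b"", m.group(2))  # drop line breaks before decoding
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            return {"format": "PEM", "label": m.group(1).decode(), "der": "bad base64"}
        return {"format": "PEM", "label": m.group(1).decode(), "der": check_der(der)}
    if data[:1] == b"\x30":
        return {"format": "DER", "label": None, "der": check_der(data)}
    return {"format": "none", "label": None, "der": check_der(data)}

if __name__ == "__main__":  # default path is an assumption: the CSF UI cert from the thread
    for path in sys.argv[1:] or ["/etc/csf/ui/server.crt"]:
        with open(path, "rb") as f:
            print(path, classify_cert_file(f.read()))
```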
zav
Junior Member
Posts: 2
Joined: 14 May 2020, 09:10

Re: UI not loading on default config with SSL certificate error?

Post by zav »

I switched from APF to CSF many years ago. This year my admin tasks started to scale in a way that made me need to automate more. Ansible. And... CSF cluster. Part of learning how to cluster CSF made me curious about the UI. And my master node is CentOS 8 so I had the same error as OP and Google brought me here.

alex_john_m's solution works perfectly. If you prefer a Letsencrypt certificate for CSF UI, I can add the following to this thread:

TL;DR:
1) Install acme.sh
2) Issue a cert - I use the DNS verification method so that I don't need to open any ports for the issue / renewal.
3) Tell acme.sh to deploy the key and fullchain cert to the CSF UI.

acme.sh will automatically install a renewal cron job. This cron job should renew the cert when needed, deploy the fresh certs to CSF and reload LFD.
Note that I implemented this today so I have not yet seen a successful renewal, but based on my experience with acme.sh I am confident it will work 2 months down the track.


Details:

I use cloudflare as my DNS provider. If yours is different it may still be possible to tailor this to your provider if they have a DNS API.

Many are supported.

1) Generate a Cloudflare API Token. Do not use your global API key. That was a thing years ago. Nowadays you can create more granular tokens with limited powers. The token currently needs read access to Zone.Zone, and write access to Zone.DNS, across all Zones. There is work being done to do away with "all zones" access so that you can have a token that can only access the one zone in question, but that is not ready yet.

2) Install curl, git and socat

3) Install acme.sh. Quick and dirty is

Code:

curl https://get.acme.sh | sh

but I recommend the slower approach so you can inspect the script first rather than blindly execute a script off the internet.

Recommended:

Code:

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh

Now inspect it. If satisfied, run it

Code:

./acme.sh --install
4) Log out and back in because it will have added a path to your .bashrc. Alternatively, source your ~/.bashrc.

5) In your bash shell export variables

Code:

export CF_Token="PUT_YOUR_TOKEN_STRING_HERE"
export CF_Account_ID="PUT_YOUR_ACCOUNT_ID_STRING_HERE"

6) Assuming your fqdn for this install is csf.domain.tld, let's issue a cert:

Code:

acme.sh --issue --dns dns_cf -d csf.domain.tld --keylength ec-384

If you are old school and have issues with elliptic curve cryptography, leave out the --keylength ec-384 to request an RSA cert instead. I won't judge.

7) At this point acme.sh has your cert and has created a cron job to keep renewing it. All of this without opening any ports for letsencrypt validation. But the cert isn't doing anything yet. We need the deploy action.

8)

Code:

acme.sh --install-cert -d csf.domain.tld --ecc --key-file /etc/csf/ui/server.key --fullchain-file /etc/csf/ui/server.crt --reloadcmd "systemctl restart lfd"

Again, if you did not want elliptic curve cryptography in the previous step and have an RSA cert instead, you need to modify the above by omitting the --ecc option.

This will copy the most current version of the cert chain and the matching private key to the relevant CSF UI files and restart LFD to make it take effect. It will also do it automatically any time the cert was automatically renewed!

We might be able to reload LFD rather than restart it? I have not tested that yet.

This method also allows for wildcard certs to be issued but in my case there was no use for it because the CSF node running the UI will not run anything else.