ListenAndServerTLS keeps failing with error: failed to find any PEM data in certificate input

I bought an SSL certificate from Godaddy for a web site. I added the files to the server and ran the service, and it just returns an error:

    failed to find any PEM data in certificate input

I used cat to generate a server.pem file with all the files, even added a godaddy pem intermediate pem file they provide for a G2 Certificate Chain and nothing.

    cat generated-private-key.txt > server.pem
    cat 678f65b8a7391017.crt >> server.pem
    cat gd_bundle-g2-g1.crt >> server.pem
    cat gdig2.crt.pem >> server.pem

Using a self-signed certificate works, but of course it's not usable in the real world.

Code attempt 1:

    log.Fatal(http.ListenAndServeTLS(fmt.Sprintf("%s:%d", configuration.HttpServer.Address, configuration.HttpServer.Port), "server.pem", "generated-private-key.txt", router))

Code attempt 2:

    cert, err := tls.LoadX509KeyPair("server.pem","generated-private-key.txt")
    if err != nil {
        log.Fatalf("server: loadkeys: %s", err)
    }
    pem, err := ioutil.ReadFile("gd_bundle-g2-g1.crt")
    if err != nil {
        log.Fatalf("Failed to read client certificate authority: %v", err)
    }
    certpool := x509.NewCertPool()
    if !certpool.AppendCertsFromPEM(pem) {
        log.Fatalf("Can't parse client certificate authority")
    }
    tlsConfig := &tls.Config{
        ClientCAs:    certpool,
        Certificates: []tls.Certificate{cert},
    }

    srv := &http.Server{
        Addr: fmt.Sprintf("%s:%d", configuration.HttpServer.Address, configuration.HttpServer.Port),
        Handler: router,
        ReadTimeout: time.Duration(5) * time.Second,
        WriteTimeout: time.Duration(5) * time.Second,
        TLSConfig: tlsConfig,
    }
    log.Fatal(srv.ListenAndServeTLS("678f65b8a7391017.crt","generated-private-key.txt"))

Both give the same error.

I need to have this up and running as I already have the back-end done but now I just want to enable HTTPS for productive environment.

I've struggled with this myself and I think your issue here is that you need to process the keys before presenting for the http.Server, and you'll need to include the RootCA. I've downloaded an SSL from GoDaddy (using the Other option) and grabbed their gd_bundle-g2.crt RootCA from here. Once you've grabbed that, create a function like below (added a gist here):

    import (
        "crypto/tls"
        "crypto/x509"
        "encoding/pem"
        "errors"
        "fmt"
        "io/ioutil"
    )

    // genTLS reads the CA bundle, private key and certificate from disk,
    // re-encodes the key and certificate as clean PEM, and builds a tls.Config.
    func genTLS() (*tls.Config, error) {
        caCert, err := ioutil.ReadFile("/home/sborza/gd_bundle-g2.crt")
        if err != nil {
            return nil, fmt.Errorf("read root cert: %s", err.Error())
        }

        // **** START PRIV KEY PROCESSING ****

        clientBytes, err := ioutil.ReadFile("/home/sborza/sborza_dev.key")
        if err != nil {
            return nil, fmt.Errorf("read client priv key: %s", err.Error())
        }

        // pem.Decode returns a nil block when the input holds no PEM data.
        cb, _ := pem.Decode(clientBytes)
        if cb == nil {
            return nil, errors.New("decode client priv key: no PEM data found")
        }
        k, err := x509.ParsePKCS8PrivateKey(cb.Bytes)
        if err != nil {
            return nil, fmt.Errorf("parse client privkey: %s", err.Error())
        }

        clientKey, err := x509.MarshalPKCS8PrivateKey(k)
        if err != nil {
            return nil, fmt.Errorf("marshal client privkey: %s", err.Error())
        }
        clientKeyPEM := pem.EncodeToMemory(&pem.Block{
            Type:  "PRIVATE KEY",
            Bytes: clientKey,
        })

        // **** END PRIV KEY PROCESSING ****
        // **** START CERT PROCESSING ****

        certBytes, err := ioutil.ReadFile("/home/sborza/sborza_dev.pem")
        if err != nil {
            return nil, fmt.Errorf("read client cert: %s", err.Error())
        }

        cbk, _ := pem.Decode(certBytes)
        if cbk == nil {
            return nil, errors.New("decode client cert: no PEM data found")
        }
        certs, err := x509.ParseCertificates(cbk.Bytes)
        if err != nil {
            return nil, fmt.Errorf("parse client cert: %s", err.Error())
        }
        if len(certs) == 0 {
            return nil, errors.New("parse client cert: no certificate in PEM block")
        }

        clientCertPEM := pem.EncodeToMemory(&pem.Block{
            Type:  "CERTIFICATE",
            Bytes: certs[0].Raw,
        })

        // **** END CERT PROCESSING ****
        // **** START TLS CONFIG ****

        cert, err := tls.X509KeyPair(clientCertPEM, clientKeyPEM)
        if err != nil {
            return nil, fmt.Errorf("tls key pair: %s", err.Error())
        }
        caCertPool := x509.NewCertPool()
        // err is nil at this point, so report the failure with a fixed message.
        if ok := caCertPool.AppendCertsFromPEM(caCert); !ok {
            return nil, errors.New("append cert: no certificates parsed from CA bundle")
        }

        return &tls.Config{
            RootCAs:      caCertPool,
            Certificates: []tls.Certificate{cert},
        }, nil
        // **** END TLS CONFIG ****
    }

Finally solved it, I had to combine both generated-private-key.txt and generated-csr.txt that Godaddy provided me into a single "server.key" file. Incredible what lack of knowledge of certain things ends up wasting so much time. But I guess that's why we're here, for the thrill of exploring. Thank you everyone for the help!

The issue was with the key file. This was the same key I used given by GoDaddy without any modification. The beginning of the file had some issue (like UTF-8 BOM at the start of the file or similar) as @SteffenUllrich mentioned. To fix this, I added an empty line just above the key file and it worked.

Finally, the key looks like:

    <Empty line>
    -----BEGIN RSA PRIVATE KEY-----
    wlWPpSnGEdNjRapfW/6+xzjDVAaKC41c5b07OAviFchwqGI+88
    aZGwBJnTgkbsLddddddd=
    -----END RSA PRIVATE KEY-----