[GH-ISSUE #663] Not possible to import custom certificate key using elliptic curve instead of rsa #559

Closed
opened 2026-02-26 06:33:23 +03:00 by kerem · 3 comments

Originally created by @mkochenough on GitHub (Oct 16, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/663

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?

Yes

  • Are you sure you're not using someone else's docker image?

Yes

  • If having problems with Lets Encrypt, have you made absolutely sure your site is accessible from outside of your network?

I'm not using Lets Encrypt. This is for network internal usage.

Describe the bug

I used Nginx Proxy Manager v2.6.1.

I tried to add a custom certificate. I gave it a name and added its key and the certificate itself. After clicking "Save" an error message is displayed:

Upload failed: Certificate Key is not valid (Command failed: openssl rsa -in /tmp/9c58b1f7-db1a-4806-bc91-fb6ee547fb32/tmp -check -noout 140620246457672:error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key:crypto/evp/p_lib.c:469: )

This is understandable as the key uses an elliptic curve instead of RSA. The problem is in backend/internal/certificate.js in the checkPrivateKey method. There an external command is executed with "openssl rsa -in ....".

Executing the same command locally on the key shows the same error. Exchanging "rsa" with "ec" solves the problem locally.

Somehow NPM should detect if an RSA or an EC key is used and use the proper command. Or just check EC if RSA failed before.

kerem closed this issue and added the bug label 2026-02-26 06:33:23 +03:00

@MarceloLagos commented on GitHub (Oct 17, 2020):

The check is easy, but for some reason the validation of the result is empty (when I test) if ec is used in the openssl check.
`let key_type = private_key.includes('-BEGIN RSA') ? 'rsa' : 'ec';`
`return utils.exec('openssl '+key_type+' -in ' + filepath + ' -check -noout')`
`.then((result) => {`

The RSA check output is one line:
`RSA key ok`
while the EC check output is 2 lines:
`read EC key`
`EC Key valid.`

Whenever I check result when using ec, it's empty.
Any ideas?

Edit:
Just to clarify, I used the code above and then verified the error with the line below in the meantime:
`if (!result.toLowerCase().includes('key ok') && !(result==="") ) {`


@MarceloLagos commented on GitHub (Oct 18, 2020):

The problem was that the openssl command was throwing the EC validation output as an error (even though it is successful).
Adding 2>&1 at the end of the command will put error output in standard output and therefore the output will be captured either way. Also, the following string validation needs an additional condition since the message for EC keys doesn't contain "key ok".
I've created Pull #666 with these changes.


@mkochenough commented on GitHub (Oct 18, 2020):

@MarceloLagos You are right. Tested your branch and it works perfectly. Closing my pull request.
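
An added example, not the project's code and not the code from Pull #666: rather than picking the openssl subcommand from the PEM header and matching its output text, the key can be parsed with Node's built-in `crypto` module and the algorithm read from the parsed key. The function names and the rsa/ec allow-list are assumptions of this sketch; note that a PKCS#8 RSA key starts with `-----BEGIN PRIVATE KEY-----`, so the header test quoted in the thread labels it `ec`.

```javascript
const crypto = require('crypto');

// The header test quoted in the thread, kept only for comparison.
function sniffKeyType(pem) {
  return pem.includes('-BEGIN RSA') ? 'rsa' : 'ec';
}

// Hypothetical helper: parse the PEM and report the key algorithm, or throw.
function inspectPrivateKey(pem) {
  let key;
  try {
    key = crypto.createPrivateKey(pem); // throws on malformed input
  } catch (err) {
    throw new Error('Certificate Key is not valid: ' + err.message);
  }
  const type = key.asymmetricKeyType; // 'rsa', 'ec', 'ed25519', ...
  // Assumption: accept only the two key types discussed in the issue.
  if (type !== 'rsa' && type !== 'ec') {
    throw new Error('Unsupported key type: ' + type);
  }
  return { type };
}

// Constructed sample input: throwaway keys exported in each PEM encoding.
function sampleKeys() {
  const rsa = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }).privateKey;
  const ec = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).privateKey;
  return {
    'rsa-pkcs1': rsa.export({ type: 'pkcs1', format: 'pem' }),
    'rsa-pkcs8': rsa.export({ type: 'pkcs8', format: 'pem' }),
    'ec-sec1': ec.export({ type: 'sec1', format: 'pem' }),
    'ec-pkcs8': ec.export({ type: 'pkcs8', format: 'pem' }),
  };
}

// Run both classifiers over every sample so the disagreement is visible.
function compare(keys) {
  const out = {};
  for (const [name, pem] of Object.entries(keys)) {
    out[name] = { sniffed: sniffKeyType(pem), parsed: inspectPrivateKey(pem).type };
  }
  return out;
}

console.table(compare(sampleKeys()));
```

Because the result comes from the parsed key object, it does not depend on which stream openssl writes to or on the wording of its success message.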
