Heroku ssl certs: Key could not be read since it's protected by a passphrase

Question

I am having trouble generating ssl certs that Heroku will accept for secure.mydomain.com. I'm using DNSimple, Cedar Stack, and following the instructions here: https://devcenter.heroku.com/articles/ssl-certificate

1. Copy server.key & server.orig.crt from DNSimple
2. Get root CA certificate with $ curl https://knowledge.rapidssl.com/library/VERISIGN/ALL_OTHER/RapidSSL%20Intermediate/RapidSSL_CA_bundle.pem > rapidssl_bundle.pem
3. Concatenate into one file with cat server.orig.crt rapidssl_bundle.pem > server.crt

So now I have the server.key & server.orig.crt files, which I try to upload to Heroku with $ heroku certs:add server.crt server.key. This gives the error

Key could not be read since it's protected by a passphrase.

The docs above don't mention anything about removing the passphrase from the server.key file. So I dug around and found the docs here: https://devcenter.heroku.com/articles/ssl#customdomain-ssl. I'm running these commands between #1 and #2 above:

1b. $ mv server.key server.orig.key

1c. $ openssl rsa -in server.orig.key -out server.key

However this gives the error

unable to load Private Key
47930:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/pem/pem_lib.c:648:Expecting: ANY PRIVATE KEY

Which I suspect means there is no private key found.

Anyone know what is the issue here? Is this a Heroku issue or an openssl issue (or a DNSimple issue)?

Answer 1

This is really stupid, but as far as I can tell there was an issue with using TextEdit in Mac OS to save the initial server.key and server.orig.crt files.

I used TextMate instead and everything is working fine.

Answer 2

I just struggled mightily with a nearly identical problem installing SSL Certs on a Heroku app with DNSimple and RapidSSL, and want to post my solution here in case someone with a similar problem comes across this response.

I had followed the directions from everywhere on SO and Heroku dev center to install certs through DNSimple and RapidSSL, but every time I tried to add the certs with the command:

$ heroku certs:add server.crt bundle.pem server.key

no matter what I did, I got this error:

$ Adding SSL Endpoint to mysite... failed
 !    Key could not be read since it's protected by a passphrase.
 !    Read instructions on how to remove the passphrase on:
 !    http://www.madboa.com/geek/openssl/#key-removepass`

I knew the key didn't have a passphrase (because I went through that process multiple times) but it still didn't want to add them. I did two things that ultimately got it working though I'm not sure which one was the clincher.

First, I made sure to download the proper PEM file under the Apache, Plesk & CPA box from the RapidSSL email link to Intermediate certificates.

The second thing was to verify my Heroku toolbelt installation by going through the steps here: https://devcenter.heroku.com/articles/heroku-command#installing-the-heroku-cli

Turns out I was still using the gem and had to uninstall until I got to heroku-toolbelt, after which I tried adding the certs again and voila.

Answer 3

Struggled with this issue for days! Until I came across this thread and followed the upgrade advice. The first thing I had to do is

gem uninstall heroku --all

I answered 'Yes' to the keep executable question, because of another post I had read on stackoverflow. I then went to https://toolbelt.herokuapp.com/ and installed the toolbelt (even though heroku --version was saying that it was installed). Upgraded it to heroku-toolbelt 2.39.0. Retried the following command and it worked:

heroku certs:add cert.cer bundle.pem server.key

Maybe i'll finally get some sleep tonight :)

Answer 4

An old toolbelt installation was my problem on windows.

Even though heroku update changed the version number from 2.30.1 to 2.39.0, a heroku version showed it wasn't updating correctly for some reason.

I reinstalled the toolbelt from https://toolbelt.herokuapp.com/ and tried it again, and everything worked.

heroku version now says this for me, and the certs:add works correctly:

heroku-gem/2.39.0 (i386-mingw32) ruby/1.9.2

Answer 5

I now got the same error, even with a recent heroku/7.47.6 (from npm). The reason turned out to be that I got an elliptic-curve certificate from Let's Encrypt, the private key file contained:

-----BEGIN EC PRIVATE KEY-----

That's not supported according to https://devcenter.heroku.com/articles/acquiring-an-ssl-certificate:

Heroku only supports RSA keys for certs. Elliptic curve keys are not supported.

Once I obtained an RSA cert, it worked.

(specifically, dehydrated now defaults to --algo secp384r1, I had to provide --algo rsa. But the idea should be same with other tools/CAs, you need an RSA cert.)