The PEM_read_bio_X509 function is failing because it can’t find the expected -----BEGIN CERTIFICATE----- header in the data it’s trying to parse. This means the certificate file is either corrupted, incomplete, or not a PEM-encoded X.509 certificate at all.
Common Causes and Fixes
- Incomplete File Transfer (Most Common)
  - Diagnosis: Check the file size of your PEM file against the expected size. If you downloaded it, compare it to the source. If it was uploaded, check the original. For example, if you expect a 2KB certificate and your file is 500 bytes, it’s likely incomplete.
  - Fix: Re-transfer or re-download the certificate file, ensuring the entire file is transferred. For `scp`, use `scp user@host:/path/to/cert.pem .` and verify the size. For `wget`, ensure no download errors occurred and the file size matches the remote file.
  - Why it works: The `PEM_read_bio_X509` function expects a specific header and footer structure. If the file is truncated, the header is missing, leading to the error. A complete transfer ensures all necessary bytes, including the header, are present.
- File Corruption
  - Diagnosis: Use a checksum tool (like `md5sum` or `sha256sum`) on the file locally and compare it to a known good checksum from the source. If they don’t match, the file is corrupted.
  - Fix: Obtain a fresh copy of the certificate from the original source. If you have a known good checksum, verify the new copy. For example, run `sha256sum mycert.pem` and compare the output.
  - Why it works: File corruption can alter bytes within the file, including the header line, making it unreadable by the PEM parser. A fresh, uncorrupted copy will have the correct header.
- Incorrect Encoding (e.g., DER instead of PEM)
  - Diagnosis: Open the file in a text editor. If it contains human-readable text like `-----BEGIN CERTIFICATE-----`, it’s likely PEM. If it’s a jumble of binary characters, it might be DER. You can also try parsing it as PEM and see if it errors: `openssl x509 -in mycert.pem -inform PEM -text -noout`. If this command fails with a similar "no start line" error, it’s a strong indicator.
  - Fix: If the certificate is in DER format, convert it to PEM: `openssl x509 -inform DER -in mycert.der -out mycert.pem`.
  - Why it works: `PEM_read_bio_X509` specifically looks for the Base64-encoded PEM format, which starts with `-----BEGIN CERTIFICATE-----`. DER is a binary format that doesn’t have this header.
- Extra Characters Before the Header
  - Diagnosis: Carefully inspect the very beginning of the file using a hex editor or by printing the first 100 characters: `head -c 100 mycert.pem`. Look for any whitespace, control characters, or other text before the `-----BEGIN CERTIFICATE-----` line.
  - Fix: Remove any extraneous characters before the `-----BEGIN CERTIFICATE-----` line. You can often do this with `sed`: `sed '1,/-----BEGIN CERTIFICATE-----/ s/^[ \t]*//' mycert.pem > clean_cert.pem` (this example strips leading whitespace from the first line through the BEGIN line; you may need to adjust it if the extraneous characters are on a line before the BEGIN line). Or, more aggressively, `awk '/-----BEGIN CERTIFICATE-----/{f=1} f' mycert.pem > clean_cert.pem`, which discards everything before the BEGIN line.
  - Why it works: The PEM parser is very strict. Any characters, even whitespace or newlines, preceding the `-----BEGIN CERTIFICATE-----` line are considered invalid and will cause the parse to fail.
- Using the Wrong File (e.g., Private Key instead of Certificate)
  - Diagnosis: Open the file in a text editor. If it starts with `-----BEGIN PRIVATE KEY-----` or `-----BEGIN RSA PRIVATE KEY-----`, it’s a private key, not a certificate.
  - Fix: Ensure you are providing the correct certificate file to the function expecting an X.509 certificate. If you intended to load a private key, use `PEM_read_bio_PrivateKey`.
  - Why it works: `PEM_read_bio_X509` is designed to parse X.509 certificate structures, which have a specific header (`-----BEGIN CERTIFICATE-----`). Private keys have different headers and structures.
- File Encoding Issues (e.g., UTF-16 instead of UTF-8)
  - Diagnosis: Use a tool like `file` to inspect the file encoding: `file mycert.pem`. If it reports something other than ASCII text or UTF-8, it might be the issue.
  - Fix: Convert the file to UTF-8. For example, if it’s UTF-16, you might use `iconv -f UTF-16LE -t UTF-8 mycert.pem > mycert_utf8.pem`.
  - Why it works: While PEM is typically ASCII, some systems might incorrectly encode the file, leading to parsing issues if the underlying library expects a specific character encoding for the text data.
- Missing Certificate Chain/Intermediate Certificates
  - Diagnosis: This is less about the start line error and more about subsequent errors or verification failures, but sometimes a malformed chain can lead to unexpected behavior. For `PEM_read_bio_X509` specifically, a missing chain usually won’t cause a "no start line" error on the first certificate read unless the file itself is malformed. If you’re reading a file that should contain multiple certs and are getting this error on the first one, it’s likely one of the causes above. If you’re trying to load a chain and it fails on the second or third cert, check that each individual cert in the chain has its own `-----BEGIN CERTIFICATE-----` header.
  - Fix: Ensure each certificate file in your chain is a valid PEM-encoded certificate with its own header and footer. Concatenate them correctly if they are separate files.
  - Why it works: Each certificate, even within a chain, must be individually parseable as a PEM-encoded X.509 certificate.
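The checks in the causes above can be scripted so a file is triaged before it ever reaches `PEM_read_bio_X509`. The following is an added example, not part of the original answer: a POSIX-shell pre-flight checker that classifies a certificate file as empty, DER, UTF-16, BOM-prefixed, private key, indented header, text before the header, truncated (BEGIN without END), or a clean bundle with N certificates. The function names `pem_diagnose` and `make_samples`, the verdict labels, and the sample files (whose Base64-looking body is placeholder text, not a real certificate) are all constructed here; it uses only POSIX tools (`od`, `tr`, `grep`, `sed`, `wc`, `head`) so it needs no `openssl` binary.

```shell
# Added example (not from the original answer): a POSIX-shell pre-flight
# check that applies the diagnoses above to a file before it reaches
# PEM_read_bio_X509. Function and verdict names are chosen here.
# Prints one verdict line and returns 0 only for a clean PEM certificate bundle.
pem_diagnose() {
    f=$1
    size=$(wc -c < "$f")
    if [ "$size" -eq 0 ]; then
        echo "EMPTY: zero-byte file; re-transfer it"
        return 1
    fi
    # First four bytes as hex, e.g. "2d 2d 2d 2d" for "----".
    magic=$(od -An -N4 -tx1 "$f" | tr -s ' ' | sed 's/^ //; s/ $//')
    case "$magic" in
        "ff fe"*|"fe ff"*)
            echo "UTF16: byte-order mark found; convert with iconv -t UTF-8"; return 1 ;;
        "ef bb bf"*)
            echo "LEADING_JUNK: UTF-8 BOM precedes the header; strip the first 3 bytes"; return 1 ;;
        "30 82"*)
            echo "DER: binary ASN.1 SEQUENCE; convert with openssl x509 -inform DER"; return 1 ;;
    esac
    # PEM is 7-bit text; any NUL byte means a binary or wide-character file.
    nonul=$(tr -d '\000' < "$f" | wc -c)
    if [ "$nonul" -ne "$size" ]; then
        echo "BINARY: NUL bytes present; not a text PEM file"
        return 1
    fi
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            echo "PRIVATE_KEY: this is a key; load it with PEM_read_bio_PrivateKey"
        elif grep -q -- '-----BEGIN ' "$f"; then
            echo "WRONG_PEM_TYPE: a PEM object is present but it is not a CERTIFICATE"
        else
            echo "NO_HEADER: no BEGIN CERTIFICATE line; truncated, corrupt, or not PEM"
        fi
        return 1
    fi
    # The header line must start in column 0 (no indentation or stray bytes).
    anchored=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$f" || true)
    if [ "$anchored" -ne "$begins" ]; then
        echo "LEADING_JUNK: whitespace or other characters precede the header on its line"
        return 1
    fi
    # Non-blank lines ahead of the first header (e.g. stray text from a copy-paste).
    before=$(sed -n -e '/-----BEGIN CERTIFICATE-----/q' -e p "$f" | grep -c '[^[:space:]]' || true)
    if [ "$before" -ne 0 ]; then
        echo "TEXT_BEFORE_HEADER: $before non-blank line(s) before the header; strip with the awk one-liner"
        return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "TRUNCATED: $begins BEGIN but $ends END line(s); footer missing"
        return 1
    fi
    echo "OK: $begins PEM certificate(s) found"
    return 0
}

# Constructed sample files for exercising each verdict. The Base64-looking
# body is placeholder text, not a real certificate.
make_samples() {
    d=$1
    hdr='-----BEGIN CERTIFICATE-----'; ftr='-----END CERTIFICATE-----'
    body='MIIBszCCAVmgAwIBAgIUPLACEHOLDERBODYNOTAREALCERT='
    printf '%s\n%s\n%s\n' "$hdr" "$body" "$ftr" > "$d/good.pem"
    cat "$d/good.pem" "$d/good.pem" > "$d/chain.pem"
    printf '%s\n%s\n' "$hdr" "$body" > "$d/truncated.pem"
    printf '  %s\n%s\n%s\n' "$hdr" "$body" "$ftr" > "$d/indented.pem"
    { echo 'Bag Attributes'; cat "$d/good.pem"; } > "$d/junk.pem"
    { printf '\357\273\277'; cat "$d/good.pem"; } > "$d/bom.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN PRIVATE KEY-----' "$body" '-----END PRIVATE KEY-----' > "$d/key.pem"
    printf '\060\202\001\263\060\202' > "$d/cert.der"      # DER starts 30 82 ll ll
    printf '\377\376-\000-\000' > "$d/utf16.pem"           # UTF-16LE BOM then "--"
    : > "$d/empty.pem"
    head -c 10 "$d/good.pem" > "$d/partial.pem"            # cut inside the header
}
```

Usage: `pem_diagnose /path/to/cert.pem; echo "exit $?"`; `make_samples /tmp/pemcheck` writes the constructed files if you want to see every verdict. One caveat on the `TEXT_BEFORE_HEADER` verdict: OpenSSL’s own PEM reader skips complete lines that do not begin with `-----BEGIN`, which is why the `Bag Attributes` lines emitted by `openssl pkcs12` are harmless to it, so treat that verdict as advisory; indentation or a BOM on the header line itself is what actually trips the parser, and the `awk` one-liner above cleans up both cases.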
The next error you’ll likely encounter after fixing this is PEM_read_bio_X509: no end line if the certificate is truncated at the footer, or a verification error if the certificate itself is invalid or untrusted.