
failed to parse private key file

Open ymschaap opened this issue 6 years ago • 3 comments

I followed the instructions outlined here to create a private key to be used for amppkg:

https://github.com/WICG/webpackage/tree/master/go/signedexchange

# Generate prime256v1 ecdsa private key.
openssl ecparam -out priv.key -name prime256v1 -genkey

I created a CSR and had it issued by DigiCert with CanSignHttpExchanges enabled (cert-chain.pem).

If I run locally with this amppkg.toml:

Port = 8080
CertFile = './pems/cert-chain.pem'
KeyFile = './pems/priv.key'
OCSPCache = '/tmp/amppkg-ocsp'

[[URLSet]]
  [URLSet.Sign]
    Domain = "this-is-my-domain.dev"

go run amppkg/main.go

I get:

failed to parse private key file

But I am able to sign a CSR again with that same private key. And the file looks similar to this:

https://github.com/Warashi/try-amppackager/blob/8352bef109ca63eac1de58491edff44f66ec7d39/certs/server.privkey

Not sure what to try now. Anyone have any idea?

ymschaap, May 06 '19 13:05

Not sure. This seems like it should work.

The "failed to parse private key file" error means "I tried parsing all the PEM blocks and none of them looked like an EC private key." It's logged here:

https://github.com/ampproject/amppackager/blob/e4bf0430ba152cfe82ccf063df92021dfc0f26a5/packager/util/util.go#L60

If you're up for some mild Go coding, try adding a print statement just above that if statement, so you can see the intermediate errors. Perhaps that will reveal something?

twifkak, May 08 '19 00:05

Alternatively, maybe try this approach for creating a private key:

https://github.com/oyorooms/deploy-amppackager-aws/#generating-ecdsa-key-and-csr-refer-this-article

twifkak, May 08 '19 00:05

Perhaps the latest github.com/WICG/webpackage package is used, instead of the one in the vendor/ directory?

Recently we changed signedexchange.ParsePrivateKey() to take PEM text instead of decoded DER bytes (https://github.com/WICG/webpackage/pull/426/). Old code using this function still compiles (because the function signature hasn't changed), but fails at runtime.

irori, May 08 '19 02:05
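
Added example, not part of the thread and not amppackager or webpackage code: a standard-library Go diagnostic for the two suggestions above. It reports each PEM block's type with its own parse error (the intermediate errors twifkak suggests printing), and shows that raw DER handed to a PEM-expecting parser, the mismatch irori describes, yields no blocks at all. `BlockReport`, `InspectKeyPEM` and `SampleKeyFile` are hypothetical names, and the key file is constructed at run time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// BlockReport is the outcome of trying one PEM block as an EC private key.
type BlockReport struct {
	Type string // PEM header type, e.g. "EC PARAMETERS"
	Err  error  // nil when the block parsed as a SEC 1 EC private key
}

// InspectKeyPEM tries every PEM block in data as an EC private key and keeps
// each block's own error instead of collapsing them into one generic message.
func InspectKeyPEM(data []byte) (reports []BlockReport) {
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		_, err := x509.ParseECPrivateKey(b.Bytes)
		reports = append(reports, BlockReport{b.Type, err})
	}
	return reports
}

// SampleKeyFile returns a constructed key file laid out like the output of
// `openssl ecparam -name prime256v1 -genkey`, plus the key's raw DER bytes.
func SampleKeyFile() (pemText, der []byte) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if der, err = x509.MarshalECPrivateKey(priv); err != nil {
		panic(err)
	}
	oid := []byte{0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07} // DER OID, prime256v1
	pemText = pem.EncodeToMemory(&pem.Block{Type: "EC PARAMETERS", Bytes: oid})
	pemText = append(pemText, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der})...)
	return pemText, der
}

func main() {
	pemText, der := SampleKeyFile()
	for _, r := range InspectKeyPEM(pemText) {
		fmt.Printf("%-14s parsed=%v err=%v\n", r.Type, r.Err == nil, r.Err)
	}
	fmt.Println("PEM blocks found in raw DER:", len(InspectKeyPEM(der)))
}
```

Passing the contents of the real key file (read with `os.ReadFile`) to `InspectKeyPEM` gives the same per-block view.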