Ruby & OpenSSL 3.0: Neither PUB key nor PRIV key: bad decrypt (OpenSSL::PKey::RSAError)


Such an innocent piece of code:

require 'openssl'
private_key = OpenSSL::PKey::RSA.new(File.read('my.key'), 'keypassword')

Producing such a cryptic error:

/usr/lib64/ruby/3.1.0/openssl/pkey.rb:356:in `initialize': Neither PUB key nor PRIV key: bad decrypt (OpenSSL::PKey::RSAError)
        from /usr/lib64/ruby/3.1.0/openssl/pkey.rb:356:in `new'
        from /usr/lib64/ruby/3.1.0/openssl/pkey.rb:356:in `new'

To give you some context, I have my Let’s Encrypt script based on the acme-client gem and use a 4096-bit RSA key, because I’ve been using Let’s Encrypt for a while and, back in the day, only RSA keys were supported. However, after the upgrade to OpenSSL 3.0, my script broke in a very sad way, as shown above.

Surprisingly or not, the solution is to enable the “legacy provider” in OpenSSL. The linked blog post says everything, so just to summarise (and have a backup source of information), set these in /etc/ssl/openssl.cnf:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
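
Before enabling the legacy provider, it helps to check which encryption scheme the key file actually declares; the PEM header can be read without the passphrase. The following is an added example, not code from the original post: `key_encryption`, `MODERN` and `sample_legacy_pem` are hypothetical names, the sample header is constructed, and the allowlist is a conservative assumption about which cipher families the default provider covers.

```ruby
require 'openssl'

# Cipher families the OpenSSL 3.0 default provider still offers. Anything
# else is flagged, conservatively, as probably needing the legacy provider.
MODERN = /\A(AES|DES-EDE3|CAMELLIA|ARIA)-/i

# Returns [container, scheme, legacy_suspected] for a PEM private key.
# Only the unencrypted header is read, so no passphrase is required.
def key_encryption(pem)
  if (m = pem.match(/^DEK-Info:\s*([^,\s]+),/))
    return ['traditional PEM', m[1], !m[1].match?(MODERN)]
  end
  body = pem[/-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END/m, 1]
  return ['unencrypted or unrecognised', nil, false] unless body

  # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
  oid, params = OpenSSL::ASN1.decode(body.unpack1('m')).value[0].value
  if oid.oid == '1.2.840.113549.1.5.13' # PBES2: params = { KDF, cipher }
    enc = params.value[1].value[0]
    name = enc.sn || enc.oid
    ['PKCS#8 PBES2', name, !name.match?(MODERN)]
  else # PBES1 and PKCS#12 PBE schemes, all flagged conservatively
    ['PKCS#8 PBES1-style', oid.ln || oid.oid, true]
  end
end

# Constructed sample: a PKCS#8 header declaring pbeWithMD5AndDES-CBC, with
# dummy salt and ciphertext. It is not a real key.
def sample_legacy_pem
  asn1 = OpenSSL::ASN1
  pbe = asn1::Sequence.new([asn1::OctetString.new("\x01" * 8),
                            asn1::Integer.new(2048)])
  alg = asn1::Sequence.new([asn1::ObjectId.new('1.2.840.113549.1.5.3'), pbe])
  der = asn1::Sequence.new([alg, asn1::OctetString.new("\x00" * 16)]).to_der
  "-----BEGIN ENCRYPTED PRIVATE KEY-----\n#{[der].pack('m')}" \
    "-----END ENCRYPTED PRIVATE KEY-----\n"
end

if __FILE__ == $PROGRAM_NAME
  p key_encryption(sample_legacy_pem)
  p key_encryption(File.read(ARGV[0])) if ARGV[0] && File.file?(ARGV[0])
end
```

A key flagged here can be loaded once with the legacy provider enabled and re-exported with an AES cipher, after which the legacy provider no longer has to stay active for that key.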

Tagged with: Ruby, OpenSSL

Written: 2024-01-13