TLS certificate for GUI access troubleshooting
Overview
Enabling HTTPS on the Monitor app requires two files, uploaded in Monitor - Access Tab:
| Field | What to upload | Accepted extensions |
|---|---|---|
| TLS certificate for GUI access | Your server certificate | .pem or .crt |
| TLS key for GUI access | The matching private key | .pem, .crt, or .key |
Both files must be provided together. The certificate must be in PEM format (the only accepted format). After saving, the app validates both files, verifies they match, and restarts the server with HTTPS enabled.
"The file does not appear to be a valid certificate"
This error appears during upload when the file content doesn't have the expected PEM format.
The certificate must start with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----.
The key must start and end with one of:
-----BEGIN PRIVATE KEY-----/-----END PRIVATE KEY-----(PKCS#8)-----BEGIN RSA PRIVATE KEY-----/-----END RSA PRIVATE KEY-----(RSA)-----BEGIN EC PRIVATE KEY-----/-----END EC PRIVATE KEY-----(EC)
Common causes
- The file is DER-encoded (binary format) even though it has a
.crtor.pemextension - The file is a Certificate Signing Request (CSR) instead of a signed certificate
- The file is a PKCS#12 bundle (
.p12/.pfx) - The file has extra content (whitespace, BOM, or metadata) before the certificate header
How to identify your file format
Open the file in a text editor.
Valid PEM certificate (accepted):
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiUMA0GCSqGSIb3Qq2FA...
(base64 lines)
-----END CERTIFICATE-----
DER-encoded / binary (rejected):
0�÷0��ɠ *†H†÷ ��0S1 0 U AU1...
CSR — not a certificate (rejected):
-----BEGIN CERTIFICATE REQUEST-----
MIICYDCCAUgCAQAwGzEZMBcGA1UEAwwQdGVzdC5leGFt...
-----END CERTIFICATE REQUEST-----
How to fix
-
Verify your certificate file
openssl x509 -in your_cert_file.crt -text -nooutIf this succeeds, the file is valid — check for extra whitespace or BOM characters before the header.
-
Convert from DER to PEM (if binary)
openssl x509 -inform DER -in cert.der -out cert.pem -outform PEM -
Extract from PKCS#12 bundle (if
.p12/.pfx)openssl pkcs12 -in bundle.p12 -clcerts -nokeys -out cert.pemTo also extract the private key:
openssl pkcs12 -in bundle.p12 -nocerts -nodes -out key.pem -
Remove extra content
If the file has whitespace, or other text before the header, open it in a text editor and remove everything before
-----BEGIN CERTIFICATE-----.
"Certificate and key mismatch"
This error appears after clicking Save. It means the certificate and private key you uploaded don't belong to the same key pair — the app compares their fingerprints and they don't match.
Common causes
- The key was generated for a different certificate
- The certificate was re-issued or renewed but the old key was uploaded
- The files were mixed up (e.g. a key from a staging environment paired with a production certificate)
How to verify they match
Run these two commands and compare the output:
openssl x509 -in cert.pem -pubkey -noout | openssl md5
openssl pkey -in key.pem -pubout | openssl md5
Both must output the same MD5 hash. If they differ, the files don't match — you need to upload the correct pair.
How to fix
Make sure both files originate from the same certificate generation process:
- If you generated a CSR and private key together, use that same private key with the certificate your CA signed from that CSR
- If you received a PKCS#12 bundle from your CA, extract both the certificate and key from the same bundle
"Invalid certificate format"
This error appears after clicking Save. The file has correct PEM headers but the content inside is corrupted or not a valid X.509 certificate.
Re-export the certificate from your CA and try again.
"No key provided"
Both the certificate and key fields are required. Upload the matching private key alongside the certificate.