
nginx SSL no start line: expecting: TRUSTED CERTIFICATE


A "normal" certificate, once encoded in PEM will look like this:

-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----

(the ... is Base64 encoding of a DER structure)

This is normally (with the associated key, typically in separate file) the thing needed by any TLS enabled application when it wants to show its identity to the remote end.

As a side note, since it seems to be a popular (wrong) belief, the filename by itself, including the extension, has explicitly no consequences on the working (or not) status of the content. You can name your files foobar.42 and buzz.666 and if their content is valid they will work as well... of course maintenance by the human would be harder, hence the convention of often using .crt for a certificate (or .cert for non-DOS based constrained environments) and .key for a keyfile, and typically using the site name (for a website) or part of it for the name, such as example.com.crt. But again, those are only one possible set of conventions, and any program needing these files does not care about the name, just the content. Some are using the .pem extension also.

See https://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions for all the above; it has a good discussion/presentation of options.

Now in your case the error message was telling you it expected to have a content written as such:

-----BEGIN TRUSTED CERTIFICATE-----...-----END TRUSTED CERTIFICATE-----

the only difference being the added TRUSTED keyword. But why, and when does it happen?

A certificate is signed by one "certificate authority" through one or more intermediates. This builds a chain of trust up to a root certificate, where the issuer is equal to the subject, this certificate signs itself.

You generated your certificate yourself, so this is a "self-signed" certificate, indistinguishable technically from a CA certificate, except that no system by default, including your own, will give trust to such certificate without specific configuration.

This is basically what the error message tells you: the application says it is loading a certificate based on your configuration that it cannot validate (because it is self-signed) and at the same time you did not explicitly configure it to trust it.

This may be different depending on the application or its version, because the guide at https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04 does basically the same thing as you and it works, but without showing the content of the certificate.

In your openssl call, if you add -trustout it will generate BEGIN TRUSTED CERTIFICATE instead of BEGIN CERTIFICATE. This may happen by default also, depending on how openssl is installed/configured on your system. On the contrary, you have -clrtrust. See the "Trust Settings" section of the openssl x509 command at https://www.openssl.org/docs/man1.1.0/apps/x509.html


Just expanding on @patrick's answer, this command can be used to convert a trusted cert to a normal one.

$ openssl x509 -in trusted.pem -clrtrust -out normal.pem

NOTE: If there are multiple certs in your source file (trusted.pem in the above example) then you will have to do the same for all certs.


I stumbled upon the "Expecting: TRUSTED CERTIFICATE" issue today and found that in my case it was due to file encoding.

I removed header lines originating from PFX to PEM conversion, so the file would begin with -----BEGIN CERTIFICATE-----. PowerShell's Out-File stored the file as UTF8NoBOM by default.

OpenSSL couldn't read the file afterwards, until I changed it to ASCII encoding (by using Out-File -Encoding ascii).
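An added example, not code from any of the answers above: a Python check for both causes discussed on this page (the TRUSTED CERTIFICATE label from -trustout and a UTF-8 BOM in front of the header), plus a pure-Python equivalent of `openssl x509 -clrtrust`. It assumes, as OpenSSL's trusted format does, that the body is the certificate DER followed by an auxiliary trust structure; the sample blob is a constructed stand-in, not a real certificate.

```python
import base64
import re

BOM = b"\xef\xbb\xbf"
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def diagnose_pem(data: bytes) -> dict:
    """Report the two conditions from this page: a UTF-8 BOM before the first
    header (PowerShell Out-File default) and the TRUSTED CERTIFICATE label."""
    has_bom = data.startswith(BOM)
    m = PEM_RE.search(data)
    label = m.group(1).decode() if m else None
    return {"bom": has_bom, "label": label, "trusted": label == "TRUSTED CERTIFICATE"}

def _der_sequence_length(der: bytes) -> int:
    """Total encoded length (tag + length bytes + content) of the DER SEQUENCE at der[0]."""
    if der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def to_plain_certificate(data: bytes) -> bytes:
    """Equivalent of 'openssl x509 -clrtrust': drop the BOM, decode the body,
    keep only the leading certificate SEQUENCE (the trust auxiliary structure
    appended by -trustout follows it), and re-wrap as a plain CERTIFICATE."""
    data = data[len(BOM):] if data.startswith(BOM) else data
    m = PEM_RE.search(data)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode(m.group(2))
    cert = der[:_der_sequence_length(der)]
    b64 = base64.b64encode(cert).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # standard PEM line wrap
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode("ascii")

# Constructed sample (assumption, not a real certificate): a stand-in DER
# SEQUENCE for the certificate, an empty auxiliary SEQUENCE, a BOM in front.
FAKE_CERT_DER = b"\x30\x03\x02\x01\x05"
FAKE_AUX_DER = b"\x30\x00"
SAMPLE = (BOM + b"-----BEGIN TRUSTED CERTIFICATE-----\n"
          + base64.b64encode(FAKE_CERT_DER + FAKE_AUX_DER)
          + b"\n-----END TRUSTED CERTIFICATE-----\n")

if __name__ == "__main__":
    print(diagnose_pem(SAMPLE))
    print(to_plain_certificate(SAMPLE).decode())
```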