YAML Parser Error: could not found expected : in <unicode string>

Question

I'm facing difficulty when I am trying to upload an SSL certificate on Amazon EC2 instance. I have my private key and also server certificate obtained from CA. But when I configure it in .config file of apache and restart the server, it fails. When I validate the YAML format (http://yaml-online-parser.appspot.com/) it throws the below error,

while scanning a simple key
in "<unicode string>", line 51, column 1:
BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYD ... 
^
could not found expected ':'
in "<unicode string>", line 52, column 1:
MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdp ... 
^

Below is my .config file syntax which is valid YAML format. It breaks with above error when I put my actual KEY and CERTIFICATE (PEM Format) Content here.

Resources:
sslSecurityGroupIngress: 
Type: AWS::EC2::SecurityGroupIngress
Properties:
  GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
  IpProtocol: tcp
  ToPort: 443
  FromPort: 443
  CidrIp: 0.0.0.0/0

packages:
 yum:
    mod_ssl : []

files:
/etc/httpd/conf.d/ssl.conf:
mode: "000644"
owner: root
group: root
content: |
  LoadModule ssl_module modules/mod_ssl.so
  Listen 443
  <VirtualHost *:443>
    <Proxy *>
     Order deny,allow
     Allow from all
    </Proxy>
ServerName            www.mydomain.com
SSLEngine             on
SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol           All -SSLv2 -SSLv3
SSLHonorCipherOrder   On

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
ErrorLog /var/log/httpd/elasticbeanstalk-error_log
TransferLog /var/log/httpd/elasticbeanstalk-access_log
</VirtualHost>

/etc/pki/tls/certs/server.crt:
  mode: "000400"
  owner: root
  group: root
  content: |
  -----BEGIN CERTIFICATE-----
MIID5jCCAs4CCQCNEX8DqNboazANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMC
SU4xEjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQmVuZ2FsdXJ1MSwwKgYD
VQQKDCNCSFNBVkkgQ2FiIFNlcnZpY2VzIFByaXZhdGUgTGltaXRlZDELMAkGA1UE
CwwCSVQxGTAXBgNVBAMMECoudGF4aWNpcmNsZS5jb20xJzAlBgkqhkiG9w0BCQEW
GHByYXNoYW50aEBteW9mZmljZWNhYi5pbjAeFw0xNjAyMDgxNDQ1MzdaFw0xNzAy
MDcxNDQ1MzdaMIG0MQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0YWthMRIw
EAYDVQQHDAlCZW5nYWx1cnUxLDAqBgNVBAoMI0JIU0FWSSBDYWIgU2VydmljZXMg
UHJpdmF0ZSBMaW1pdGVkMQswCQYDVQQLDAJJVDEZMBcGA1UEAwwQKi50YXhpY2ly
Y2xlLmNvbTEnMCUGCSqGSIb3DQEJARYYcHJhc2hhbnRoQG15b2ZmaWNlY2FiLmlu
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvogqbCp8t0UcL9Uspcme
drEF4FBynok2YoSkPfMKBZQ+0m+079ecutxt7KvGlozdC5P6HddVD1xZwT9ZMqwK
kszBcmhlYLK5WUCkKHjjxyBaEkU6VTHhqr52oENRDahXoGpwlCxE7iSVSfHQ4wjI
ghjlxcaduLXoheIaDQ/GvS8XXR0+kajiTvdctXOdUogt+sAelfzqS3P5M2f45+DJ
/TuwgAvZExwzxD+pOr/PauEUmHFIqqXZPnMkE7GdaOI7aZlaotiz+7coxn0KPNPh
GvAwf+1CMTNq9ThCSRb/UuEKjCwLr7QtPEpi0ZlN8tK7brKNk/oCZjhzCTmCzDDT
mwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBICHhx4ozMBcBtUYss9/4Id0aN2GPr
eJLONRKp7gN60NfxiLdl3zI0pIwvrV5/J6mWdyHcGmbBm43bzpKiesG1k7q3ERhY
V7NahaXfMu+hdEtCnwrWgCQa7G1qGX6RyscgCIkBWq87RTAsJjMqXuGDFUiPUezj
12wPQXq0N5F7+abCM5KllZ3lTIuuWV/T5jxFH+SHV+hc5osrWZxipMEOYIG2Ndeg
/RTRO9QflHB/uN7ZaIZWsWHP0dPud6nX92xdWiknz6Sem3sm4698MKATeC6MSHq0
z9J//0wwLdGL5zGipAew6Yu6E/vexTaseQWCAkvN0urWDIJwU+3N2ls7
-----END CERTIFICATE-----

/etc/pki/tls/certs/server.key:
 mode: "000400"
 owner: root
 group: root
 content: |
  -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvogqbCp8t0UcL9UspcmedrEF4FBynok2YoSkPfMKBZQ+0m+0
79ecutxt7KvGlozdC5P6HddVD1xZwT9ZMqwKkszBcmhlYLK5WUCkKHjjxyBaEkU6
VTHhqr52oENRDahXoGpwlCxE7iSVSfHQ4wjIghjlxcaduLXoheIaDQ/GvS8XXR0+
kajiTvdctXOdUogt+sAelfzqS3P5M2f45+DJ/TuwgAvZExwzxD+pOr/PauEUmHFI
qqXZPnMkE7GdaOI7aZlaotiz+7coxn0KPNPhGvAwf+1CMTNq9ThCSRb/UuEKjCwL
r7QtPEpi0ZlN8tK7brKNk/oCZjhzCTmCzDDTmwIDAQABAoIBAQCRSVe//232elaS
CuXuzZ1uOHKYp/+e8FZuLWLockl0E6UL5m58bVdwDeIslJfr+SIdUAtrceXEvtEa
UOn9f77YThY83WpgoChB7M7Apd5a20qToAJpMI46Gt5uOqa12WZoRoHuGwu85FyK
dECqvunWepHLjDZ8wQm7/buLtjn/y3YVGkUvldBzjK56TnKIu6VOiDIHUdgGfR9T
LNZAnnoGQ49WDGy96n3bmBIbTCOGunNOhvnnQFR4XhN/Q9LuQqDb3tEGK8a2CpMM
JjHcAGdsJv3kTvmQDOUG0ety0mRvHhu4CZc3AVcRnvQ0e7l3p2d5SZ3YiXBtzEUb
8w5PejZRAoGBAN/ygKKdJ8Np8kPvIEwu3s8nBG0xbyO4Xkua6fsL/Ks8JbVQCucg
QWrAEL1d1L8nNCY1kxFU2nNk74pBwxXa4SdzcYHjLAnbu9YcrqxUM8tSESbytrzJ
ouYmbVDS7TlLzYGd6a5a42MMudVHhPKHkzbTW1/xeuseBGD5u9/VMv/FAoGBANnN
UD0yYYtdeonwhW7LIXyHAirs45gJ35Vvh89BeEOndEVgPWtSw9t6XQ69xWsAtlDU
G7I3Z9sNeb7cO1Z1au1NqaPgtihOrGCIIjRNKVBf9PuKIosbHy3wab6RuVMbumVw
rPC3sL31TKMzbMZH6FMRLT0DH7EWvEHNeBJxBVvfAoGAH8MWKXoenKGXIbl1nDh9
k2XWQ+Jh/+/zN8fl7Zw6ntKuCnQqx7MUdB5/gUwgk2ftBopMrIWbYghrzPEcySm9
C0pdS+27Xj6S+oAg6gIbQngGRL7h2g7DEt9aW78+tASjRgHulbMAUxkH9k7pdThz
UbBSYl4ub9BXEKX61nk3fX0CgYAt1sE5b/4Jl83vdBiRHd1ZWQzCvgKUgBd3WvbJ
Tu0hx/93jm6+xLeF3LXzIUuIXqkAT/PYSULpXmeuHKm8Y4/yi7LVU7jiuNQcqOoR
+d9lFBz6R7NHdZjVUVDgE8leTWqoaNNtAiwHfrX3bx5IiN/Dg8zyl1K3MaLDcpv/
vZu0HwKBgQCcJ4bw2MEeaJd6KY5pUu+g/rcId5SyIwzZyEwIJ6ai26Nw2pg3hbVv
x6VyMeI559AJevBdrCHx+5F0whaBnIw6/Ccld09+onrDD95lHdMtjvcZqKkX/dC3
rXdRtDphGUdjScgRnV1KL7KU/xgB0xQLYq/SrZSVuXrQB7bMQx/puA==
-----END RSA PRIVATE KEY-----

container_commands:
  killhttpd:
    command: "killall httpd"
  waitforhttpddeath:
    command: "sleep 3"

Any help is appreciated.

Answer 1

In YAML whitespaces and correct indentation is part of syntax.

In line 50 and 57, you need to add two additional spaces before multiline string. This way it won't be treated as key.

  -----BEGIN CERTIFICATE-----<my crt content>-----END CERTIFICATE----- # add two spaces in front

Same thing in line 57:

  -----BEGIN RSA PRIVATE KEY-----<my private key content>-----END RSA  PRIVATE KEY----- #two additional spaces in front

Answer 2

Your example file has multiple indentation issues that need more than two lines changed to get into acceptable YAML:

Resources:
  sslSecurityGroupIngress:
    Type: AWS::EC2::SecurityGroupIngress
Properties:
  GroupId: {"Fn::GetAtt" : ["AWSEBSecurityGroup", "GroupId"]}
  IpProtocol: tcp
  ToPort: 443
  FromPort: 443
  CidrIp: 0.0.0.0/0

packages:
  yum:
    mod_ssl : []

files:
  /etc/httpd/conf.d/ssl.conf:
    mode: "000644"
    owner: root
    group: root
    content: |
      LoadModule ssl_module modules/mod_ssl.so
      Listen 443
      <VirtualHost *:443>
        <Proxy *>
         Order deny,allow
         Allow from all
        </Proxy>
      ServerName            www.mydomain.com
      SSLEngine             on
      SSLCertificateFile    "/etc/pki/tls/certs/server.crt"
      SSLCertificateKeyFile "/etc/pki/tls/certs/server.key"
      SSLCipherSuite        EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
      SSLProtocol           All -SSLv2 -SSLv3
      SSLHonorCipherOrder   On

      Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
      Header always set X-Frame-Options DENY
      Header always set X-Content-Type-Options nosniff

      LogFormat "%h (%{X-Forwarded-For}i) %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
      ErrorLog /var/log/httpd/elasticbeanstalk-error_log
      TransferLog /var/log/httpd/elasticbeanstalk-access_log
      </VirtualHost>

  /etc/pki/tls/certs/server.crt:
    mode: "000400"
    owner: root
    group: root
    content: |
      -----BEGIN CERTIFICATE-----
      MIID5jCCAs4CCQCNEX8DqNboazANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UEBhMC
      SU4xEjAQBgNVBAgMCUthcm5hdGFrYTESMBAGA1UEBwwJQmVuZ2FsdXJ1MSwwKgYD
      VQQKDCNCSFNBVkkgQ2FiIFNlcnZpY2VzIFByaXZhdGUgTGltaXRlZDELMAkGA1UE
      CwwCSVQxGTAXBgNVBAMMECoudGF4aWNpcmNsZS5jb20xJzAlBgkqhkiG9w0BCQEW
      GHByYXNoYW50aEBteW9mZmljZWNhYi5pbjAeFw0xNjAyMDgxNDQ1MzdaFw0xNzAy
      MDcxNDQ1MzdaMIG0MQswCQYDVQQGEwJJTjESMBAGA1UECAwJS2FybmF0YWthMRIw
      EAYDVQQHDAlCZW5nYWx1cnUxLDAqBgNVBAoMI0JIU0FWSSBDYWIgU2VydmljZXMg
      UHJpdmF0ZSBMaW1pdGVkMQswCQYDVQQLDAJJVDEZMBcGA1UEAwwQKi50YXhpY2ly
      Y2xlLmNvbTEnMCUGCSqGSIb3DQEJARYYcHJhc2hhbnRoQG15b2ZmaWNlY2FiLmlu
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvogqbCp8t0UcL9Uspcme
      drEF4FBynok2YoSkPfMKBZQ+0m+079ecutxt7KvGlozdC5P6HddVD1xZwT9ZMqwK
      kszBcmhlYLK5WUCkKHjjxyBaEkU6VTHhqr52oENRDahXoGpwlCxE7iSVSfHQ4wjI
      ghjlxcaduLXoheIaDQ/GvS8XXR0+kajiTvdctXOdUogt+sAelfzqS3P5M2f45+DJ
      /TuwgAvZExwzxD+pOr/PauEUmHFIqqXZPnMkE7GdaOI7aZlaotiz+7coxn0KPNPh
      GvAwf+1CMTNq9ThCSRb/UuEKjCwLr7QtPEpi0ZlN8tK7brKNk/oCZjhzCTmCzDDT
      mwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBICHhx4ozMBcBtUYss9/4Id0aN2GPr
      eJLONRKp7gN60NfxiLdl3zI0pIwvrV5/J6mWdyHcGmbBm43bzpKiesG1k7q3ERhY
      V7NahaXfMu+hdEtCnwrWgCQa7G1qGX6RyscgCIkBWq87RTAsJjMqXuGDFUiPUezj
      12wPQXq0N5F7+abCM5KllZ3lTIuuWV/T5jxFH+SHV+hc5osrWZxipMEOYIG2Ndeg
      /RTRO9QflHB/uN7ZaIZWsWHP0dPud6nX92xdWiknz6Sem3sm4698MKATeC6MSHq0
      z9J//0wwLdGL5zGipAew6Yu6E/vexTaseQWCAkvN0urWDIJwU+3N2ls7
      -----END CERTIFICATE-----

  /etc/pki/tls/certs/server.key:
   mode: "000400"
   owner: root
   group: root
   content: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIEpAIBAAKCAQEAvogqbCp8t0UcL9UspcmedrEF4FBynok2YoSkPfMKBZQ+0m+0
    79ecutxt7KvGlozdC5P6HddVD1xZwT9ZMqwKkszBcmhlYLK5WUCkKHjjxyBaEkU6
    VTHhqr52oENRDahXoGpwlCxE7iSVSfHQ4wjIghjlxcaduLXoheIaDQ/GvS8XXR0+
    kajiTvdctXOdUogt+sAelfzqS3P5M2f45+DJ/TuwgAvZExwzxD+pOr/PauEUmHFI
    qqXZPnMkE7GdaOI7aZlaotiz+7coxn0KPNPhGvAwf+1CMTNq9ThCSRb/UuEKjCwL
    r7QtPEpi0ZlN8tK7brKNk/oCZjhzCTmCzDDTmwIDAQABAoIBAQCRSVe//232elaS
    CuXuzZ1uOHKYp/+e8FZuLWLockl0E6UL5m58bVdwDeIslJfr+SIdUAtrceXEvtEa
    UOn9f77YThY83WpgoChB7M7Apd5a20qToAJpMI46Gt5uOqa12WZoRoHuGwu85FyK
    dECqvunWepHLjDZ8wQm7/buLtjn/y3YVGkUvldBzjK56TnKIu6VOiDIHUdgGfR9T
    LNZAnnoGQ49WDGy96n3bmBIbTCOGunNOhvnnQFR4XhN/Q9LuQqDb3tEGK8a2CpMM
    JjHcAGdsJv3kTvmQDOUG0ety0mRvHhu4CZc3AVcRnvQ0e7l3p2d5SZ3YiXBtzEUb
    8w5PejZRAoGBAN/ygKKdJ8Np8kPvIEwu3s8nBG0xbyO4Xkua6fsL/Ks8JbVQCucg
    QWrAEL1d1L8nNCY1kxFU2nNk74pBwxXa4SdzcYHjLAnbu9YcrqxUM8tSESbytrzJ
    ouYmbVDS7TlLzYGd6a5a42MMudVHhPKHkzbTW1/xeuseBGD5u9/VMv/FAoGBANnN
    UD0yYYtdeonwhW7LIXyHAirs45gJ35Vvh89BeEOndEVgPWtSw9t6XQ69xWsAtlDU
    G7I3Z9sNeb7cO1Z1au1NqaPgtihOrGCIIjRNKVBf9PuKIosbHy3wab6RuVMbumVw
    rPC3sL31TKMzbMZH6FMRLT0DH7EWvEHNeBJxBVvfAoGAH8MWKXoenKGXIbl1nDh9
    k2XWQ+Jh/+/zN8fl7Zw6ntKuCnQqx7MUdB5/gUwgk2ftBopMrIWbYghrzPEcySm9
    C0pdS+27Xj6S+oAg6gIbQngGRL7h2g7DEt9aW78+tASjRgHulbMAUxkH9k7pdThz
    UbBSYl4ub9BXEKX61nk3fX0CgYAt1sE5b/4Jl83vdBiRHd1ZWQzCvgKUgBd3WvbJ
    Tu0hx/93jm6+xLeF3LXzIUuIXqkAT/PYSULpXmeuHKm8Y4/yi7LVU7jiuNQcqOoR
    +d9lFBz6R7NHdZjVUVDgE8leTWqoaNNtAiwHfrX3bx5IiN/Dg8zyl1K3MaLDcpv/
    vZu0HwKBgQCcJ4bw2MEeaJd6KY5pUu+g/rcId5SyIwzZyEwIJ6ai26Nw2pg3hbVv
    x6VyMeI559AJevBdrCHx+5F0whaBnIw6/Ccld09+onrDD95lHdMtjvcZqKkX/dC3
    rXdRtDphGUdjScgRnV1KL7KU/xgB0xQLYq/SrZSVuXrQB7bMQx/puA==
    -----END RSA PRIVATE KEY-----

container_commands:
  killhttpd:
    command: "killall httpd"
  waitforhttpddeath:
    command: "sleep 3"

All of the lines under a literal block style scalar ( introduced by the | in content: | need to be indented more than the initial letter of the previous line (i.e. more than the indentation of c).

And defining:

Resources:
sslSecurityGroupIngress:

will give Resources a value of None/null, if you want the value to be a mapping again you have to indent the key of that mapping.

Resources:
  sslSecurityGroupIngress: