cannot load certificate, Expecting: TRUSTED CERTIFICATE #2287
Comments
|
Hello, I encounter currently the same issue 2023/08/21 15:31:51 [error] 40#40: *22 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.170.78.215, server: 0.0.0.0:443 |
|
I tested some images and I found all the new images build after this 1.2-alpine didn't works. |
|
Can confirm that release 1.3.1 has this behaviour, while release 1.3.0 does not. -- Correction -- |
|
Found a workaround, which does not correspond to what the README states. If you name the crt and key files as "default.crt" or "default.key" as per https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl#L14C77-L14C77, it seems to work fine with the latest version. So, either fix the template or update the README. |
|
I ran into this as well. Creating a default.crt and default.key fixed the issue. |
|
Would this solution still support multiple virtual hosts with ssl? What's the latest version that doesn't have the issue? I'm running into the same problem, thanks! |
|
I have the same issue with the latest version. Unfortunately using the |
|
HINT: Apparently I did something wrong in the first place. With it worked. |
|
I've been unable to reproduce this, I've never had the issue with Let's Encrypt or ZeroSSL certificates, and I'm not certain what the issue is here. This error ( @osnard do you remember what command you used in the first place to produce the non working cert ? |
|
hi all , using version 1.3.0 worked |
|
I've encountered the same error while trying to use regular expression in the host together with wildcard certificate, with example compose file being below. So, if I tried to enter a non-regular expression host (for example latest-dap.localhost.markoivancic.from.hr), it worked. If I tried to enter regular expression host (for example abc-latest-dap.localhost.markoivancic.from.hr), ti would error out with "Expecting: TRUSTED CERTIFICATE". The solution which worked for me was to explicitly set the shared cert with CERT_NAME environment variable. services:
nginx-proxy:
restart: always
image: nginxproxy/nginx-proxy:latest
ports:
- 80:80
- 443:443
environment:
DEFAULT_HOST: localhost.markoivancic.from.hr
volumes:
- ./nginx-proxy/certs:/etc/nginx/certs
- /var/run/docker.sock:/tmp/docker.sock:ro
08.dap.test:
image: cicnavi/dap:08
container_name: 08.dap.test
restart: unless-stopped
expose:
- 80
- 443
user: ${CONTAINER_USER_ID}
environment:
VIRTUAL_HOST: >-
localhost.markoivancic.from.hr,
08.dap.test,
latest-dap.localhost.markoivancic.from.hr,
~^.+-latest-dap\.localhost\.markoivancic\.from\.hr$,
08-dap.localhost.markoivancic.from.hr,
~^.+-08-dap\.localhost\.markoivancic\.from\.hr$
CERT_NAME: localhost.markoivancic.from.hr
HTTPS_METHOD: noredirect
volumes:
- "./dap/08/html:/var/www/html" |
|
I generated my self-signed certificate using |
|
Was there a resolution to this? Seeing with nginx-proxy:1.4. The certs are generated with certbot on the host machine and volume mapped with container. |
|
@postelrich unfortunately there wasn't really any reproducible bug identified yet, see #2287 (comment) That probably won't change until someone provide a config and a non redacted, non production and disposable cert / key pair (or full command to generate one) that allow to reproduce the issue. |
|
@buchdag after looking further, my issue is that nginx-proxy is not picking up the ssl cert/key no matter what naming I try. If exec into the container, I can see the ssl configs are missing. If I manually add them in for the upstream server, it works. |
|
Could you:
? My guess at this point would be that you are mounting a host symlink inside the container. |
|
@buchdag it was a symlink since I'm using certbot. I think in my various attempts to get this working, I forgot that when I hardcoded I had mounted the linked directory too. Copying the generated pem files instead of symlinking to |
|
Glad you found the issue 👍 If I had to use certbot with nginx-proxy I think I would use the post renewal hook to put the certificates where they should be (with the correct name) and trigger docker-gen and/or reload the nginx config. The recommended way to get TLS certificate from an ACME CA with nginx-proxy is still to use nginx-proxy/acme-companion. |
|
@buchdag yea I tried acme-companion first but these sites are LAN only so couldn't do http challenge. |
|
I'm wondering if the network mode is part of the problem. In the original issue the network mode is host, which I believe binds the container to the host machine's IP address. I'm having a similar issue when using the driver_opts key in my networks definition where I have this: networks:
app-tier:
ipam:
config:
- subnet: 192.168.100.0/24
driver_opts:
# This binds this network's ports to the ip address defined by the BIND_IP
# environment variable.
com.docker.network.bridge.host_binding_ipv4: ${BIND_IP}The error in the logs shows that the proxy server upstream cannot get the value of "data(): 0.0.0.0:443" or something similar. The cert is included in the container in the appropriate location. Maybe this is something to check out? I have nearly identical setups in local and testing setups, with this binding being the main difference. Only this setup produces the errors. Note i'm currently using version 1.5.1 |
Cannot run HTTPS on the 1.3.1 image due to the following startup error:
nginx-proxy_1 | nginx.1 | 2023/08/18 15:59:31 [error] 46#46: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: <IP>, server: 0.0.0.0:8881This is the Docker compose to reproduce it:
For reference these are the crt and key files (REDACTED):
Tried using a crt file produced with
openssl x509 -in dtapi.domain.com.crt --trustout -out dtapi.domain.com.crtwithout any change of output.The text was updated successfully, but these errors were encountered: