New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cannot load certificate, Expecting: TRUSTED CERTIFICATE #2287
Comments
Hello, I encounter currently the same issue 2023/08/21 15:31:51 [error] 40#40: *22 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 10.170.78.215, server: 0.0.0.0:443 |
I tested some images and I found all the new images build after this 1.2-alpine didn't works. |
Can confirm that release 1.3.1 has this behaviour, while release 1.3.0 does not. -- Correction -- |
Found a workaround, which does not correspond to what the README states. If you name the crt and key files as "default.crt" or "default.key" as per https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl#L14C77-L14C77, it seems to work fine with the latest version. So, either fix the template or update the README. |
I ran into this as well. Creating a default.crt and default.key fixed the issue. |
Would this solution still support multiple virtual hosts with ssl? What's the latest version that doesn't have the issue? I'm running into the same problem, thanks! |
I have the same issue with the latest version. Unfortunately using the |
HINT: Apparently I did something wrong in the first place. With
it worked. |
I've been unable to reproduce this, I've never had the issue with Let's Encrypt or ZeroSSL certificates, and I'm not certain what the issue is here. This error ( @osnard do you remember what command you used in the first place to produce the non working cert ? |
hi all , using version 1.3.0 worked |
I've encountered the same error while trying to use regular expression in the host together with wildcard certificate, with example compose file being below. So, if I tried to enter a non-regular expression host (for example latest-dap.localhost.markoivancic.from.hr), it worked. If I tried to enter regular expression host (for example abc-latest-dap.localhost.markoivancic.from.hr), ti would error out with "Expecting: TRUSTED CERTIFICATE". The solution which worked for me was to explicitly set the shared cert with CERT_NAME environment variable. services:
nginx-proxy:
restart: always
image: nginxproxy/nginx-proxy:latest
ports:
- 80:80
- 443:443
environment:
DEFAULT_HOST: localhost.markoivancic.from.hr
volumes:
- ./nginx-proxy/certs:/etc/nginx/certs
- /var/run/docker.sock:/tmp/docker.sock:ro
08.dap.test:
image: cicnavi/dap:08
container_name: 08.dap.test
restart: unless-stopped
expose:
- 80
- 443
user: ${CONTAINER_USER_ID}
environment:
VIRTUAL_HOST: >-
localhost.markoivancic.from.hr,
08.dap.test,
latest-dap.localhost.markoivancic.from.hr,
~^.+-latest-dap\.localhost\.markoivancic\.from\.hr$,
08-dap.localhost.markoivancic.from.hr,
~^.+-08-dap\.localhost\.markoivancic\.from\.hr$
CERT_NAME: localhost.markoivancic.from.hr
HTTPS_METHOD: noredirect
volumes:
- "./dap/08/html:/var/www/html" |
I generated my self-signed certificate using |
Was there a resolution to this? Seeing
with nginx-proxy:1.4. The certs are generated with certbot on the host machine and volume mapped with container.
|
@postelrich unfortunately there wasn't really any reproducible bug identified yet, see #2287 (comment) That probably won't change until someone provide a config and a non redacted, non production and disposable cert / key pair (or full command to generate one) that allow to reproduce the issue. |
@buchdag after looking further, my issue is that nginx-proxy is not picking up the ssl cert/key no matter what naming I try. If exec into the container, I can see the ssl configs are missing. If I manually add them in for the upstream server, it works. |
Could you:
? My guess at this point would be that you are mounting a host symlink inside the container. |
@buchdag it was a symlink since I'm using certbot. I think in my various attempts to get this working, I forgot that when I hardcoded I had mounted the linked directory too. Copying the generated pem files instead of symlinking to |
Glad you found the issue 👍 If I had to use certbot with nginx-proxy I think I would use the post renewal hook to put the certificates where they should be (with the correct name) and trigger docker-gen and/or reload the nginx config. The recommended way to get TLS certificate from an ACME CA with nginx-proxy is still to use nginx-proxy/acme-companion. |
@buchdag yea I tried acme-companion first but these sites are LAN only so couldn't do http challenge. |
I'm wondering if the network mode is part of the problem. In the original issue the network mode is host, which I believe binds the container to the host machine's IP address. I'm having a similar issue when using the driver_opts key in my networks definition where I have this: networks:
app-tier:
ipam:
config:
- subnet: 192.168.100.0/24
driver_opts:
# This binds this network's ports to the ip address defined by the BIND_IP
# environment variable.
com.docker.network.bridge.host_binding_ipv4: ${BIND_IP} The error in the logs shows that the proxy server upstream cannot get the value of "data(): 0.0.0.0:443" or something similar. The cert is included in the container in the appropriate location. Maybe this is something to check out? I have nearly identical setups in local and testing setups, with this binding being the main difference. Only this setup produces the errors. Note i'm currently using version 1.5.1 |
Cannot run HTTPS on the 1.3.1 image due to the following startup error:
nginx-proxy_1 | nginx.1 | 2023/08/18 15:59:31 [error] 46#46: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: <IP>, server: 0.0.0.0:8881
This is the Docker compose to reproduce it:
For reference these are the crt and key files (REDACTED):
Tried using a crt file produced with
openssl x509 -in dtapi.domain.com.crt --trustout -out dtapi.domain.com.crt
without any change of output.The text was updated successfully, but these errors were encountered: