unable to get local issuer certificate

Torsten Reinhard
March 23, 2020 06:08AM
Hi,


I'm running nginx/1.17.8 as a reverse proxy, executed as Docker container via docker-compose.yaml.

version: '2'
services:
  proxy:
    image: nginx:1.17
    container_name: nginx
    restart: always
    ports:
      - "443:8443"
      - "80:8080"

    volumes:
      - /data/nginx-conf:/etc/nginx/conf.d/

    networks:
      - webgateway

networks:
  webgateway:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1300


It's configured to run secured, which is working fine. The servers being proxied are available at https, but currently the verification is turned off. The certificate used by the server is also valid, it's a chain being built upon server->intermediate-root CA.


When turning it on, I always get

=> nginx | 2020/03/19 12:37:50 [error] 6#6: *1 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 141.77.119.231, server: tam-ci.mygroup.net, request: “GET /sonarqube/ HTTP/2.0”, upstream: "https://10.248..117.61:443/sonarqube/", host: “tam-ci.mygroup.net”

Here's my configuration:


location /sonarqube/ {
    proxy_pass https://cvm23801.mygroup.net$request_uri;

    # TODO needed here ?
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # verify the Traefik certificate

    # TODO need to use own client certificate ???
    #proxy_ssl_certificate /etc/nginx/conf.d/tam-ci.pem;
    #proxy_ssl_certificate_key /etc/nginx/conf.d/tam-ci.key;

    proxy_ssl_trusted_certificate /etc/nginx/conf.d/mygroup-ca.pem;

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    #proxy_ssl_name tam-ci.bmwgroup.net;
    proxy_ssl_verify on;
    #proxy_ssl_server_name off;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    proxy_read_timeout 1800;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    send_timeout 1800;
}


Any idea why I always see this error? Or how to fix it?
The proxy_ssl_trusted_certificate is a valid certificate chain containing an intermediate as well as a root certificate (in one file).

Thanx in advance,

Torsten
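
Verify error 20 from the log line in the post can be reproduced offline with `openssl verify`, which uses the same OpenSSL chain building that nginx relies on for `proxy_ssl_verify`. The following is an added example, not part of the original post: it builds a constructed root -> intermediate -> server PKI (all names, paths and the `x.cnf` file are assumptions) and reports the verify result for several combinations of trusted bundle and certificates presented by the upstream.

```sh
#!/bin/sh
# Added example: constructed PKI (root -> intermediate -> server); all names are made up.
set -eu

new_cert() {  # $1=dir $2=file stem $3=CN $4=issuer stem or "self" $5=extension section
  local d="$1" n="$2"
  openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ "$4" = self ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 1 \
      -extfile "$d/x.cnf" -extensions "$5" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$4.pem" -CAkey "$d/$4.key" -CAcreateserial \
      -days 1 -extfile "$d/x.cnf" -extensions "$5" -out "$d/$n.pem" 2>/dev/null
  fi
}

build_pki() {  # $1 = empty work directory
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' \
    '[ext_ca]' 'basicConstraints = critical,CA:TRUE' \
    '[ext_leaf]' 'basicConstraints = CA:FALSE' > "$1/x.cnf"
  new_cert "$1" root  "Constructed Root CA"         self  ext_ca
  new_cert "$1" inter "Constructed Intermediate CA" root  ext_ca
  new_cert "$1" leaf  "upstream.example.test"       inter ext_leaf
  new_cert "$1" other "Unrelated Root CA"           self  ext_ca
  cat "$1/inter.pem" "$1/root.pem" > "$1/bundle.pem"  # intermediate + root in one file
}

# Prints OK or the first OpenSSL verify error number.
# $1 = trusted bundle (the role of proxy_ssl_trusted_certificate), $2 = server certificate,
# $3 = optional file with the extra certificates the upstream sends in its handshake
verify_result() {
  local out code
  out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1 || true)
  code=$(printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
  echo "${code:-OK}"
}

PKI=$(mktemp -d); trap 'rm -rf "$PKI"' EXIT
build_pki "$PKI"
echo "trust inter+root, upstream sends leaf only     -> $(verify_result "$PKI/bundle.pem" "$PKI/leaf.pem")"
echo "trust root only,  upstream sends leaf only     -> $(verify_result "$PKI/root.pem" "$PKI/leaf.pem")"
echo "trust root only,  upstream sends leaf + inter  -> $(verify_result "$PKI/root.pem" "$PKI/leaf.pem" "$PKI/inter.pem")"
echo "trust unrelated root, upstream sends leaf only -> $(verify_result "$PKI/other.pem" "$PKI/leaf.pem")"
echo "trust inter+root, upstream sends self-signed   -> $(verify_result "$PKI/bundle.pem" "$PKI/other.pem")"
```

Error 20 appears whenever the issuer of the certificate actually presented is found neither in the trusted bundle nor in the chain sent by the upstream; a self-signed certificate that is not in the bundle gives error 18 instead.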