I have really big trouble. I tried many times to start the nginx server as a Windows service after binding 2 websites which are hosted on IIS using Kestrel, but I couldn't achieve that; it creates the error below. How can I solve this problem? I created the certs with the commands below:
openssl pkcs12 -in xyz.com.pfx -nocerts -out /xyzcert/xyz.com.pem
openssl rsa -in /certificate/xyz.pem -out /xyzcert/xyz.com.key
openssl x509 -outform der -in /xyzcert/xyz.com.pem -out /xyzcert/xyz.com.crt
If I check my error log:
2019/05/31 13:58:14 [emerg] 8792#10088: no ssl_client_certificate for ssl_client_verify
2019/05/31 13:58:16 [emerg] 7324#8852: no ssl_client_certificate for ssl_client_verify
2019/05/31 13:58:20 [emerg] 8520#9928: no ssl_client_certificate for ssl_client_verify
Nginx.conf
http {
#...
upstream loadbalancer.xyz.com {
server staging1.xyz.com:996;
server staging2.xyz.com:997;
}
server {
listen 80;
server_name www.loadbalancer.xyz.com;
#...
location /upstream {
proxy_pass https://loadbalancer.xyz.com;
proxy_ssl_certificate /xyzcert/xyz.com.crt;
proxy_ssl_certificate_key /xyzcert/xyz.com.key;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /xyzcert/xyz.com.pem;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_session_reuse on;
}
}
server {
listen 443 ssl;
server_name staging1.xyz.com;
ssl_certificate /xyzcert/xyz.com.crt;
ssl_certificate_key /xyzcert/xyz.com.key;
ssl_trusted_certificate /xyzcert/xyz.com.pem;
location /yourapp {
proxy_pass http://staging1.xyz.com;
#...
}
}
server {
listen 443 ssl;
server_name staging2.xyz.com;
ssl_certificate /xyzcert/xyz.com.crt;
ssl_certificate_key /xyzcert/xyz.com.key;
ssl_trusted_certificate /xyzcert/xyz.com.pem;
location /yourapp {
proxy_pass http://staging2.xyz.com;
#...
}
}
}
So it means that I have some certificate issue, but I tried to solve that issue by creating the certs as above. How can I start my load balancer using my config? Or do I have some other issue to deal with? I need your great help. Thank you.
Related
I have this setup of NGINX as a reverse proxy.
server {
listen 443 ssl;
server_name site1.example.com;
ssl_certificate /home/efwm/efwmsw/certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://127.0.0.1:8010;
}
}
server {
listen 443 ssl;
server_name site2.example.com;
ssl_certificate /certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://127.0.0.1:8020;
}
}
server {
listen 443 ssl;
server_name site3.example.com;
ssl_certificate /certificate/example.com.cer;
ssl_certificate_key /certificate/example.com.key;
location / {
proxy_pass http://192.168.1.50:8000;
}
}
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
For the first two servers everything works fine, but requests to the third server get ERR_CONNECTION_REFUSED.
I'd add that the first two services run in Docker on the same server where NGINX runs, while the third is a standalone server. Nothing is written in the error log. Of course I tried calling the exposed service on the third server directly and it works. Any suggestion is welcome. Thank you
I've requested a certbot certificate for my domain with the command below on my VPS (Debian) and I got it:
sudo certbot --nginx -d mydomain.es
But when I run my docker-compose file I get this error:
#1: cannot load certificate "/etc/letsencrypt/live/mydomain .es/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)
This is my docker-compose.yml
nginx_mn:
image: nginx:1.19
restart: on-failure
ports:
- 80:80
- 443:443
volumes:
- ./docker/nginx:/etc/nginx/conf.d
- ./certbot/conf:/etc/letsencrypt
- ./certbot:/etc/letsencrypt/live/mydomain.es/fullchain.pem
- ./certbot:/etc/letsencrypt/live/mydomain.es/privkey.pem
- ./certbot/www:/var/www/certbot
depends_on:
- web
certbot:
image: certbot/certbot
entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
volumes:
- ./certbot/conf:/etc/letsencrypt
- ./certbot/www:/var/www/certbot
volumes:
certbot: null
and my default.conf:
upstream server {
server web:8000;
}
server {
listen 80;
listen [::]:80;
server_name mydomain.es;
#Acme challenge link only needed for verifying domain to this ip address
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
return 301 https://$server_name$request_uri;
}
server {
listen 80;
listen [::]:80;
listen 443;
listen [::]:443 ssl;
root /apps/back;
server_name mydomain.es;
ssl_certificate /etc/letsencrypt/live/mydomain.es/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.es/privkey.pem;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log debug;
client_max_body_size 8M;
location / {
proxy_pass http://server;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_redirect off;
proxy_set_header X-Forwarded-Host $server_name;
}
}
I'm running nginx in Docker. When I run the app in the browser without SSL (port 443) it works. But when I add the lines below, it gives an error:
listen 443;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/mydomain.es/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.es/privkey.pem;
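The two posts above fail in the same area. The first one's certificate files come from "openssl pkcs12 -nocerts" (which writes only the private key) and "openssl x509 -outform der" (DER output, whereas nginx reads PEM), and its log shows the startup error nginx emits when ssl_verify_client is set without ssl_client_certificate. The second one's "no start line" is OpenSSL's message when the file at the configured path has no PEM header at all, and the compose file shown mounts the ./certbot directory at both the fullchain.pem and privkey.pem paths. The checker below is an added example, not code from either poster or from the nginx project: it classifies certificate files by encoding and lints server blocks for the directive combinations that recur on this page (ssl_verify_client without ssl_client_certificate, proxy_ssl_verify on without proxy_ssl_trusted_certificate, listen 443 without the ssl parameter, a second block claiming the same server_name on a socket, and the deprecated "ssl on"). The sample configuration and file contents are constructed, and the parser only covers the directive syntax used on this page.

```python
"""Added example: lint nginx server blocks for the TLS startup errors seen in
this thread and classify certificate files by encoding. Not code from the
posts; the parser covers the syntax used here, not every nginx corner case."""
import re
from dataclasses import dataclass, field

@dataclass
class Block:
    name: str                                        # "http", "server", "location /x"
    directives: list = field(default_factory=list)   # [(name, [args]), ...]
    children: list = field(default_factory=list)

_TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
_PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]+)-----")

def parse(text):
    """Build a block tree. Comments are stripped first; the constructed sample
    never puts '#' inside a quoted value, so this shortcut is safe here."""
    root = Block("root")
    stack, cur = [root], []
    for tok in _TOKEN.findall(re.sub(r"#[^\n]*", "", text)):
        if tok == "{":
            blk = Block(" ".join(cur))
            stack[-1].children.append(blk)
            stack.append(blk)
            cur = []
        elif tok == "}":
            stack.pop()
            cur = []
        elif tok == ";":
            if cur:
                stack[-1].directives.append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(tok.strip("\"'"))
    return root

def _walk(block, inherited=None):
    """Yield (block, effective directives); nested blocks inherit their parents'
    settings the way nginx merges http -> server -> location."""
    eff = dict(inherited or {})
    for name, args in block.directives:
        eff[name] = args
    yield block, eff
    for child in block.children:
        yield from _walk(child, eff)

def _first(eff, name, default):
    return (eff.get(name) or [default])[0]

def audit(conf):
    """Return findings for the misconfigurations discussed in the thread."""
    findings, claimed = [], set()
    for blk, eff in _walk(parse(conf)):
        if blk.name == "server":
            label = " ".join(eff.get("server_name") or ["(no server_name)"])
            tls = "ssl_certificate" in eff
            # startup error: "no ssl_client_certificate for ssl_client_verify"
            if tls and _first(eff, "ssl_verify_client", "off") in ("on", "optional") \
                    and "ssl_client_certificate" not in eff:
                findings.append(f"{label}: ssl_verify_client without ssl_client_certificate")
            if _first(eff, "ssl", "off") == "on":
                findings.append(f"{label}: 'ssl on' is deprecated; use 'listen ... ssl'")
            dupes = []
            for args in (a for d, a in blk.directives if d == "listen"):
                addr, port = args[0], args[0].rsplit(":", 1)[-1]
                # without the ssl parameter, plain HTTP is answered on the TLS port
                if tls and port == "443" and "ssl" not in args:
                    findings.append(f"{label}: 'listen {' '.join(args)}' lacks 'ssl' although a certificate is configured")
                # same name on the same socket (textual match): nginx keeps the first block
                if (addr, label) in claimed:
                    dupes.append(addr)
                claimed.add((addr, label))
            if dupes:
                findings.append(f"{label}: {', '.join(dupes)} already claimed by an earlier block with this server_name")
        elif blk.name.startswith("location"):
            # startup error: "no proxy_ssl_trusted_certificate for proxy_ssl_verify"
            if _first(eff, "proxy_ssl_verify", "off") == "on" and "proxy_ssl_trusted_certificate" not in eff:
                findings.append(f"{blk.name}: proxy_ssl_verify on without proxy_ssl_trusted_certificate")
    return findings

def classify_cert_material(data):
    """nginx reads PEM only. 'openssl pkcs12 -nocerts' writes a key, 'openssl
    x509 -outform der' output and a .pfx both start with an ASN.1 SEQUENCE byte,
    and a file with no PEM header is what produces OpenSSL's 'no start line'."""
    m = _PEM_HEADER.search(data)
    if m:
        kind = m.group(1).decode()
        return "pem-private-key" if kind.endswith("PRIVATE KEY") else "pem-" + kind.lower().replace(" ", "-")
    return "der-or-pkcs12" if data[:1] == b"\x30" else "not-pem"

# Constructed sample carrying the mistakes discussed above (not a real config).
SAMPLE_CONF = """
http {
  ssl_verify_client on;   # inherited by every server below
  server {
    listen 443 ssl; server_name api.example.test;
    ssl_certificate /etc/nginx/tls/api.crt; ssl_certificate_key /etc/nginx/tls/api.key;
    location /upstream { proxy_pass https://backend; proxy_ssl_verify on; }
  }
  server {
    listen 80; listen 443; server_name web.example.test; ssl on;
    ssl_certificate /etc/nginx/tls/web.crt; ssl_certificate_key /etc/nginx/tls/web.key;
  }
  server { listen 80; server_name web.example.test; }
}
"""
```

Running audit(SAMPLE_CONF) yields six findings, one per mistake planted in the sample; feeding it a file's bytes through classify_cert_material tells you whether the path nginx points at holds a PEM certificate, a PEM key, a DER/PKCS#12 blob or nothing usable, which is the first thing to check when nginx reports a PEM or certificate loading error.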
We're actually trying to set up a simple Nginx config. But we're losing our heads over this conf, as nginx is doing a strange job:
We've set up 2 sub-domains on a clean Nginx install from yesterday:
Domain 1:
upstream 430750ef-08ce-4463-bfae-88043ffc7c82-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://430750ef-08ce-4463-bfae-88043ffc7c82-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
Domain 2:
upstream 820528fd-a13f-496a-b124-8973f4367db6-app {
server localhost:58033;
}
server {
listen 80;
listen [::]:80;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
location / {
proxy_pass http://820528fd-a13f-496a-b124-8973f4367db6-app;
proxy_connect_timeout 1200;
proxy_send_timeout 1200;
proxy_read_timeout 1200;
send_timeout 1200;
client_max_body_size 100M;
}
}
Actually, we're having SSL problems on domain 2: Firefox (and Chrome as well) say that the domain 2 SSL certificate is not trusted, as domain 2 is using the cert of domain 1 and is not covered by it.
We can't understand why the server_name property is not working. From our point of view, nginx should be using the domain 2 cert when any visitor reaches 820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com.
1 more specification:
I've updated server_names_hash_bucket_size to 512 as we're using long subdomains.
"FUN" fact:
When we rename the domain 2 config file from /etc/nginx/sites-enabled/820528fd-a13f-496a-b124-8973f4367db6.conf to /etc/nginx/sites-enabled/000-820528fd-a13f-496a-b124-8973f4367db6.conf, the right cert is served.
In that case, we're thinking that, for a reason we couldn't find, nginx is using the filename as the server_name property instead of the server_name we've set up in the file, and for another reason is only using the first config file found in /etc/nginx/sites-enabled.
Any ideas?
Thanks for your support by the way,
Regards,
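Since the post says domain 2 is served domain 1's certificate, the first thing to establish is which certificate nginx actually returns for each SNI name, the check that "openssl s_client -servername" gives interactively. The script below is an added example, not the poster's code: it connects with a chosen SNI name, keeps chain verification on (the post's certificates are Let's Encrypt issued, so the chain validates even when the name is wrong) but disables hostname checking so a mismatched certificate is returned rather than rejected, then compares the vhost name against the certificate's subjectAltName entries. The host and port in the usage section are assumptions; the two vhost names are the ones from the post.

```python
"""Added example: report which certificate a TLS server returns for a given
SNI name and whether that certificate covers the name. Not the poster's code;
the host and port in the example call are assumptions."""
import socket
import ssl

def fetch_peer_cert(host, port, sni, timeout=5.0):
    """Connect to host:port sending `sni` in the ClientHello and return the
    parsed peer certificate. Chain verification stays on (assumes a CA-issued
    certificate, as with the Let's Encrypt ones in the post); hostname
    checking is off so a mismatched certificate is returned, not rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert()

def san_names(peercert):
    """DNS names from subjectAltName, falling back to the subject commonName."""
    names = [v for t, v in peercert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def cert_covers(names, hostname):
    """Exact match, or a wildcard that replaces exactly the left-most label."""
    hostname = hostname.lower().rstrip(".")
    _first, _, rest = hostname.partition(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*.") and rest and name[2:] == rest:
            return True
    return False

def check_vhosts(host, port, vhosts):
    """Map each vhost name to (covered?, DNS names in the certificate served for it)."""
    report = {}
    for name in vhosts:
        names = san_names(fetch_peer_cert(host, port, name))
        report[name] = (cert_covers(names, name), names)
    return report

if __name__ == "__main__":
    # Assumed host and port; the vhost names are the two from the post.
    for vhost, (ok, names) in check_vhosts("nginx-host.example", 443, [
            "430750ef-08ce-4463-bfae-88043ffc7c82.app.foobar.com",
            "820528fd-a13f-496a-b124-8973f4367db6.app.foobar.com"]).items():
        print(("OK        " if ok else "MISMATCH  ") + vhost + " -> " + ", ".join(names))
```

A MISMATCH line for the second name while the first is OK confirms that nginx is falling back to its default server for that SNI value instead of matching the server_name, which narrows the search to how that server block is being loaded rather than to the certificate files themselves.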
I've been trying for two days to configure my website with HTTPS, but nothing works.
Here is my configuration file:
worker_processes 1;
error_log logs/error.log info;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 9998 ssl;
server_name mysubdomain.domain.fr;
ssl_certificate "C:/path_to_cert.crt";
ssl_certificate_key "C:/path_to_rsa.rsa";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
On Firefox I get PR_CONNECT_RESET_ERROR.
And with openssl -connect:
4384:error:0200274C:system library:connect:reason(1868):crypto\bio\b_sock2.c:110:
4384:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:111:
connect:errno=0
Am I missing something?
Thank you in advance for your help
After several days of searching for the source of the problem, it turned out that it came from IIS, which was installed on this computer and previously configured on this port, and was blocking the connection.
I have OpenERP running on port 8069.
This is the nginx conf:
server {
listen 80;
listen [::]:80;
listen 443 default ssl;
server_name www.erp.mysite.hr;
ssl on;
ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
if ($ssl_protocol = "") {
rewrite ^ https://$server_name$request_uri? permanent;
}
}
and the location block and the proxy to the port go here, which work...
and when I access OpenERP, it is always http unless https is specified in the URL; that way it works, but it is not redirected to https automatically.
This is the link that I get:
http://erp.mysite.hr/web/login?redirect=http%3A%2F%2Ferp.mysite.hr%2Fweb
Any idea what could be the problem?
Thanks
This should work correctly: any http request will be redirected to https, which will then be handled by the top block.
server {
listen 443 default ssl;
server_name www.erp.mysite.hr;
ssl on;
ssl_certificate /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.crt;
ssl_certificate_key /etc/ssl/eco/erp_mysite_hr/erp_mysite_hr.key;
ssl_session_timeout 30m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
#do whatever you need here
}
}
server {
listen 80;
server_name www.erp.mysite.hr;
location / {
return 301 https://$host$request_uri$is_args$args;
}
}
First, change your nginx config. Second, go to system parameters and change the parameter
web.base.url = "https://erp.mysite.hr"
to your URL.
You can also add a URL freeze parameter to prevent reloading of this attribute:
web.base.url.freeze = True