unable to get local issuer certificate


unable to get local issuer certificate

Torsten Reinhard

Hi,


I'm running nginx/1.17.8 as a reverse proxy, executed as a Docker container via docker-compose.yaml.

version: '2'
services:
  proxy:
    image: nginx:1.17
    container_name: nginx
    restart: always
    ports:
      - "443:8443"
      - "80:8080"

    volumes:
      - /data/nginx-conf:/etc/nginx/conf.d/

    networks:
      - webgateway

networks:
  webgateway:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1300


It's configured to run secured, which is working fine. The servers being proxied are available at https, but currently the verification is turned off. The certificate used by the server is also valid, it's a chain being built upon server->intermediate-root CA.


When turning it on, I always get

=> nginx    | 2020/03/19 12:37:50 [error] 6#6: *1 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 141.77.119.231, server: tam-ci.mygroup.net, request: "GET /sonarqube/ HTTP/2.0", upstream: "https://10.248.117.61:443/sonarqube/", host: "tam-ci.mygroup.net"

Here's my configuration:

location /sonarqube/ {
    proxy_pass https://cvm23801.mygroup.net$request_uri;

    # TODO needed here ?
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # verify the Traefik certificate

    # TODO need to use own client certificate ???
    #proxy_ssl_certificate /etc/nginx/conf.d/tam-ci.pem;
    #proxy_ssl_certificate_key /etc/nginx/conf.d/tam-ci.key;

    proxy_ssl_trusted_certificate /etc/nginx/conf.d/mygroup-ca.pem;

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    #proxy_ssl_name tam-ci.bmwgroup.net;
    proxy_ssl_verify on;
    #proxy_ssl_server_name off;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    proxy_read_timeout 1800;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    send_timeout 1800;
}


Any idea why I always see this error? Or how to fix it?
The proxy_ssl_trusted_certificate is a valid certificate chain containing an intermediate as well as a root certificate (in one file).

Thanx in advance,

Torsten

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx
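
Added example, not part of either post and not nginx project code: OpenSSL verify error 20 means the issuer of a certificate in the presented chain was not found among the trusted certificates. The script builds a constructed root -> intermediate -> leaf PKI with the `openssl` CLI (assumed to be installed) and checks which pairings of trusted file and presented chain verify; all names and the `issue`/`check` helpers are hypothetical.

```shell
#!/bin/sh
# Added example: every key, name and certificate here is constructed for the demo.
set -eu
W=$(mktemp -d)
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$W/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\n' > "$W/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$W/leaf.ext"

# issue NAME ISSUER EXTFILE: ISSUER is an earlier NAME, or "self" for a root CA.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$W/req.cnf" \
        -subj "/CN=constructed $1" -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
    if [ "$2" = self ]; then
        openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days 2 \
            -extfile "$3" -out "$W/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$W/$1.csr" -CA "$W/$2.pem" -CAkey "$W/$2.key" \
            -set_serial 1 -days 2 -extfile "$3" -out "$W/$1.pem" 2>/dev/null
    fi
}
issue root self "$W/ca.ext"
issue intermediate root "$W/ca.ext"
issue leaf intermediate "$W/leaf.ext"
issue otherroot self "$W/ca.ext"
issue otherleaf otherroot "$W/leaf.ext"

# Same layout as the post's trusted file: intermediate and root in one PEM.
cat "$W/intermediate.pem" "$W/root.pem" > "$W/trusted.pem"

# check TRUSTED LEAF [CHAIN]: CHAIN holds extra certificates the peer sends.
# Prints "ok" or "<code>@<depth>" of the first OpenSSL verification error.
check() {
    out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1 || true)
    err=$(printf '%s\n' "$out" |
        sed -n 's/.*error \([0-9]*\) at \([0-9]*\) depth.*/\1@\2/p' | head -n 1)
    echo "${err:-ok}"
}

echo "leaf issued by the trusted intermediate: $(check "$W/trusted.pem" "$W/leaf.pem")"
echo "leaf issued by a CA not in the file:     $(check "$W/trusted.pem" "$W/otherleaf.pem")"
echo "root only trusted, leaf sent alone:      $(check "$W/root.pem" "$W/leaf.pem")"
echo "root only trusted, leaf + intermediate:  $(check "$W/root.pem" "$W/leaf.pem" "$W/intermediate.pem")"
```

The same `openssl verify -CAfile` call can be run against the real trusted file and the certificate the upstream actually presents to see at which depth the issuer lookup fails.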

Re: unable to get local issuer certificate

zakirenish
Did you get any fix for this? I am also having the same problem.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,287423,288956#msg-288956
