opnsense Nginx, website on synology webstation

Started by RamSense, December 23, 2020, 08:51:55 AM

@Fabian
Strange things here. All was working fine until I did the update to OPNsense 20.7.8. I read in the update notes that nginx 1.20 is included.
What happens is: before the update, all nginx proxying to the HTTPS website on the Synology was working, thanks to your help. I did an update to OPNsense 20.7.8 last night and made no other changes to the config. Then, after the update, the website is no longer accessible.
I did another reboot of OPNsense, but still no difference. This error appears when going to the website URL:
------
Server Error

Sorry, but something went wrong on our side.

There is nothing you can do except waiting until we fix the issue.
Web Application Protection by OPNsense
-----

What is going wrong? An error in the update? Or is there something with nginx 1.20 that I have to add to the configuration because of this update?

Thank you in advance for your help!
Deciso DEC850v2

Is upstream cert verify enabled?
Is a trusted cert defined?

TLS: Verify Certificate -> enabled

TLS: Trusted Certificate -> nothing selected
Deciso DEC850v2

TLS: Verify Certificate -> when disabled the site loads again?
Deciso DEC850v2

Quote: Trusted Certificate -> nothing selected
Quote: Verify Certificate -> when disabled the site loads again
Good.
Are the upstream cert's issuing CA certs added to the trust store on OPN?

Under System - Trust - Authorities: domain chain PEM listed.
Under System - Trust - Certificates: domain cert listed.

Before the update of OPNsense the site was working.....
Deciso DEC850v2

January 20, 2021, 12:15:40 PM #21 Last Edit: January 20, 2021, 02:02:15 PM by Fright
Quote: before the update of OPNsense the site was working.
Upstream verification didn't work until 1.20.
It would be great to know what the errors are in the logs.
Is it "upstream SSL certificate verify error" or something else?
Quote: domain chain PEM listed
Sorry, are these the certs used by nginx or the certs used by the upstream (backend)?


Sorry,
cert for the upstream: configured under Nginx - Configuration - HTTP Server; TLS Certificate and Client CA Certificate selected with the cert of the domain running on Synology Web Station.

The global error log is only showing: signal process started

"upstream verification didn't work until 1.20."
Maybe that is what I have to configure? How can I add this?
Deciso DEC850v2

If I understood you correctly, since it starts to work with TLS: Verify unchecked, it should be something with the upstream settings or a plugin issue.
For now, the plugin issue I know about is empty trust_upstream_*.pem files (and an error on nginx loading, so nginx does not load at all) when trusted CAs are selected in TLS: Trusted Certificate.
Since you don't use it, I assume that your settings could not work with upstream verification. Before, this function did not work in the plugin itself, so it did not cause problems.
Now it is enabled, but the settings do not allow the upstream certificate to be verified by nginx.
Quote: global error log is only showing: signal process started
Please look at Logs - HTTP Error logs - YourHTTPServer.
Quote: Maybe that is what I have to configure? How can I add this?
It's enabled by default. Configuration - Upstream - YourUpstream - Advanced Mode - TLS: Verify Certificate

January 20, 2021, 06:32:21 PM #24 Last Edit: January 20, 2021, 06:34:59 PM by RamSense
That is correct: "when the trusted CAs are selected in TLS: Trusted Certificate".
As soon as I select the CAs for the sites and refresh nginx, it stops!

Is this a bug? Is there a solution? So I understand I have to select the CAs and then it should work with upstream verification, which was empty in my config and did work with the version before 1.20. Now with 1.20 this is available, and I have to select the upstream CAs, and nginx stops working when they are added.

Error log: I see these: upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client:
Deciso DEC850v2

Quote: is this a bug? is there a solution?
I hope @fabian is already aware of the problem and it will be fixed.
Quote: Now with 1.20 this is available and I have to select the upstream CAs and nginx stops working when added
Not really. The ability to select CA certificates in this field is provided to restrict trust in an upstream certificate to only the selected CAs.
You can (and should, imho, until the bug is fixed) leave this field blank ("Nothing selected"), and then the plugin will point nginx to the /etc/ssl/cert.pem file, i.e. all OS trusted roots plus the CAs from System->Trust.
Quote: unable to get local issuer certificate
It looks like the trust store is missing one or more CA certificates for your Synology cert (maybe the intermediate CA).
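The verify error quoted above (OpenSSL error 20, "unable to get local issuer certificate") is what nginx reports when the trust store it was pointed at cannot complete the chain from the upstream's leaf certificate to a trusted root. The following script is an added illustration, not part of the thread and not OPNsense or plugin code: it builds a constructed three-tier chain (root CA, intermediate CA, leaf for the assumed name nas.example.internal) with the openssl CLI and then runs `openssl verify` three ways, which is the same check nginx performs during the upstream handshake. Against the root alone the leaf fails with error 20; against a bundle holding root plus intermediate it passes; and against the root alone it also passes when the intermediate is supplied as an "untrusted" chain certificate, which is what happens when the upstream server sends its full chain instead of only the leaf.

```shell
#!/bin/sh
# Added example: reproduce and resolve OpenSSL/nginx verify error 20
# ("unable to get local issuer certificate") with a constructed CA chain.
# Requires the openssl CLI (1.1.1 or 3.x). Everything is generated in a
# temporary directory; nothing on the page is reused here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: CA certificates must carry basicConstraints CA:TRUE,
# the leaf is a plain server certificate (name is an assumption).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
subjectAltName=DNS:nas.example.internal
EOF

# Root CA: self-signed via "x509 -req -signkey" so the extfile applies on
# both OpenSSL 1.1.1 and 3.x without relying on -addext.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 2 \
  -extfile ca.ext 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out int.crt -days 2 -extfile ca.ext 2>/dev/null

# Leaf (what the upstream web server would present), signed by the intermediate.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=nas.example.internal" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -out leaf.crt -days 2 -extfile leaf.ext 2>/dev/null

# A trust store that contains root AND intermediate, like a CA bundle
# that has the issuer of the leaf added to it.
cat root.crt int.crt > bundle.pem

# chain_ok STORE [UNTRUSTED]: exit 0 when leaf.crt verifies against STORE.
# The optional second argument plays the role of chain certificates sent
# by the server during the handshake (not trusted, only used for building).
chain_ok() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1
  fi
}

# verify_error STORE: the OpenSSL reason text of a failed verification
# (e.g. "unable to get local issuer certificate"), empty when it succeeds.
verify_error() {
  openssl verify -CAfile "$1" leaf.crt 2>&1 \
    | sed -n 's/.*error [0-9][0-9]* at [0-9][0-9]* depth lookup: *//p' \
    | head -n 1
}

# Stand-alone demonstration of the three cases.
if chain_ok root.crt; then echo "root only, leaf only: OK"; \
else echo "root only, leaf only: FAIL ($(verify_error root.crt))"; fi
if chain_ok bundle.pem; then echo "root+intermediate in store: OK"; \
else echo "root+intermediate in store: FAIL"; fi
if chain_ok root.crt int.crt; then echo "root in store, intermediate sent by server: OK"; \
else echo "root in store, intermediate sent by server: FAIL"; fi
```

The first case is the situation described in the thread: the leaf alone reaches nginx, the store knows only the root (or not even that), and the chain cannot be built. Either fix resolves it; adding the missing intermediate (or root) under System->Trust corresponds to the second case, while configuring the upstream web server to send its full chain corresponds to the third.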



Hmm.. So I have to leave "TLS: Trusted Certificate" blank for now and disable TLS: Verify Certificate?
And wait for the fix?
Deciso DEC850v2

January 20, 2021, 07:53:23 PM #27 Last Edit: January 20, 2021, 07:57:00 PM by Fright
Sorry for the unclear wording :)
You can use upstream verify right now,
but only with a blank "TLS: Trusted Certificate" (i.e. verify the upstream cert against the whole trust store: OS trusts and System->Trust of OPNsense).
The "unable to get local issuer certificate" error is not a plugin error but a misconfiguration, imho.
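For readers who want to see what the two plugin settings discussed here translate to, the fragment below is an added illustration of the standard nginx upstream TLS directives, not the plugin's generated configuration and not from the thread. The upstream name, the backend address 192.0.2.10 and the server name nas.example.org are assumptions; the directive names are nginx's own. The first location shows the weak setting (verification off, which is what unchecking "TLS: Verify Certificate" amounts to), the second shows verification against the full OS store plus System->Trust, i.e. /etc/ssl/cert.pem as described above, and the third shows the restrictive variant, trusting only a single selected CA file.

```nginx
# Added example of the directives behind "TLS: Verify Certificate" and
# "TLS: Trusted Certificate". Names and addresses are assumptions.
upstream synology_webstation {
    server 192.0.2.10:443;          # assumed backend address
}

server {
    listen 443 ssl;
    server_name nas.example.org;    # assumed public name

    # Weak: the upstream certificate is accepted without any check.
    location /unverified/ {
        proxy_pass https://synology_webstation;
        proxy_ssl_verify off;
    }

    # Recommended in the thread while the plugin bug stands: verify against
    # the whole trust store (OS roots plus CAs imported under System->Trust).
    location / {
        proxy_pass https://synology_webstation;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;               # leaf -> intermediate -> root
        proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
        proxy_ssl_server_name         on;              # send SNI to the backend
        proxy_ssl_name                nas.example.org; # name the backend cert must match
    }

    # Restrictive: only the selected CA (file path assumed) may have issued
    # the upstream certificate; this is what a non-blank "Trusted Certificate"
    # is meant to produce, and its trust file must not be empty.
    location /pinned/ {
        proxy_pass https://synology_webstation;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/trust_upstream_example.pem;
        proxy_ssl_server_name         on;
        proxy_ssl_name                nas.example.org;
    }
}
```

With `proxy_ssl_verify on`, nginx logs exactly the "upstream SSL certificate verify error" quoted earlier in the thread whenever the chain cannot be completed from the trusted file, so the error message rather than a blank page tells you which side is misconfigured.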

Ah ok.. That sounds logical.
So the fact that my site gives the error is because the web server has a cert that is not added in OPNsense?
I have all certs added (Let's Encrypt on my Synology Web Station), also to my OPNsense. Only the internal Synology cert is not on the OPNsense. But I can't see why that would cause the problem; it is internal / no authority / not Let's Encrypt.
Deciso DEC850v2

Quote: Only the internal Synology cert
Sorry, where is this certificate used?
When you access your Synology directly, what cert do you see in your browser?
LE?
So Let's Encrypt Authority and DST Root CA X3 (or whatever root was used when the cert was renewed) should be in System->Trust.