opnsense Nginx, website on synology webstation

Started by RamSense, December 23, 2020, 08:51:55 AM

Dear Fright,

I just sent you a PM with the info of openssl s_client -connect website.com:443
without TLS: Verify Certificate
and with TLS: Verify Certificate enabled.

Hope you can find what the problem is...
Deciso DEC850v2

hi
please clarify: is this a client-nginx or client-synology connection? (in the example you sent, the server correctly transmitted its certificate and the certificate of an intermediate CA).
I would like to see the client-synology connection.

My system is Opnsense -> nginx -> synology (virtual hosts)

I disabled nginx, did a port forward to the synology and ran openssl s_client -connect website.com:443

The output I have just sent in a PM to you.
Deciso DEC850v2

hi
synology behavior looks correct.
looks like some kind of obvious error in the nginx config that we are missing.
sorry if I repeat myself: do I understand correctly that now everything is working fine if upstream verification is enabled but no CA is specified in "TLS: Trusted Certificate", and stops working if you specify a CA in the settings?
then it looks like just a wrong choice of CA in "TLS: Trusted Certificate". although then the error would have to be "20:unable to get local issuer certificate" imho

Yes that is correct.
When I enable TLS Trusted certificate with the 3 certs, then only 1 site keeps working. The working one is the cert for the domain that is also the default cert on synology (by your earlier advice before the updated nginx, instead of using a self-signed cert as the default cert on synology). The other 2 stop working with the mentioned error.
You mentioned earlier that SNI could cause problems, if I remember correctly. Is that something?
Deciso DEC850v2

Quote: You mentioned earlier that SNI could cause problems, if I remember correctly. Is that something?
21.1.5 with the 1.22 nginx plugin contains fixes for the mentioned problem.
besides, if I understand correctly, the problems arise only when trying to narrow the number of trusted root CAs. if the problems were in SNI, then it would not work even with an empty "TLS Trusted certificate" field imho.
What trusted CAs do you specify in the "TLS Trusted certificate" field? maybe this is the problem?

April 25, 2021, 09:13:08 PM #66 Last Edit: April 25, 2021, 09:28:44 PM by RamSense
ok,
I specify the 3 domains on synology (and only 3 certs are used on synology). Those 3 have their own Let's Encrypt cert.
When I put only the domain that is also used for the default synology cert in TLS Trusted certificate, there is no difference: that domain (let's say site1) keeps working, the other 2 don't.

When I add all 3 domains to TLS Trusted certificate, I get the same result. That one site (site 1) keeps working, and the other 2 don't.

I tried something further. When I put 1 other domain in TLS Trusted certificate, the cert of site 2, site 1 keeps working, 2 and 3 error.

When I put site 3 in TLS Trusted certificate, then again only site 1 works.

This site 1 is also the domain mentioned in TLS: Servername override.

So it looks like no matter what I select in TLS Trusted certificate, only site 1 keeps working, suspiciously also the default synology cert.
Deciso DEC850v2

Hi
sorry, I still have the feeling that I did not fully understand your actions. for sites using LE certificates, the TLS Trusted certificate field should contain the certificate of the root certification authority that issued the certificate to the LE intermediate authority (that is, DST Root CA X3). what certificate do you specify for sites with LE certificates in TLS Trusted certificate?
maybe you can send screenshots?

April 26, 2021, 08:13:54 PM #68 Last Edit: April 28, 2021, 08:43:30 AM by RamSense
Maybe I did not understand it correctly then?

In opnsense under Trust - Authorities I have added the details of the 3 LE chain.pem files from the 3 domains.

Those site1chain.pem, site2chain.pem and site3chain.pem are the only 3 I can select at nginx - configuration - upstream - TLS: Trusted Certificate.

But your text
Quote: DST Root CA X3
: do you mean that I only select 1 chain.pem? and that that is the info from LE? So in opnsense I add one more Trust Authority, like from this url: https://letsencrypt.org/certs/trustid-x3-root.pem.txt
and I select that one in TLS: Trusted Certificate?

Or ?

---- addon
I added the info from https://letsencrypt.org/certs/trustid-x3-root.pem.txt to opnsense trust-authorities and then selected in nginx - configuration - upstream - TLS: Trusted Certificate -<selected this trustid-x3 I just added to opnsense>

And all 3 sites work like they should. I hope I did follow you correctly and this was what I was doing wrong. (?)
Deciso DEC850v2

hi
glad it works
Quote: I hope I did follow you correctly and this was what I was doing wrong. (?)
maybe those "site1chain.pem, site2chain.pem and site3chain.pem" did not contain the root cert?
then this could be the reason

Well it works, or it looks like it works :-) (is there a verification method?)
What I do not understand is that with site1chain.pem, site2chain.pem and site3chain.pem, no matter which chain pem I selected in TLS: Trusted Certificate, only the default synology cert, say site1chain.pem, kept working and not the other 2.... Would it then not be more "logical" that site1 should also stop working when selecting one of those in TLS: Trusted Certificate??

Quote: maybe those "site1chain.pem, site2chain.pem and site3chain.pem" did not contain the root cert?
How can I verify this? I have those Let's Encrypt certs created in synology for that specific domain/site. Then I have exported the cert and put the info in opnsense trust authorities and certificate.
Deciso DEC850v2

Quote: I have those Let's Encrypt certs created in synology for that specific domain/site
then it probably is. the chain on the server usually does not need to contain the root certificate, only the endpoint certificate and the intermediate authority certificate.
Quote: How can I verify this?
can try to look in the pem-file. does it contain the certificate from https://letsencrypt.org/certs/trustid-x3-root.pem.txt ?

Quote: Well it works, or it looks like it works :-) (is there a verification method?)
can try to change the certificate on the web-server to some non-LE cert, or a cert with a CN\SAN that does not match the TLS: Servername override field, and check the result )

April 28, 2021, 09:21:31 PM #72 Last Edit: April 28, 2021, 09:26:43 PM by RamSense
Thanks for explaining.

Quote: can try to look in the pem-file. does it contain the certificate from https://letsencrypt.org/certs/trustid-x3-root.pem.txt ?
-> no, the info from the pem-file is different from the info in https://letsencrypt.org/certs/trustid-x3-root.pem.txt

Quote: can try to change the certificate on the web-server
I changed the cert on the synology part to a self-signed cert for a domain, but no difference. The site loaded with the correct LE cert for that domain... Then I changed the cert in opnsense-nginx-HTTPserver to a cert for another domain, so like I gave site2 the cert for site1. And loaded the site. Then I noticed that the site was given cert1. So that change worked... Can it be that nginx on the opnsense part overrides / makes the synology cert obsolete?
Deciso DEC850v2

Quote: Can it be that nginx on the opnsense part overrides / makes the synology cert obsolete?
when a client accesses the site through nginx, the client sees the certificate that nginx provides. only nginx itself "sees" the certificate that the upstream provides.
Quote: I changed the cert on the synology part to a self-signed cert for a domain, but no difference
if you change the certificate on synology web to a certificate with a mismatched name (in CN\SAN, compared with the TLS: Servername override field) or one not signed by a root from the list in TLS Trusted certificate, access to the site through nginx should stop working
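The two checks Fright suggests (does the exported pem-file contain the root, and does verification fail once the upstream name or issuer no longer matches) and the earlier advice that TLS: Trusted Certificate must hold the root CA rather than the exported chain can all be reproduced offline with openssl. The script below is an added example, not code from either poster or from the OPNsense nginx plugin. It builds a throw-away root -> intermediate -> leaf PKI with made-up names (Test Root CA, Test Intermediate CA, site1.example); `verify_upstream` stands in for the check nginx performs on the upstream certificate (chain to a trusted root, name in CN/SAN) and is an approximation, not the plugin's own code.

```shell
#!/bin/sh
# Added example (not from the thread or the OPNsense nginx plugin): a throw-away
# PKI built with openssl to show what "TLS: Trusted Certificate" has to contain.
# All names (Test Root CA, Test Intermediate CA, site1.example) are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_pki: root CA -> intermediate CA -> leaf for site1.example.
# chain.pem holds leaf + intermediate only, which is what a web server (or a
# Synology certificate export) normally carries: the root is not part of it.
make_pki() {
    cd "$WORK"
    # minimal req config so the script does not depend on the system openssl.cnf
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf
    printf 'basicConstraints = critical,CA:true\nkeyUsage = critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints = CA:false\nsubjectAltName = DNS:site1.example\n' > leaf.ext
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Test Root CA" -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Test Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
        -extfile ca.ext -out int.pem 2>/dev/null
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=site1.example" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 30 \
        -extfile leaf.ext -out leaf.pem 2>/dev/null
    cat leaf.pem int.pem > chain.pem
}

# count_certs FILE: how many PEM certificates the file carries
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# chain_contains CERT.pem CHAIN.pem: succeeds if the SHA-256 fingerprint of CERT
# matches one of the certificates inside CHAIN (the "is the root in there?" check)
chain_contains() {
    want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    rm -f "$WORK"/part*.pem
    awk -v dir="$WORK" '/BEGIN CERTIFICATE/ { n++ } { print > (dir "/part" n ".pem") }' "$2"
    for f in "$WORK"/part*.pem; do
        [ "$(openssl x509 -in "$f" -noout -fingerprint -sha256 2>/dev/null)" = "$want" ] && return 0
    done
    return 1
}

# verify_upstream TRUST.pem NAME: approximates the nginx upstream check, i.e.
# TRUST.pem plays "TLS: Trusted Certificate" and NAME plays "TLS: Servername override".
# The served chain (leaf + intermediate) is offered as untrusted material only.
verify_upstream() {
    openssl verify -CAfile "$1" -untrusted "$WORK/chain.pem" \
        -verify_hostname "$2" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_pki
echo "certificates in chain.pem: $(count_certs "$WORK/chain.pem")"
if chain_contains "$WORK/root.pem" "$WORK/chain.pem"; then
    echo "chain.pem contains the root certificate"
else
    echo "chain.pem does NOT contain the root certificate (the usual case)"
fi
for case in "root.pem site1.example" "root.pem site2.example" "chain.pem site1.example"; do
    set -- $case
    if verify_upstream "$WORK/$1" "$2"; then r=OK; else r=FAIL; fi
    echo "trusted=$1 servername=$2 -> $r"
done
```

Only the first case passes: the root as trust anchor plus the name the leaf actually carries. A wrong name fails on the CN/SAN check, and using the exported chain.pem as the trust anchor fails because the chain never reaches a self-signed root, which is the same reason the exported site chains could not serve as "TLS: Trusted Certificate" in the thread.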

April 28, 2021, 09:48:25 PM #74 Last Edit: April 28, 2021, 09:51:47 PM by RamSense
Quote: if you change the certificate on synology web to a certificate with a mismatched name (compared with the TLS: Servername override field)
that was it! as long as the cert for the server name override was correct, the site keeps working. when I set that (the TLS: Servername override field) to the changed site with the wrong cert, the site stopped working as you described and as it should.
Thanks! I understand now how it works.

I have now also changed the default cert for synology back to the self-signed cert and the sites keep working as they should. Great feeling!

And thank you for making those updates to opnsense/nginx.
Deciso DEC850v2