NGINX error after upgrade to 20.7.8

Started by firewall, January 19, 2021, 11:13:08 PM

February 10, 2021, 04:56:27 PM #30 Last Edit: February 10, 2021, 05:03:17 PM by muchacha_grande
Global Error Log is full of "signal process started" messages. One per minute.
The HTTP Error Log has many of these messages:

If I select the appropriate CA:
1 upstream SSL certificate verify error: (2:unable to get issuer certificate) while SSL handshaking to upstream, client: x.x.x.x, server: cloud.xxxx.com, request: "GET /login HTTP/2.0", upstream: "https://y.y.y.y:443/login", host: "cloud.xxxx.com"

And if I uncheck all CAs the error is:
1 upstream SSL certificate does not match "upstream0768447a263a475ab813a0e17926c340" while SSL handshaking to upstream, client: x.x.x.x, server: cloud.xxxx.com, request: "GET /login HTTP/2.0", upstream: "https://y.y.y.y:443/login", host: "cloud.xxxx.com"

February 10, 2021, 05:05:15 PM #31 Last Edit: February 10, 2021, 05:34:34 PM by Fright
So verification works.
Quote: (2:unable to get issuer certificate
nginx cannot build a chain to a trusted CA certificate from the upstream cert.
Is the certificate of the certification authority in the trusted list?
How long is the chain from the root certificate to the upstream certificate?

Quote: upstream SSL certificate does not match "upstream0768447a263a475ab813a0e17926c340" while SSL
Add the upstream name from the cert to **TLS: Servername override**
https://github.com/opnsense/docs/pull/305/files

Quote from: Fright on February 10, 2021, 05:34:08 PM
add upstream name from cert to **TLS: Servername override**
https://github.com/opnsense/docs/pull/305/files

This worked. So now I have no CA checked and use the server override.
Still not working if I check a CA.

Quote from: Fright on February 10, 2021, 05:05:15 PM
is the certificate of the certification authority in the trusted list?

It is. It's a Let's Encrypt certificate. I imported the CA and the certificate in OPNsense.

Quote from: Fright on February 10, 2021, 05:05:15 PM
how long is the chain from the root certificate to the upstream certificate?

It's a Let's Encrypt certificate directly signed by the Let's Encrypt authority.

Quote: Let's Encrypt authority
The LE CA is not a root CA, AFAIK.
You need to add DST Root CA X3 (or whatever the root CA for LE certs is) to System: Trust: Authorities and select this CA in the upstream.

Quote from: Fright on February 10, 2021, 06:45:01 PM
LE CA is not root CA afaik
need to add DST Root CA X3 (or what is root CA for LE certs) to System: Trust: Authorities and select this CA in upstream

You are right. I checked the certificate chain and it ends at DST Root CA X3. So I did what you pointed out and now it's working.
Thank you very much @Fright for your help.

Best regards.
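The nginx directives behind the two settings this thread ends up changing (the trusted CA for upstream verification and the Servername override), as an added example written for this post, not the OPNsense nginx plugin's generated config; file paths, the upstream block name and hostnames are placeholders:

```nginx
# Added example, not the OPNsense plugin's generated config.
# Paths, upstream name and hosts are placeholders (hosts/IPs as in the thread).
upstream cloud_backend {
    server y.y.y.y:443;
}

server {
    listen 443 ssl http2;
    server_name cloud.xxxx.com;
    ssl_certificate     /usr/local/etc/nginx/cloud.crt;   # placeholder path
    ssl_certificate_key /usr/local/etc/nginx/cloud.key;   # placeholder path

    location / {
        proxy_pass https://cloud_backend;

        # Verify the upstream's certificate. nginx must then be able to
        # build a chain from the upstream leaf up to a certificate listed
        # in the trusted file.
        proxy_ssl_verify on;

        # Wrong: trusting only the Let's Encrypt issuing (intermediate) CA.
        # The chain never reaches a self-signed certificate in this file,
        # so nginx logs "(2:unable to get issuer certificate)".
        # proxy_ssl_trusted_certificate /usr/local/etc/nginx/le-intermediate.pem;

        # Right: trust the root the chain actually ends at (DST Root CA X3
        # in the thread) and allow depth for root -> intermediate -> leaf.
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/dst-root-ca-x3.pem;
        proxy_ssl_verify_depth 2;

        # Without proxy_ssl_name, nginx checks the certificate against the
        # upstream block name ("upstream0768..." in the thread's log) and
        # logs "upstream SSL certificate does not match". Send and verify
        # the name from the certificate instead (the plugin's
        # "TLS: Servername override").
        proxy_ssl_server_name on;
        proxy_ssl_name cloud.xxxx.com;
    }
}
```

Note that DST Root CA X3 expired in September 2021 and Let's Encrypt chains now end at ISRG Root X1, so the root to trust depends on which chain the upstream currently serves.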