NGINX error after upgrade to 20.7.8

Started by firewall, January 19, 2021, 11:13:08 PM

Hi all,

NGINX fails with the following message after I upgraded to 20.7.8:

SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_***GUID***.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)

Any suggestions for how I might rectify?


January 20, 2021, 06:46:25 AM #2 Last Edit: January 20, 2021, 11:12:07 AM by Fright
certificate validation of upstreams is working now. so nginx starts to load trust_upstream_* certs.
is the pem-file in place?
what's your nginx config? (is it http or stream?)
(maybe a problem with setup.php? try to uncheck "tls verify" in upstream config or don't select any in TLS:Trusted cert)

January 20, 2021, 02:14:30 PM #3 Last Edit: January 20, 2021, 02:18:27 PM by Tubs
I have exactly the same issue. OPNsense updated to 20.1.8 and nginx is not starting anymore.

2021/01/20 22:03:14 [emerg] 95587#100595: SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_228ce5a1-*****.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)

The file mentioned in the log does not exist. But I have no clue how to figure out where it should belong to. I have a couple of upstreams and a couple of servers defined. So far nothing suspicious detected. But I have no idea where to search.

Quote from: mimugmail on January 20, 2021, 06:22:53 AM
opnsense-revert -r 20.7.7 os-nginx

Does this fix it?

Yes. In my case it helped. Nginx is running again.

January 20, 2021, 02:24:43 PM #4 Last Edit: January 20, 2021, 04:17:12 PM by Fright
made a PR for quick fix
https://github.com/opnsense/plugins/pull/2198
works well on test VM
@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

Quote from: mimugmail on January 20, 2021, 06:22:53 AM
opnsense-revert -r 20.7.7 os-nginx

Does this fix it?

It did, yes.  Thank you @mimugmail!! 

Hopefully the pull mentioned above will address whatever the issue was during future version upgrades.

As a workaround I turned off "TLS: Verify Certificate" on the upstream. It is not recommended, but...

Quote from: Fright on January 20, 2021, 02:24:43 PM
made a PR for quick fix
https://github.com/opnsense/plugins/pull/2198
works well on test VM
@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

Thx, wasn't aware kulikov is you :)

Quote: Thx, wasn't aware kulikov is you
;D thinking about changing name on forum (i don't even remember where it came from once) ;)


Quote from: Fright on January 20, 2021, 02:24:43 PM
@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

I could not reproduce anymore.

One day after I went back to nginx 1.19, opnsense automatically updated again to version 1.20. But it is running now. I guess the fix already was implemented.

@Tubs
hmm. a little weird. I think that for this it was necessary either to press "check for updates" or execute "# opnsense-revert os-nginx". and there was no fix yet.
but glad it works anyway)
@mimugmail
Quote: Don't ask me about "mimugmail"
;D ;)

Quote from: Fright on January 23, 2021, 06:10:34 AM
@Tubs
hmm. a little weird. I think that for this it was necessary either to press "check for updates" or execute "# opnsense-revert os-nginx".

It is possible that I have done this. If so, for a different reason. I cannot remember. But in every case I did not confirm any upgrade process.

Hi,

We're experiencing another (probably related) issue since the update to 20.7.8. The log states:

*1 upstream SSL certificate does not match "upstream5959918e46f84fbb8bbf02dc24f2bbc5" while SSL handshaking to upstream, client: 10.6.97.138, server: server.domain, request: "GET / HTTP/2.0", upstream: "https://10.6.105.115:443/", host: "server.domain:444"

I disabled certificate validation but did not revert to a previous version. Certificate validation is failing even when no specific CA is selected in the UI. The whole TLS chain is already present in OPNsense certificate store. The only constraint we add is chain depth = 2. Removing it does not help either.
--
Marin BERNARD
System administrator

@marinbernard-pep06
hi.
Quote: upstream SSL certificate does not match "upstream5959918e46f84fbb8bbf02dc24f2bbc5"
since the nginx plugin uses upstreams with uniform names, for verification to work you need to specify the name in the "TLS: Servername override" field so that nginx compares the name in the certificate with this name, not with the name of the upstream with UID ("upstream5959918e46f84fbb8bbf02dc24f2bbc5" in your case). should work then.
this is not a bug, this is how it should work imho

---
but
if you use Name-based virtual hosts, then imho a situation is possible (depends on SNI implementation on backend) when this will not be enough and you will need to enable "TLS SNI Forwarding" on location but SNI does not work quite correctly for now (mentioned in the PR). waiting for review and permissions to add a SNI fix to PR to fix both issues at once
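For readers trying to map the UI fields discussed in this thread to nginx, here is an added illustration of what the plugin's "TLS: Verify Certificate", "TLS: Servername override" and "TLS SNI Forwarding" options correspond to in raw nginx directives. This is not the plugin's generated config; the backend hostname and the trust-file UID are assumed placeholders.

```nginx
# Added example, not the os-nginx plugin's own output. The upstream name is the
# uniform UID-style name the plugin generates (taken from the log line above);
# backend.example.org and <UID> are assumed placeholders.
upstream upstream5959918e46f84fbb8bbf02dc24f2bbc5 {
    server 10.6.105.115:443;
}

server {
    listen 444 ssl http2;
    server_name server.domain;

    location / {
        proxy_pass https://upstream5959918e46f84fbb8bbf02dc24f2bbc5;

        # "TLS: Verify Certificate": verify the upstream's chain. The trust file
        # must exist and hold at least one PEM certificate, otherwise nginx fails
        # at startup with the SSL_CTX_load_verify_locations error from the first post.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/key/trust_upstream_<UID>.pem;

        # "TLS: Servername override": by default nginx checks the certificate
        # against $proxy_host, i.e. the upstream block name, which produces
        # "upstream SSL certificate does not match "upstream5959...". Setting
        # proxy_ssl_name to the hostname actually present in the backend cert
        # makes the hostname check pass.
        proxy_ssl_name backend.example.org;

        # "TLS SNI Forwarding": send that same name as SNI so a name-based
        # virtual host on the backend presents the matching certificate.
        proxy_ssl_server_name on;
    }
}
```

Disabling proxy_ssl_verify (the workaround used earlier in the thread) removes both the chain and hostname checks, so the upstream is no longer authenticated; setting proxy_ssl_name keeps verification on while fixing the name mismatch.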