NGINX error after upgrade to 20.7.8

[Marin BERNARD]

@marinbernard-pep06
hi.

upstream SSL certificate does not match "upstream5959918e46f84fbb8bbf02dc24f2bbc5"

since nginx plugin uses upstreams with uniform names, for verification to work you need specify the name in the "TLS: Servername override" field so that nginx compares the name in the certificate with this name, not with the name of the upstream with UID ("upstream5959918e46f84fbb8bbf02dc24f2bbc5" in your case). should work then.
this is not a bug, this is how it should work imho

Hi,
I don't think so: our config used to work before the update, and stopped working after. Our upstream references several upstream servers, each of them using an individual certificate matching its real host name. Forcing the use of a single SNI would mean re-issuing certificates for all those hosts. This is a no-go for us.

[Fright]

I don't think so: our config used to work before the update

its because upstream verifying not worked at all before 1.20 )
https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
proxy_ssl_verify directive was missing

Our upstream references several upstream servers, each of them using an individual certificate matching its real host name. Forcing the use of a single SNI would mean re-issuing certificates for all those hosts. This is a no-go for us.

yep, and if you want to verify upstreams or your upstreams strictly checks SNI headers (like WAP\ADFS do) you will have to make separate upstreams for each.

[Marin BERNARD]

yep, and if you want to verify upstreams or your upstreams strictly checks SNI headers (like WAP\ADFS do) you will have to make separate upstreams for each.

It seems nginx works quite differently than HAProxy regarding TLS validation. With nginx, the validated SNI is the one set on the upstream, not on the upstream server. HAProxy does exactly the contrary. This comment from the nginx support team might help people dealing with the same problem.

Thank you for your help!

[Fright]

With nginx, the validated SNI is the one set on the upstream, not on the upstream server.

technically nginx does it in the location block (or in server block for streams) (only the plugin GUI does it in upstream. imho there is logic in this, but is a little confusing)

HAProxy does exactly the contrary

it always takes time to switch brains when working with both)

[Tubs]

@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if upstream cert issued CAs is in trusted store on OPN and nginx is happy on cert check

I could not reproduce anymore.

One day after I went back to to nginx 1.19 opnsense automatically updated again to version 1.20. But it is running now. I guess the fix already was implemented.

The issue popped up again when I updated to 21.1.
Yes, when I untick "check trusted certificate" all is working again.

[Grossartig]

made a PR for quck fix
https://github.com/opnsense/plugins/pull/2198
works well on test VM

Hi -- doesn't look like this fix has made it in yet, correct? After updating to 20.7.8_4, I had to revert nginx to 2.19 again.

[Fright]

hi
yes. not ready yet
no need to revert. you can uncheck all CAs in "TLS: Trusted Certificate" for Upstreams or uncheck "TLS: Verify Certificate" temporary

[franco]

Fabian isn't responding at the moment.

I merged it now so it'll be in 21.1.1 ....


Sorry,
Franco

[Fright]

I hope everything is fine..forum profile shows activity today

thanks!!

[muchacha_grande]

After updating to 21.1.1 the problem is still there.
I've tested checking "TLS: Verify Certificate" with and without "TLS: Trusted Certificate".
For now I leave tls verification off.

Best regards...

[Fright]

@muchacha_grande
what is the exact error?

with and without "TLS: Trusted Certificate".

most likely a missconfig

[muchacha_grande]

Hi @Fright, I mean that I tested checking the appropriate CA and then unchecking all CAs as you pointed:

hi
yes. not ready yet
no need to revert. you can uncheck all CAs in "TLS: Trusted Certificate" for Upstreams or uncheck "TLS: Verify Certificate" temporary

Unchecking "TLS: Verify Certificate" is still the only workaround for me.

[Fright]

Hi
it is difficult to assume something without knowing the error
is it "upstream SSL certificate does not match" or "pem file not found".
pem-file generation should be fixed in 21.1.1.

[muchacha_grande]

Is there some log or debug information? I can check.

[Fright]

Services: Nginx: Logs::Global Error Log
Services: Nginx: Logs::HTTP Error Logs