NGINX error after upgrade to 20.7.8

Started by firewall, January 19, 2021, 11:13:08 PM

Quote from: Fright on January 25, 2021, 10:13:13 AM
@marinbernard-pep06
hi.
Quote: upstream SSL certificate does not match "upstream5959918e46f84fbb8bbf02dc24f2bbc5"
since nginx plugin uses upstreams with uniform names, for verification to work you need to specify the name in the "TLS: Servername override" field so that nginx compares the name in the certificate with this name, not with the name of the upstream with UID ("upstream5959918e46f84fbb8bbf02dc24f2bbc5" in your case). should work then.
this is not a bug, this is how it should work imho
Hi,
I don't think so: our config used to work before the update, and stopped working after. Our upstream references several upstream servers, each of them using an individual certificate matching its real host name. Forcing the use of a single SNI would mean re-issuing certificates for all those hosts. This is a no-go for us.
--
Marin BERNARD
System administrator

January 25, 2021, 03:22:09 PM #16 Last Edit: January 25, 2021, 03:25:03 PM by Fright
Quote: I don't think so: our config used to work before the update
it's because upstream verifying did not work at all before 1.20 )
https://github.com/opnsense/plugins/blob/master/www/nginx/pkg-descr
the proxy_ssl_verify directive was missing
Quote: Our upstream references several upstream servers, each of them using an individual certificate matching its real host name. Forcing the use of a single SNI would mean re-issuing certificates for all those hosts. This is a no-go for us.
yep, and if you want to verify upstreams or your upstreams strictly check SNI headers (like WAP\ADFS do) you will have to make separate upstreams for each.

Quote from: Fright on January 25, 2021, 03:22:09 PM
yep, and if you want to verify upstreams or your upstreams strictly checks SNI headers (like WAP\ADFS do) you will have to make separate upstreams for each.
It seems nginx works quite differently than HAProxy regarding TLS validation. With nginx, the validated SNI is the one set on the upstream, not on the upstream server. HAProxy does exactly the contrary. This comment from the nginx support team might help people dealing with the same problem.

Thank you for your help!
--
Marin BERNARD
System administrator

Quote: With nginx, the validated SNI is the one set on the upstream, not on the upstream server.
technically nginx does it in the location block (or in server block for streams) (only the plugin GUI does it in upstream. imho there is logic in this, but it is a little confusing)
Quote: HAProxy does exactly the contrary
it always takes time to switch brains when working with both)
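To make the point above concrete, here is an added example (written for this thread, not configuration produced by the OPNsense nginx plugin or posted by anyone here) of how plain nginx expresses it: the name checked against the backend certificate is set with proxy_ssl_name in the location block, so two backends whose certificates carry different names need two upstreams. Backend hostnames, addresses and file paths are placeholders.

```nginx
# Added example; hostnames, addresses and paths are placeholders.
# Without proxy_ssl_name, nginx compares the backend certificate
# against $proxy_host, i.e. the upstream's name (the plugin's
# "upstream<UID>"), which is exactly the mismatch seen in this thread.

upstream app1_backend {
    server 10.0.0.11:443;
}
upstream app2_backend {
    server 10.0.0.12:443;
}

server {
    listen 443 ssl;
    server_name proxy.example.test;
    ssl_certificate     /usr/local/etc/nginx/placeholder-frontend.crt;
    ssl_certificate_key /usr/local/etc/nginx/placeholder-frontend.key;

    location /app1/ {
        proxy_pass https://app1_backend;
        proxy_ssl_verify on;                   # the directive missing before plugin 1.20
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/ca/internal-ca.pem;
        proxy_ssl_server_name on;              # send SNI to the backend
        proxy_ssl_name app1.internal.example.test;  # name the backend cert must match
    }

    location /app2/ {
        proxy_pass https://app2_backend;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/ca/internal-ca.pem;
        proxy_ssl_server_name on;
        proxy_ssl_name app2.internal.example.test;  # a different name, hence a separate upstream
    }
}
```

In the plugin GUI the "TLS: Servername override" field on an upstream is what ends up as proxy_ssl_name, which is why one upstream can only verify one certificate name.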

Quote from: Tubs on January 23, 2021, 04:58:11 AM
Quote from: Fright on January 20, 2021, 02:24:43 PM
@Tubs
have you tried not to select CAs in TLS:Trusted Certificate in Upstream config page?
should work if the upstream cert's issuing CA is in the trusted store on OPN and nginx is happy on cert check

I could not reproduce anymore.

One day after I went back to nginx 1.19, OPNsense automatically updated again to version 1.20. But it is running now. I guess the fix already was implemented.

The issue popped up again when I updated to 21.1.
Yes, when I untick "check trusted certificate" all is working again.

Quote from: Fright on January 20, 2021, 02:24:43 PM
made a PR for quick fix
https://github.com/opnsense/plugins/pull/2198
works well on test VM

Hi -- doesn't look like this fix has made it in yet, correct? After updating to 20.7.8_4, I had to revert nginx to 2.19 again.

hi
yes. not ready yet
no need to revert. you can uncheck all CAs in "TLS: Trusted Certificate" for Upstreams or uncheck "TLS: Verify Certificate" temporarily

Fabian isn't responding at the moment. :(

I merged it now so it'll be in 21.1.1 ....


Sorry,
Franco

I hope everything is fine.. forum profile shows activity today

thanks!!

After updating to 21.1.1 the problem is still there.
I've tested checking "TLS: Verify Certificate" with and without "TLS: Trusted Certificate".
For now I leave tls verification off.

Best regards...

@muchacha_grande
what is the exact error?
Quote: with and without "TLS: Trusted Certificate".
most likely a misconfig

Hi @Fright, I mean that I tested checking the appropriate CA and then unchecking all CAs as you pointed:

Quote from: Fright on January 31, 2021, 07:29:27 AM
hi
yes. not ready yet
no need to revert. you can uncheck all CAs in "TLS: Trusted Certificate" for Upstreams or uncheck "TLS: Verify Certificate" temporarily

Unchecking "TLS: Verify Certificate" is still the only workaround for me.

Hi
it is difficult to assume something without knowing the error
is it "upstream SSL certificate does not match" or "pem file not found"?
pem-file generation should be fixed in 21.1.1.


Is there some log or debug information? I can check.

Services: Nginx: Logs::Global Error Log
Services: Nginx: Logs::HTTP Error Logs