<!DOCTYPE html>
<html><head>
<meta charset="UTF-8">
</head><body><p>Hi,</p>
<p>I'm running nginx/1.17.8 as a ReverseProxy, executed as Docker container via docker-compose.yaml.</p>
<pre class="code-java">version: '2'
services:
  proxy:
    image: nginx:1.17
    container_name: nginx
    restart: always
    ports:
      - "443:8443"
      - "80:8080"

    volumes:
      - /data/nginx-conf:/etc/nginx/conf.d/

    networks:
      - webgateway

networks:
  webgateway:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1300
</pre>
<p>It's configured to run secured, which is working fine. The servers being proxied are available at https, but currently the verification is turned off. The certificate used by the server is also valid, it's a chain being built upon server -&gt; intermediate -&gt; root CA.</p>
<p>When turning it on, I always get</p>
<pre class="code-java">=&gt; nginx | 2020/03/19 12:37:50 [error] 6#6: *1 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 141.77.119.231, server: tam-ci.mygroup.net, request: "GET /sonarqube/ HTTP/2.0", upstream: "https://10.248.117.61:443/sonarqube/", host: "tam-ci.mygroup.net"
</pre>
<p>Here's my configuration:</p>
<pre class="code-java">location /sonarqube/ {
    proxy_pass https://cvm23801.mygroup.net$request_uri;

    # TODO needed here ?
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # verify the Traefik certificate
    # TODO need to use own client certificate ???
    #proxy_ssl_certificate /etc/nginx/conf.d/tam-ci.pem;
    #proxy_ssl_certificate_key /etc/nginx/conf.d/tam-ci.key;

    proxy_ssl_trusted_certificate /etc/nginx/conf.d/mygroup-ca.pem;

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    #proxy_ssl_name tam-ci.bmwgroup.net;
    proxy_ssl_verify on;
    #proxy_ssl_server_name off;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    proxy_read_timeout 1800;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    send_timeout 1800;
}
</pre>
<p>Any idea why I always see this error? Or how to fix it?<br>The proxy_ssl_trusted_certificate is a valid certificate chain containing an Intermediate as well as a root certificate (in one file).</p>
<p>Thanx in advance,</p>
<p>Torsten</p></body></html>
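<p>Added diagnostic, not part of Torsten's post: a POSIX shell script that connects to the upstream the way nginx does with <code>proxy_ssl_trusted_certificate</code> and <code>proxy_ssl_verify_depth 2</code>, once without SNI (nginx sends none to the upstream unless <code>proxy_ssl_server_name on</code> is set) and once with it, and maps OpenSSL's verify return code plus the number of certificates the upstream actually sent to the nginx-side setting to look at. The CA file path assumes the host-side copy of the mounted <code>mygroup-ca.pem</code>; the embedded <code>s_client</code> transcript used for the self-check is constructed.</p>

```sh
#!/bin/sh
# Added example (not from the post): probe an HTTPS upstream the way nginx's
# proxy_ssl_verify does and map OpenSSL's verdict to the nginx directive to check.
# Assumption: host-side copy of the CA file mounted as /etc/nginx/conf.d/mygroup-ca.pem.
CAFILE=${CAFILE:-/data/nginx-conf/mygroup-ca.pem}
# Numeric "Verify return code" from an openssl s_client transcript on stdin.
verify_code() {
  sed -n 's/^ *Verify return code: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}
# Number of certificates the upstream actually sent ("Certificate chain" entries).
chain_length() {
  grep -c '^ *[0-9][0-9]* s:' || true
}
# Map verify code ($1) and sent-chain length ($2) to what to look at on the nginx side.
explain() {
  case $1 in
    0)     echo "chain verifies against the CA file; check proxy_ssl_name and SNI next" ;;
    20|21) if [ "$2" -le 1 ]; then
             echo "upstream sent only its leaf and its issuer is not in the CA file"
           else
             echo "a CA in the sent chain is not in proxy_ssl_trusted_certificate (check depth)"
           fi ;;
    18|19) echo "self-signed certificate presented: upstream served a default cert, check SNI" ;;
    *)     echo "verify return code $1, see verify(1) for its meaning" ;;
  esac
}
# Read one s_client transcript on stdin and print the diagnosis.
diagnose() {
  out=$(cat)
  code=$(printf '%s\n' "$out" | verify_code)
  depth=$(printf '%s\n' "$out" | chain_length)
  explain "${code:-unknown}" "${depth:-0}"
}
# Probe like nginx: without SNI (its default; -noservername needs OpenSSL 1.1.1+),
# then with SNI (what proxy_ssl_server_name on would send). Empty stdin ends s_client.
probe() {
  host=$1; port=${2:-443}
  printf 'no SNI: '
  printf '' | openssl s_client -connect "$host:$port" -noservername -CAfile "$CAFILE" -verify 2 2>&1 | diagnose
  printf 'SNI %s: ' "$host"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$CAFILE" -verify 2 2>&1 | diagnose
}
# Constructed transcript of an upstream that sends only its leaf certificate.
SAMPLE_LEAF_ONLY='Certificate chain
 0 s:CN = cvm23801.mygroup.net
   i:CN = MyGroup Issuing CA
---
Verify return code: 20 (unable to get local issuer certificate)'
if [ $# -ge 1 ]; then probe "$@"; fi   # usage: sh probe.sh cvm23801.mygroup.net 443
```

With the poster's configuration (proxy_ssl_server_name left at its default) the "no SNI" line is the result nginx itself acts on.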