Proxy pass and SSL certificates

Mephysto On Hell mephystoonhell at gmail.com
Thu May 3 08:30:20 UTC 2018


Hello everyone,
I have been using Nginx in a production environment for some years, but I am
almost a newbie with SSL certificates and connections. At the moment I have
a configuration with two levels:

1. A first level Nginx that operates as load balancer
2. Two second level Nginx: the first hosts a web site and it does not need an
SSL connection, the second hosts an Owncloud instance and it needs an SSL
connection.

I am using Certbot and Let's Encrypt to generate signed certificates. At the
moment I have certificates installed in both levels and until last month
this configuration was working. After certificates renewal (every three
months) I am getting an ERR_CERT_DATE_INVALID and I cannot access
Owncloud. Only the second level certificate has been renewed.

But if I try to connect directly to the second level Nginx, I do not get any
error and I can access Owncloud.

This is first level Nginx config:

upstream cloud {
        server 10.39.0.52;
}

upstream cloud_ssl {
        server 10.39.0.52:443;
}


server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name cloud.diakont.it cloud.diakont.srl;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl on;
        server_name cloud.diakont.it cloud.diakont.srl;
        include snippets/cloud.diakont.it.conf;
        include snippets/ssl-params.conf;

        error_log  /var/log/nginx/cloudssl.diakont.it.error.log info;
        access_log /var/log/nginx/cloudssl.diakont.it.access.log;

        location / {
                proxy_pass https://cloud_ssl/;
                proxy_redirect default;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        Host $host;
        }
}


I would like to set the first level Nginx to establish an SSL connection with
Owncloud without having to renew the certificates on both levels. Is it
possible? How do I have to change my config?

Thanks in advance.

Meph
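
A way to see which tier is serving the stale certificate described in the message above, as an added example that is not part of the original post: it performs a verified TLS handshake against each level and reports the certificate's expiry or the verification error. The first level address is a placeholder given on the command line, `probe`, `days_left` and `summarize` are hypothetical helper names, and the 30-day warning threshold is an assumption; 10.39.0.52 and cloud.diakont.it are taken from the posted config.

```python
import socket, ssl, sys, time

def probe(addr, port, sni, timeout=5.0):
    """Verified TLS handshake with addr:port, sending `sni` as server name.
    Returns (not_after, None) on success or (None, reason) on failure."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert()["notAfter"], None
    except ssl.SSLCertVerificationError as exc:  # e.g. "certificate has expired"
        return None, exc.verify_message
    except OSError as exc:  # refused, timed out, other TLS errors
        return None, str(exc)

def days_left(not_after, now=None):
    """Whole days until the notAfter timestamp (negative once expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def summarize(tier, not_after, error, now=None, warn_days=30):
    """One report line per tier; warn_days=30 is an assumed threshold."""
    if error is not None:
        return f"{tier}: FAIL ({error})"
    left = days_left(not_after, now)
    state = "RENEW SOON" if left < warn_days else "OK"
    return f"{tier}: {state}, {left} days left (notAfter {not_after})"

if __name__ == "__main__":
    # usage: script.py FRONT_ADDR [BACK_ADDR]; FRONT_ADDR is a placeholder,
    # the back-end default and the server name come from the posted config.
    front = sys.argv[1]
    back = sys.argv[2] if len(sys.argv) > 2 else "10.39.0.52"
    sni = "cloud.diakont.it"
    for tier, addr in (("first level", front), ("second level", back)):
        print(summarize(tier, *probe(addr, 443, sni)))
```

A FAIL on the first level next to an OK on the second level corresponds to the symptom reported in the message: the browser sees the first level's certificate, not the renewed one behind it.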