unable to get local issuer certificate

Torsten Reinhard email at torstenreinhard.de
Mon Mar 23 10:06:08 UTC 2020


Hi,


I'm running nginx/1.17.8 as a reverse proxy, executed as a Docker container via docker-compose.yaml.

version: '2'
services:
  proxy:
    image: nginx:1.17
    container_name: nginx
    restart: always
    ports:
      - "443:8443"
      - "80:8080"

    volumes:
      - /data/nginx-conf:/etc/nginx/conf.d/

    networks:
      - webgateway

networks:
  webgateway:
    driver: bridge
    driver_opts:
      com.docker.network.driver.mtu: 1300


It's configured to run secured, which is working fine. The servers being proxied are available at https, but currently the verification is turned off. The certificate used by the server is also valid; it's a chain being built upon server->intermediate-root CA.


When turning it on, I always get

=> nginx    | 2020/03/19 12:37:50 [error] 6#6: *1 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 141.77.119.231, server: tam-ci.mygroup.net, request: "GET /sonarqube/ HTTP/2.0", upstream: "https://10.248.117.61:443/sonarqube/", host: "tam-ci.mygroup.net"

Here's my configuration:


location /sonarqube/ {
    proxy_pass https://cvm23801.mygroup.net$request_uri;

    # TODO needed here ?
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # verify the Traefik certificate

    # TODO need to use own client certificate ???
    #proxy_ssl_certificate /etc/nginx/conf.d/tam-ci.pem;
    #proxy_ssl_certificate_key /etc/nginx/conf.d/tam-ci.key;

    proxy_ssl_trusted_certificate /etc/nginx/conf.d/mygroup-ca.pem;

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    proxy_ssl_ciphers HIGH:!aNULL:!MD5;

    #proxy_ssl_name tam-ci.bmwgroup.net;
    proxy_ssl_verify on;
    #proxy_ssl_server_name off;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;

    proxy_read_timeout 1800;
    proxy_connect_timeout 1800;
    proxy_send_timeout 1800;
    send_timeout 1800;
}


Any idea why I always see this error? Or how to fix it?
The proxy_ssl_trusted_certificate is a valid certificate chain containing an intermediate as well as a root certificate (in one file).

Thanx in advance, 

Torsten
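
Added example (not part of the original message and not nginx project code): a shell sketch that reproduces OpenSSL verify error 20 on a constructed root -> intermediate -> server chain and shows which combinations of trusted bundle and server-sent certificates verify. All certificate names, file names and the helper functions new_csr and verify_with are assumptions made for illustration; it requires the openssl command-line tool.

```shell
#!/usr/bin/env bash
# Added example: constructed root -> intermediate -> server chain (all names made up).
set -eu
cd "$(mktemp -d)"

# Extensions that mark a certificate as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

new_csr() {  # new_csr NAME SUBJECT: writes NAME.key and NAME.csr
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

new_csr root  "/CN=Constructed Root CA"
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null

new_csr inter "/CN=Constructed Intermediate CA"
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -days 2 -out inter.pem 2>/dev/null

new_csr leaf  "/CN=upstream.example.test"
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out leaf.pem 2>/dev/null

# Candidate file for proxy_ssl_trusted_certificate: intermediate plus root.
cat inter.pem root.pem > bundle.pem

# verify_with TRUSTED [SENT_BY_SERVER]: echoes "ok" or the first "error N".
# TRUSTED plays the role of proxy_ssl_trusted_certificate; SENT_BY_SERVER holds
# the extra certificates the upstream includes in its handshake.
verify_with() {
  out=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} leaf.pem 2>&1) && { echo ok; return; }
  echo "$out" | grep -o 'error [0-9][0-9]*' | head -n 1
}

echo "root only, server sends leaf only:      $(verify_with root.pem)"
echo "root only, server sends intermediate:   $(verify_with root.pem inter.pem)"
echo "intermediate+root, server sends leaf:   $(verify_with bundle.pem)"
```

The same openssl verify call can be pointed at the certificate an upstream actually presents and at the file given to proxy_ssl_trusted_certificate, to see whether that file contains the issuer of the presented certificate.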