Why is NGINX throwing `cannot load certificate "data:": PEM_read_bio_X509_AUX() Expecting: TRUSTED CERTIFICATE`?
Question
I am attempting to set up a local HTTPS development environment using Django-Cookiecutter with docker. I followed the documentation to a tee using mkcert; however, I realized that additional NGINX configuration was necessary to get .pem files to work. After configuring what I believe to be the right settings, I am now encountering the following error from NGINX:
nginx.1 | 2023/05/24 20:56:23 [error] 37#37: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1 | 2023/05/24 20:56:23 [error] 42#42: *2 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1 | 2023/05/24 20:56:23 [error] 40#40: *3 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1 | 2023/05/24 20:56:23 [error] 39#39: *4 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
I have spent the better part of 10 hours trying to figure out how to fix this issue and have reached the point of spinning my wheels. Every suggestion I've tried from others has resulted in no change to my issue and I've exhausted what I believe to be relevant topics.
The things I've tried so far (non-exhaustive):
- Recreated the cert/key files countless times
- Installed and re-installed mkcert countless times
- Rebuilt my docker compose countless times
- Edited, simplified, tested too many NGINX configs to count
- Started from scratch with a blank project
Here are the relevant portions of the project:
nginx.conf (current config)
server {
    listen 80;
    server_name localhost;
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /etc/nginx/certs/localhost.pem;
    ssl_certificate_key /etc/nginx/certs/localhost-key.pem;
    location / {
        proxy_pass http://django:8000; # name of django docker container
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Note: This was added due to NGINX not automatically accepting *.pem files from mkcert.
docker-compose.yml (nginx portion)
nginx:
  build:
    context: .
    dockerfile: ./compose/local/nginx/Dockerfile
  container_name: local_nginx
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/tmp/docker.sock:ro
    - ./certs:/etc/nginx/certs
  depends_on:
    - django
Note: django is my Django app. It works. I can reach it at localhost:8000 without issue and can curl it from the nginx container without issue.
./compose/local/nginx/Dockerfile
FROM jwilder/nginx-proxy:latest
RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d
Note: This was added due to NGINX not automatically accepting *.pem files from mkcert.
openssl x509 -text -noout -in localhost.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
99:0c:b3:f7:2a:8b:f9:f7:0f:90:69:8f:63:4c:2a:7f
Signature Algorithm: sha256WithRSAEncryption
Issuer: O = mkcert development CA, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman), CN = mkcert dakotahorstman@dur10469-ubuntu (Dakota Horstman)
Validity
Not Before: May 24 20:52:44 2023 GMT
Not After : Aug 24 20:52:44 2025 GMT
Subject: O = mkcert development certificate, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:e7:d7:17:b3:a9:0e:a1:b0:57:68:32:06:71:7a:
c8:e1:c0:ec:1a:eb:8c:08:bd:12:ea:39:94:f9:8e:
12:85:45:7b:4a:e2:2b:80:17:b2:7d:b1:4b:75:1c:
da:42:3d:e3:0a:9e:8d:ca:61:c5:f1:fd:26:86:d4:
4e:79:c3:0e:7f:f5:ab:76:44:ac:12:16:0b:36:56:
7a:be:be:31:e3:68:cc:47:4e:18:75:4f:36:da:d1:
d6:50:a7:83:7d:4f:fe:60:c1:15:64:71:c4:a9:4d:
b1:74:d5:c5:51:20:9e:38:39:24:46:5b:6c:45:c3:
8e:71:e2:5b:e7:92:f6:0e:42:34:33:f4:e6:36:22:
c0:e2:fd:05:26:75:51:4a:13:23:a1:21:11:b1:88:
14:80:7a:56:70:81:aa:34:97:42:e7:cb:be:7d:e4:
69:cc:a9:e5:ec:42:2e:0b:6c:a9:d1:57:d8:5b:70:
9c:55:46:d0:bc:01:06:97:a2:15:e3:22:0c:32:67:
f0:99:64:a3:6f:41:33:da:ca:a4:c6:d7:09:a8:a8:
2c:26:45:88:09:e6:9f:4b:88:12:ca:de:6a:96:49:
29:49:c4:e0:45:f0:35:e9:de:c8:9b:c7:30:de:8a:
e0:fa:9b:fb:6e:e9:ee:60:78:06:7a:16:e7:6c:6a:
13:c3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Authority Key Identifier:
keyid:AB:28:4B:C0:36:99:06:7A:D5:FF:CA:EC:83:C6:1D:F3:B6:85:3F:17
X509v3 Subject Alternative Name:
DNS:localhost, IP Address:127.0.0.1
Signature Algorithm: sha256WithRSAEncryption
a5:12:82:ec:25:0b:e5:b5:99:dc:a6:60:a1:5c:f8:03:19:70:
41:10:0d:b8:04:ac:c8:be:7a:d5:b1:23:ce:db:06:0d:1e:98:
31:01:09:f4:00:5d:25:04:00:6c:c2:da:56:3b:f4:f4:5e:88:
4a:26:61:12:9c:34:74:22:b6:27:82:f9:39:35:cd:94:e1:c9:
a4:60:20:f1:d9:87:cb:4e:38:7b:9a:70:7d:82:48:7b:3c:ca:
38:e9:e7:e4:c0:89:73:a0:26:34:61:4d:12:90:f2:3a:ba:dd:
49:3b:cd:75:cb:0d:84:63:0e:4c:09:fe:b6:3b:5e:ea:2d:1d:
a4:04:63:9e:d4:e3:a8:d7:ee:ed:aa:90:9f:bc:26:fe:e3:49:
34:54:4d:82:a6:d2:c2:0c:ca:89:fd:b1:5b:62:4b:f0:c5:cb:
21:09:96:c4:55:88:17:7a:cb:53:ae:e8:83:18:a3:14:1c:87:
2d:7d:72:34:17:04:55:c6:cc:99:5a:92:88:fc:06:bf:08:6b:
b5:49:60:44:03:44:6b:7f:bc:7e:a1:b9:ec:aa:ef:e1:88:47:
3d:76:f0:c2:04:53:d0:57:32:f1:a5:5d:ac:53:e6:e8:a4:a4:
7f:2e:5b:bd:cd:d2:3c:c9:9f:ec:32:36:11:c1:b9:ba:a5:2f:
17:93:69:7e:bf:47:ae:74:2a:40:de:48:7f:f8:96:ce:de:72:
1d:28:27:64:7e:eb:e7:c4:44:77:01:82:6e:93:a2:a8:d3:89:
e7:8b:0a:6f:c5:a5:23:a1:a4:82:59:2f:63:6a:12:c6:50:80:
88:11:fb:38:e9:36:45:10:b9:6c:ba:c3:df:76:5e:fb:3d:c4:
05:67:62:45:3b:21:be:7b:5b:ee:e9:9c:4e:02:fd:03:5d:95:
6f:de:8e:e2:eb:93:b3:cb:90:ff:06:97:a3:1b:2a:5a:34:b3:
4d:de:ed:2e:01:ae:fc:88:9d:bf:37:98:78:40:56:a5:c9:98:
ad:45:e8:85:7d:19
openssl rsa -in localhost-key.pem -check
RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
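A small diagnostic, added here as an example and not part of the original question or answer. The useful detail in the error above is the quoted certificate source: nginx reports `"data:"` with nothing after the scheme, not the `/etc/nginx/certs/localhost.pem` path from nginx.conf, and OpenSSL's `no start line` means it found no `-----BEGIN` line at all in that empty payload. The `openssl x509 -text` output shows the file itself is a valid certificate, so the certificate nginx tried to load during the handshake did not come from the `ssl_certificate` line shown. The script below parses an nginx error line of that shape and checks what `PEM_read_bio_X509_AUX` would find for a given `ssl_certificate` value (`data:` inline payload or file path). The file paths and PEM bodies it uses are constructed placeholders, not real keys.

```python
import re
from pathlib import Path
from typing import Callable, List, Optional

# Shape of the nginx error seen on the page: the certificate source is quoted and
# the OpenSSL reason follows "SSL:".
ERROR_RE = re.compile(
    r'cannot load certificate "(?P<source>[^"]*)": (?P<func>\w+)\(\) failed '
    r'\(SSL: (?P<reason>[^)]*)\)'
)

# Block labels accepted by OpenSSL's PEM_read_bio_X509_AUX, which nginx uses for ssl_certificate.
ACCEPTED_CERT_LABELS = ("CERTIFICATE", "TRUSTED CERTIFICATE")
PEM_BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.M)

# Constructed sample inputs (placeholder bodies, not real key material).
ERROR_LINE = (
    'nginx.1 | 2023/05/24 20:56:23 [error] 37#37: *1 cannot load certificate "data:": '
    "PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:"
    "no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, "
    "client: 172.19.0.1, server: 0.0.0.0:443"
)
FAKE_CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"


def parse_cert_error(line: str) -> Optional[dict]:
    """Extract the certificate source, failing OpenSSL function and reason from one error line."""
    m = ERROR_RE.search(line)
    return m.groupdict() if m else None


def pem_labels(text: str) -> List[str]:
    """All '-----BEGIN <label>-----' markers in a PEM text, in order of appearance."""
    return PEM_BEGIN_RE.findall(text)


def certificate_source_text(source: str, read_file: Callable[[str], str]) -> str:
    """Resolve an ssl_certificate value the way nginx does: a 'data:' value carries the
    PEM inline; anything else is treated as a file path."""
    if source.startswith("data:"):
        return source[len("data:"):]
    return read_file(source)


def diagnose(source: str, read_file: Callable[[str], str] = lambda p: Path(p).read_text()) -> str:
    """Explain whether PEM_read_bio_X509_AUX could load this ssl_certificate source."""
    try:
        text = certificate_source_text(source, read_file)
    except OSError as exc:
        return f"unreadable: {exc}"
    labels = pem_labels(text)
    if not labels:
        # The page's case: an empty 'data:' payload has no BEGIN line, hence 'no start line'.
        return "no PEM block (OpenSSL: no start line)"
    if labels[0] in ACCEPTED_CERT_LABELS:
        return f"ok: leading block is {labels[0]}"
    # e.g. the key file was passed where the certificate was expected.
    return f"wrong block type: {labels[0]} (expected CERTIFICATE)"


if __name__ == "__main__":
    parsed = parse_cert_error(ERROR_LINE)
    print("source nginx tried to load:", repr(parsed["source"]))
    print("OpenSSL reason:", parsed["reason"])
    print("data: with empty payload ->", diagnose("data:"))
    # Hypothetical files, served from in-memory placeholders instead of disk.
    print("cert file ->", diagnose("/etc/nginx/certs/localhost.pem", read_file=lambda p: FAKE_CERT_PEM))
    print("key file as cert ->", diagnose("/etc/nginx/certs/localhost-key.pem", read_file=lambda p: FAKE_KEY_PEM))
```

Running it against the page's error line reproduces the `no start line` outcome for an empty `data:` payload, while a file whose first block is `CERTIFICATE` (what mkcert writes and what the `openssl x509 -text` call above parsed) loads fine. The `read_file` parameter exists only so the example runs offline; point `diagnose` at the real path inside the container to check the mounted file.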
Answer 1
Score: 2
For whatever reason, the jwilder/nginx-proxy:latest image does NOT work, whereas the nginx image does. Without any changes to any other files, simply changing the Dockerfile to the below works.
FROM nginx
RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d