Why is NGINX throwing `cannot load certificate "data:": PEM_read_bio_X509_AUX() Expecting: TRUSTED CERTIFICATE`?

Question
I am attempting to set up a local HTTPS development environment using Django-Cookiecutter with Docker. I followed the documentation to a tee using mkcert; however, I realized that additional NGINX configuration was necessary to get .pem files to work. After configuring what I believe to be the right settings, I am now encountering the following error from NGINX:

nginx.1     | 2023/05/24 20:56:23 [error] 37#37: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 42#42: *2 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 40#40: *3 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 39#39: *4 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443

I have spent the better part of 10 hours trying to figure out how to fix this issue and have reached the point of spinning my wheels. Every suggestion I've tried from others has resulted in no change to my issue, and I've exhausted what I believe to be the relevant topics.

The things I've tried so far (non-exhaustive):

  • Recreated the cert/key files countless times
  • Installed and re-installed mkcert countless times
  • Rebuilt my docker compose countless times
  • Edited, simplified, tested too many NGINX configs to count
  • Started from scratch with a blank project

Here are the relevant portions of the project:

nginx.conf (current config)

server {
    listen 80;
    server_name localhost;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/certs/localhost.pem;
    ssl_certificate_key /etc/nginx/certs/localhost-key.pem;

    location / {
        proxy_pass http://django:8000;   # name of django docker container
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Note: This was added due to NGINX not automatically accepting *.pem files from mkcert.

docker-compose.yml (nginx portion)

  nginx:
    build:
      context: .
      dockerfile: ./compose/local/nginx/Dockerfile
    container_name: local_nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs
    depends_on:
      - django

Note: django is my Django app. It works. I can reach it at localhost:8000 without issue and can curl it from the nginx container without issue.

./compose/local/nginx/Dockerfile

FROM jwilder/nginx-proxy:latest

RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d

Note: This was added due to NGINX not automatically accepting *.pem files from mkcert.

openssl x509 -text -noout -in localhost.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:0c:b3:f7:2a:8b:f9:f7:0f:90:69:8f:63:4c:2a:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = mkcert development CA, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman), CN = mkcert dakotahorstman@dur10469-ubuntu (Dakota Horstman)
        Validity
            Not Before: May 24 20:52:44 2023 GMT
            Not After : Aug 24 20:52:44 2025 GMT
        Subject: O = mkcert development certificate, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Authority Key Identifier: 
                keyid:AB:28:4B:C0:36:99:06:7A:D5:FF:CA:EC:83:C6:1D:F3:B6:85:3F:17

            X509v3 Subject Alternative Name: 
                DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

openssl rsa -in localhost-key.pem -check

RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Chrome Webpage (screenshot not reproduced)

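The certificate loading that fails in the log above, as an added example that is not part of the question or the answer: nginx documents that an ssl_certificate value of the form data:<pem> is used inline instead of being read from a file, so the literal "data:" in the error means the configuration nginx actually executed supplied an empty inline certificate, which the posted nginx.conf (file paths under /etc/nginx/certs) never does. The helper below mimics that resolution, then inspects the bytes the way PEM_read_bio_X509_AUX does, returning 'no start line' for empty input or for input with no CERTIFICATE block; the PEM samples are constructed placeholders, not real certificates or keys.

```python
import base64
import re
from pathlib import Path

# Block labels that OpenSSL's PEM_read_bio_X509_AUX accepts; blocks with any other
# label are skipped, so a key-only file produces the same "no start line" error.
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE", "X509 CERTIFICATE"}
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed placeholders (not real certificates or keys): the base64 body decodes
# to bytes 30 03 02 01 05, a minimal DER SEQUENCE, which is all this check inspects.
SAMPLE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_CORRUPT_PEM = b"-----BEGIN CERTIFICATE-----\n!!!!\n-----END CERTIFICATE-----\n"


def resolve_ssl_certificate(value, read_file=lambda p: Path(p).read_bytes()):
    """Obtain certificate bytes the way nginx does for an ssl_certificate value.

    nginx treats a value of the form "data:<pem>" as the certificate itself and
    anything else as a file path. The log in the question shows the resolved
    value "data:", i.e. an inline certificate with an empty payload.
    """
    if value.startswith("data:"):
        return value[len("data:"):].encode()
    return read_file(value)


def diagnose_certificate_bytes(data):
    """Report what PEM_read_bio_X509_AUX would make of these bytes."""
    if not data.strip():
        return "empty input: OpenSSL reports 'no start line' (Expecting: TRUSTED CERTIFICATE)"
    blocks = list(PEM_BLOCK.finditer(data))
    certs = [m for m in blocks if m.group(1).decode() in CERT_LABELS]
    if not certs:
        labels = ", ".join(m.group(1).decode() for m in blocks) or "none"
        return f"no CERTIFICATE block found (labels present: {labels}): 'no start line'"
    for m in certs:
        try:
            der = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "CERTIFICATE block body is not valid base64"
        if not der or der[0] != 0x30:
            return "decoded body is not a DER SEQUENCE: certificate is corrupt"
    return f"ok: {len(certs)} certificate block(s) parse; verify key match and SAN next"
```

Run the check against the value nginx actually loads, not only the files in ./certs: the jwilder/nginx-proxy image generates its own nginx configuration from the Docker socket mounted in docker-compose.yml, so the value nginx sees may not come from the posted nginx.conf at all.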
Answer 1

Score: 2

For whatever reason, the jwilder/nginx-proxy:latest image does NOT work, whereas the nginx image does. Without any changes to any other files, simply changing the Dockerfile to the below works.

FROM nginx

RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d

Posted by huangapple on 2023-05-25 05:19:09
Source: https://go.coder-hub.com/76327465.html