
I obtained SSL certificates using Let's Encrypt for use in a dockerised nginx deployment. The privkey.pem works, but the fullchain.pem file cannot be accessed and I see this type of error in the nginx log:

PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

I have tested the certificate using `openssl x509 -noout -text` and it appears to work, e.g.:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:1a:8d:15:9a:1e:78:f7:e7:34:01:62:4c:c4:9f:9b:03:43
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Sep 24 03:26:11 2020 GMT
            Not After : Dec 23 03:26:11 2020 GMT

...etc.

and text inspection:

-----BEGIN CERTIFICATE-----
MIIFSjCCBDKgAwIBAgISBBqNFZoeePfnNAFiTMSfmwNDMA0GCSqGSIb3DQEBCwUA
...
CJdKuoNsWQgrCG3JHsYwq0KADH7UGRiZ/rISnEMwfEupxzen7ML0cpn2N5iixjw1
ngHluO91jwJo3W2ulQs=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
...
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

Has anyone come across a solution?

NB: see nginx.conf (domain is 'ex.co')

user  nginx;
worker_processes  auto;
worker_rlimit_nofile 65535;
daemon off;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    charset              utf-8;
    sendfile             on;
    tcp_nopush           on;
    tcp_nodelay          on;
    server_tokens        off;
    log_not_found        off;
    types_hash_max_size  2048;
    client_max_body_size 16M;
    
    #ssl_certificate         /etc/letsencrypt/live/ex.co/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/ex.co/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/ex.co/chain.pem;

    ssl_ciphers         ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_protocols       TLSv1.2 TLSv1.3;
    
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    access_log  /var/log/nginx/access.log;

    access_log /dev/stdout;
    error_log /dev/stderr;

    keepalive_timeout  65;
    
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-available/*.conf;

}
haz
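An added diagnostic for this question (example code written here, not part of the question, of certbot, or of nginx/OpenSSL): nginx hands the `ssl_certificate` file to OpenSSL's `PEM_read_bio_X509_AUX()`, which scans the file line by line for a `-----BEGIN <label>-----` marker, accepts the labels `CERTIFICATE` and `TRUSTED CERTIFICATE`, and reports `no start line` when it reaches end-of-file without finding one. So the error describes the bytes nginx actually opened, which is not necessarily the file `openssl x509` was run against on the host. The standard-library Python 3 checker below repeats that scan, resolves symlinks first (certbot's `live/` entries are symlinks into `archive/`, which has to be mounted into the container as well), and names the usual causes: an empty or unreadable target, a UTF-8 BOM in front of the first marker, a block with a label `ssl_certificate` will not load, or a body that is not valid base64 DER. The function names `lint_pem_chain` and `lint_pem_file` and the sample PEM inputs are my own constructions; the sample bodies are a five-byte DER SEQUENCE, not real certificates.

```python
"""Lint a PEM chain file the way nginx's ssl_certificate loader will read it.

nginx hands the file to OpenSSL's PEM_read_bio_X509_AUX(), which scans
line by line for "-----BEGIN <label>-----", accepts the labels
CERTIFICATE and TRUSTED CERTIFICATE, and reports "no start line" if it
reaches end-of-file first.  lint_pem_chain() repeats that scan on the raw
bytes and names the usual causes (empty file, BOM, wrong label, bad base64).
"""
import base64
import binascii
import os
import re

ACCEPTED_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}
BEGIN_RE = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----\s*$")
END_RE = re.compile(rb"^-----END ([A-Z0-9 ]+)-----\s*$")


def lint_pem_chain(data: bytes) -> dict:
    """Return {'blocks': [label, ...], 'issues': [message, ...]} for PEM bytes."""
    blocks, issues = [], []
    if not data.strip():
        issues.append("file is empty, so the PEM reader hits EOF: 'no start line'")
        return {"blocks": blocks, "issues": issues}
    if data.startswith(b"\xef\xbb\xbf"):
        issues.append("UTF-8 BOM in front of the first line breaks its BEGIN marker")
    label, body, seen_begin = None, [], False
    for lineno, line in enumerate(data.splitlines(), 1):
        if label is None:                      # outside a block: look for BEGIN
            m = BEGIN_RE.match(line)
            if m:
                label, body, seen_begin = m.group(1).decode(), [], True
            elif line.strip() and not seen_begin:
                issues.append(f"line {lineno}: text before the first BEGIN line")
            continue
        m = END_RE.match(line)                 # inside a block: collect the body
        if not m:
            body.append(line.strip())
            continue
        where = f"{label} block ending at line {lineno}"
        if m.group(1).decode() != label:
            issues.append(f"{where}: END label does not match BEGIN label")
        try:
            der = base64.b64decode(b"".join(body), validate=True)
        except binascii.Error:
            der = b""
            issues.append(f"{where}: body is not valid base64")
        if der and der[0] != 0x30:             # a DER Certificate is a SEQUENCE
            issues.append(f"{where}: decoded body is not a DER SEQUENCE")
        if label not in ACCEPTED_LABELS:
            issues.append(f"{where}: ssl_certificate does not load this label")
        blocks.append(label)
        label = None
    if label is not None:
        issues.append(f"BEGIN {label} has no matching END line")
    if not seen_begin:
        issues.append("no '-----BEGIN' line found: OpenSSL reports 'no start line'")
    return {"blocks": blocks, "issues": issues}


def lint_pem_file(path: str) -> dict:
    """Resolve symlinks first: certbot's live/ entries point into archive/, which
    must be mounted into the container too, or the links dangle."""
    real = os.path.realpath(path)
    if not os.path.isfile(real):
        return {"blocks": [], "issues": [f"{path} -> {real}: not a readable file"]}
    with open(real, "rb") as fh:
        result = lint_pem_chain(fh.read())
    result["resolved_path"] = real
    return result


# Constructed samples (hypothetical): the body is a 5-byte DER SEQUENCE, not a
# real certificate, which is enough to exercise the structural checks.
FAKE_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
ONE_CERT = f"-----BEGIN CERTIFICATE-----\n{FAKE_BODY}\n-----END CERTIFICATE-----\n".encode()
FULLCHAIN = ONE_CERT * 2                       # leaf followed by intermediate
BOM_CERT = b"\xef\xbb\xbf" + ONE_CERT          # saved by an editor that adds a BOM
KEY_IN_CHAIN = ONE_CERT + (
    f"-----BEGIN PRIVATE KEY-----\n{FAKE_BODY}\n-----END PRIVATE KEY-----\n".encode())

if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if targets:
        for p in targets:                      # e.g. /etc/letsencrypt/live/ex.co/fullchain.pem
            print(p, lint_pem_file(p))
    else:
        for name, sample in [("fullchain", FULLCHAIN), ("empty", b""),
                             ("bom", BOM_CERT), ("key_in_chain", KEY_IN_CHAIN)]:
            print(name, lint_pem_chain(sample))
```

Run it inside the nginx container (`docker exec <container> python3 pemlint.py /etc/letsencrypt/live/ex.co/fullchain.pem`, with whatever name the file is saved under) so it reads the same path nginx opens; with no arguments it runs over the constructed samples. A `not a readable file` result after symlink resolution points at the bind mount rather than at the certificate, while `text before the first BEGIN line` together with `no start line` on a single-certificate file is the BOM case.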
  • What does your `nginx.conf` look like? – masseyb Sep 24 '20 at 12:31
  • @masseyb has the http block with the ssl options – haz Sep 24 '20 at 12:40
  • Update your question with a copy of your `nginx.conf` - might help... – masseyb Sep 24 '20 at 12:41
  • `ssl_trusted_certificate` is used with client certificates and has nothing to do with server certificates. Why is your `ssl_certificate` statement commented out? – Richard Smith Sep 24 '20 at 17:05
  • That’s the one that does not load – haz Sep 24 '20 at 17:12
  • [This](https://stackoverflow.com/a/52085885/1423507) might help. – masseyb Sep 24 '20 at 18:21
  • If you're running in `docker` it'd help to post the commands that you're using as well (possibly even the `Dockerfile` in case you're baking certs into your image - gross but can't say without it). As a rule of thumb post everything needed for a [minimal reproducible example](https://stackoverflow.com/a/5963610/1423507). Possibly just a case of not bind-mounting the certs into the container and `nginx` not finding any certificates. – masseyb Sep 24 '20 at 18:38
  • @masseyb yes tried renaming before posting – haz Sep 24 '20 at 18:44
  • @masseyb the certs are visible when I access the docker nginx CLI - they are accessible – haz Sep 25 '20 at 02:57

0 Answers