The original post: /r/nginx by /u/Henness0666 on 2025-02-11 05:10:26.

I’m trying to create a self-signed SSL certificate for my Nginx Docker container. I created the certificate using my Windows CA, which runs inside a Windows AD DC environment. Once created I exported it and, using OpenSSL, produced the key and crt files. But after passing the cert to my Docker container I get the following error message:

2025-02-10 20:50:34 2025/02/11 04:50:34 [emerg] 1#1: cannot load certificate "/etc/nginx/certs/server.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
2025-02-10 20:50:34 nginx: [emerg] cannot load certificate "/etc/nginx/certs/server.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)

Does anyone know why I would be getting this error? I even exported it as a trusted certificate.

-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

  nginx:
    build:
      context: ../nginx
      dockerfile: Dockerfile
    volumes:
      - ..server.crt:/etc/nginx/certs/server.crt
      - ..server.key:/etc/nginx/certs/server.key
    environment:
      - FRONTEND_HOST_NAME=${FRONTEND_HOST_NAME}
      - BACKEND_HOST_NAME=${BACKEND_HOST_NAME}
      - PGADMIN_HOST_NAME=${PGADMIN_HOST_NAME}
      - CANVAS_HOST_NAME=${CANVAS_HOST_NAME}
    ports:
      - "80:80"
    networks:
      - prometheus-net

events {
    # Maximum simultaneous connections per worker process (clients and
    # upstream connections both count against this limit).
    worker_connections 1024;
}

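http {
    # Upstream groups for the Compose services; the names resolve via Docker's
    # embedded DNS on the shared network.
    upstream frontend {
        server frontend:3000;
    }

    upstream backend {
        server backend:8000;
    }

    upstream pgadmin {
        server pgadmin:80;
    }

    # TLS settings are identical for every HTTPS server below, so they are
    # declared once at the http level and inherited. Because one certificate
    # serves four hostnames, it must list all four as Subject Alternative
    # Names (modern clients ignore the CN) — confirm the CA template does so.
    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # WebSocket helper: send "Connection: upgrade" only when the client asked
    # for an upgrade; otherwise send no Connection header so the HTTP/1.1
    # upstream connection stays keep-alive.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      '';
    }

    # NOTE on inheritance: proxy_set_header directives are inherited from an
    # enclosing level ONLY if a location defines none of its own. Every
    # location here defines at least one, so an http-level proxy_set_header
    # (as the original had for X-Forwarded-Proto and Connection "") never
    # applied inside them. The common headers are therefore spelled out in
    # each location.

    # The ${...} hostnames are placeholders that must be substituted before
    # nginx reads this file (nginx does not expand environment variables).

    # Main Production Frontend
    server {
        listen 443 ssl;
        server_name ${FRONTEND_HOST_NAME};

        location / {
            proxy_pass http://frontend/;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # WebSocket support (proxy_http_version 1.1 is set globally below).
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

    # Production Backend API
    server {
        listen 443 ssl;
        server_name ${BACKEND_HOST_NAME};

        # /docs and /redoc are served by this location with the same upstream
        # and an unchanged URI, so separate locations for them are unnecessary
        # (the originals also dropped every header set here).
        location / {
            proxy_pass http://backend/;
            proxy_set_header Host              ${BACKEND_HOST_NAME};
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # nginx forwards Authorization by default; kept explicit as in the
            # original, it is harmless.
            proxy_set_header Authorization     $http_authorization;
            # Empty Connection header = keep-alive to the upstream; the
            # original intended this globally for Kerberos SPNEGO, but it was
            # never inherited here (see NOTE above).
            proxy_set_header Connection        "";
        }
    }

    # Canvas Service
    server {
        listen 443 ssl;
        server_name ${CANVAS_HOST_NAME};

        location / {
            # Proxy requests to the Canvas container (using Docker DNS).
            proxy_pass http://canvas/;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Connection        "";
        }
    }

    # PGAdmin Interface
    server {
        listen 443 ssl;
        server_name ${PGADMIN_HOST_NAME};

        location / {
            proxy_pass http://pgadmin/;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Connection        "";
            proxy_cookie_path / /;
        }
    }

    # HTTP to HTTPS redirect for all services
    server {
        listen 80;
        server_name ${FRONTEND_HOST_NAME} ${BACKEND_HOST_NAME} ${CANVAS_HOST_NAME} ${PGADMIN_HOST_NAME};
        return 301 https://$host$request_uri;
    }

    # Global proxy settings. These single-value directives inherit normally
    # (unlike proxy_set_header), so they apply to every location above.
    proxy_read_timeout    300;
    proxy_connect_timeout 300;
    proxy_send_timeout    300;

    # HTTP/1.1 to the upstreams is required both for WebSocket upgrades and
    # for the keep-alive connections Kerberos SPNEGO authentication relies on.
    proxy_http_version 1.1;
}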