nginx-proxy: cannot load certificate, Expecting: TRUSTED CERTIFICATE

Cannot run HTTPS on the 1.3.1 image due to the following startup error:

nginx-proxy_1  | nginx.1     | 2023/08/18 15:59:31 [error] 46#46: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: <IP>, server: 0.0.0.0:8881

This is the Docker compose to reproduce it:

version: '2'

services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy:1.3.1
    network_mode: "host"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /tmp/nginx:/etc/nginx/conf.d
      - /etc/pki/tls/certs/:/etc/nginx/certs/:ro
    environment:
      - HTTP_PORT=8879
      - HTTPS_PORT=8881


  whoami:
    image: jwilder/whoami
    network_mode: "host"
    environment:
      - VIRTUAL_HOST=dtapi.domain.com
      - VIRTUAL_PORT=8000
      - VIRTUAL_PATH=/whoami

  # Sample hello world web service serving on port 8001
  hello:
    image: tutum/hello-world
    network_mode: "host"
    environment:
      - VIRTUAL_HOST=dtapi.domain.com
      - VIRTUAL_PORT=80
      - VIRTUAL_PATH=/hello

For reference these are the crt and key files (REDACTED):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            <REDACTED>
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=<REDACTED>
        Validity
            Not Before: Sep 13 10:23:24 2022 GMT
            Not After : Aug 28 10:23:24 2025 GMT
        Subject: CN=vmk-dtapi-01
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:<REDACTED>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                <REDACTED>
            X509v3 Authority Key Identifier:
                keyid: <REDACTED>
                DirName:/CN=<REDACTED>
                serial:<REDACTED>

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:vmk-dtapi-01, DNS:vmk-dtapi-01.domain.com, IP Address:
    Signature Algorithm: sha512WithRSAEncryption
-----BEGIN CERTIFICATE-----
<REDACTED>
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
REDACTED
-----END PRIVATE KEY-----

Tried using a crt file produced with openssl x509 -in dtapi.domain.com.crt --trustout -out dtapi.domain.com.crt without any change of output.

About this issue

  • State: open
  • Created 10 months ago
  • Reactions: 6
  • Comments: 19 (4 by maintainers)

Most upvoted comments

Found a workaround, which does not correspond to what the README states. If you name the crt and key files as “default.crt” or “default.key” as per https://github.com/nginx-proxy/nginx-proxy/blob/main/nginx.tmpl#L14C77-L14C77, it seems to work fine with the latest version.

So, either fix the template or update the README.

Glad you found the issue 👍

If I had to use certbot with nginx-proxy I think I would use the post renewal hook to put the certificates where they should be (with the correct name) and trigger docker-gen and/or reload the nginx config.

The recommended way to get a TLS certificate from an ACME CA with nginx-proxy is still to use nginx-proxy/acme-companion.

HINT: Apparently I did something wrong in the first place. With

openssl req -x509 -newkey rsa:4096 -keyout <hostname>.key -out <hostname>.crt -sha256 -days 3650 -nodes -subj "/C=...ST=.../L=.../O=.../OU=.../CN=..."

it worked.
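The thread above turns on two separate things: which file name nginx-proxy picks up (the README documents `<VIRTUAL_HOST>.crt`/`.key`, the first comment found `default.crt`/`default.key` to work), and whether the file nginx is handed actually contains a PEM block. OpenSSL's "no start line" means its PEM reader found no `-----BEGIN ... -----` marker at all; an empty file, a file holding only the `openssl x509 -text` dump, or an empty inline `data:` value (the error line quotes `"data:"` with nothing after it) all produce it. The pre-flight script below is an added example, not code from the issue or from the nginx-proxy project. It assumes OpenSSL 1.1.1 or later (for `-addext`) and the two function names `make_demo_certs` and `check_pem_pair` are mine. It builds a self-signed pair with the same `openssl req -x509` shape as the last comment, then checks file naming, the presence of a PEM certificate block, parseability of cert and key, that the key matches the cert, and that the SAN names the vhost.

```shell
#!/bin/sh
# Pre-flight check for certificate files mounted into /etc/nginx/certs.
# Added example, not nginx-proxy's own code; assumes openssl 1.1.1+ (-addext).
set -eu

# make_demo_certs DIR HOST
# Creates a constructed self-signed pair DIR/HOST.crt and DIR/HOST.key with the
# same `openssl req -x509 -newkey ... -nodes` shape as the comment above, plus a
# subjectAltName for HOST so browsers would accept the name.
make_demo_certs() {
  dir=$1; host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$dir/$host.key" -out "$dir/$host.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# check_pem_pair CERTDIR VIRTUAL_HOST
# Returns 0 if nginx-proxy can find and load a usable cert/key for VIRTUAL_HOST,
# otherwise prints the first problem found and returns 1.
check_pem_pair() {
  certdir=$1; vhost=$2

  # File selection: <VIRTUAL_HOST>.crt/.key as the README names them, else the
  # default.crt/.key fallback the comment above found the template picks up.
  if [ -f "$certdir/$vhost.crt" ] && [ -f "$certdir/$vhost.key" ]; then
    crt=$certdir/$vhost.crt; key=$certdir/$vhost.key
  elif [ -f "$certdir/default.crt" ] && [ -f "$certdir/default.key" ]; then
    crt=$certdir/default.crt; key=$certdir/default.key
  else
    echo "FAIL: neither $vhost.crt/.key nor default.crt/.key found in $certdir"
    return 1
  fi

  # "no start line" = no -----BEGIN marker. PEM_read_bio_X509_AUX accepts both
  # CERTIFICATE and TRUSTED CERTIFICATE headers, so check for either.
  if ! grep -q -e '-----BEGIN CERTIFICATE-----' \
               -e '-----BEGIN TRUSTED CERTIFICATE-----' "$crt"; then
    echo "FAIL: $crt contains no PEM certificate block"
    return 1
  fi

  # Does OpenSSL itself parse both files?
  if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
    echo "FAIL: $crt is not a parseable X.509 certificate"; return 1
  fi
  if ! openssl pkey -in "$key" -noout >/dev/null 2>&1; then
    echo "FAIL: $key is not a parseable private key"; return 1
  fi

  # Does the key belong to the certificate? Compare the two public keys.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ "$crt_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match $crt"; return 1
  fi

  # Does the certificate name the vhost? Warning only: nginx-proxy selects by
  # file name, but clients validate the SAN against the host they requested.
  if ! openssl x509 -in "$crt" -noout -text | grep -qF "DNS:$vhost"; then
    echo "WARN: $crt has no SAN entry for $vhost"
  fi

  echo "OK: $crt + $key usable for $vhost"
}

# Stand-alone demo: a good pair, a vhost with no matching files, and a "cert"
# file that holds only the -text dump (the same shape as the paste above).
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_certs "$d" dtapi.domain.com
  check_pem_pair "$d" dtapi.domain.com
  check_pem_pair "$d" other.domain.com || true
  openssl x509 -in "$d/dtapi.domain.com.crt" -noout -text > "$d/dump.crt"
  cp "$d/dtapi.domain.com.key" "$d/dump.key"
  check_pem_pair "$d" dump || true
  rm -rf "$d"
fi
```

Run it as `sh check_certs.sh demo` to see the three outcomes, or call `check_pem_pair /etc/pki/tls/certs dtapi.domain.com` against the directory you mount into the container before starting it; the name check is the part that would have caught the situation in this issue without restarting nginx.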