Why does NGINX throw `cannot load certificate "data:": PEM_read_bio_X509_AUX() Expecting: TRUSTED CERTIFICATE`?

omqzjyyz, posted 2023-05-28 in Nginx

I am trying to set up a local HTTPS development environment with Django-Cookiecutter and docker. I followed the documentation and used mkcert; however, I realized that additional NGINX configuration is needed for the .pem files to work. After configuring what I believe are the correct settings, I now get the following error from NGINX:

nginx.1     | 2023/05/24 20:56:23 [error] 37#37: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 42#42: *2 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 40#40: *3 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 39#39: *4 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443

I have spent the better part of 10 hours trying to figure out how to fix this and have reached the point of spinning my wheels. Every suggestion I have tried has made no difference to my problem, and I have exhausted every thread I thought was relevant.
What I have tried so far (non-exhaustive):

  • Recreated the cert/key files countless times
  • Installed and reinstalled mkcert countless times
  • Rebuilt my docker compose countless times
  • Edited, simplified, and tested far too many NGINX configs
  • Started from a blank project

Here are the relevant parts of the project:

nginx.conf (current config)

server {
    listen 80;
    server_name localhost;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/certs/localhost.pem;
    ssl_certificate_key /etc/nginx/certs/localhost-key.pem;

    location / {
        proxy_pass http://django:8000;   # name of django docker container
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Note: This was added because NGINX does not automatically accept the *.pem files from mkcert.

docker-compose.yml (nginx section)
nginx:
    build:
      context: .
      dockerfile: ./compose/local/nginx/Dockerfile
    container_name: local_nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs
    depends_on:
      - django
Note: django is my Django app. It works; I can reach it at localhost:8000 without issue and can curl it from the nginx container without issue.

./compose/local/nginx/Dockerfile
FROM jwilder/nginx-proxy:latest

RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d
Note: This was added because NGINX does not automatically accept the *.pem files from mkcert.

openssl x509 -text -noout -in localhost.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:0c:b3:f7:2a:8b:f9:f7:0f:90:69:8f:63:4c:2a:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = mkcert development CA, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman), CN = mkcert dakotahorstman@dur10469-ubuntu (Dakota Horstman)
        Validity
            Not Before: May 24 20:52:44 2023 GMT
            Not After : Aug 24 20:52:44 2025 GMT
        Subject: O = mkcert development certificate, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Authority Key Identifier: 
                keyid:AB:28:4B:C0:36:99:06:7A:D5:FF:CA:EC:83:C6:1D:F3:B6:85:3F:17

            X509v3 Subject Alternative Name: 
                DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

openssl rsa -in localhost-key.pem -check

RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Chrome page [screenshot]

lhcgjxsq (answer 1)

For whatever reason, the jwilder/nginx-proxy:latest image does not work, while the nginx image does. Without changing any other files, just change the Dockerfile to the following.

FROM nginx

RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d
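
A quick way to read the question's error line against the configuration you think nginx is using, as an added example that is not part of the question or the answer: nginx accepts `ssl_certificate data:$variable` for inline certificates (since 1.15.10), so a loaded path of `"data:"` with nothing after it means the worker was running a generated configuration, not the `nginx.conf` above, which is consistent with the base image being the cause. The log line and config fragment are constructed from the question; `diagnose` and `pem_has_certificate` are hypothetical helpers.

```python
import re

# Constructed sample input: one error line from the question and the
# ssl_certificate directives from the question's nginx.conf.
NGINX_ERROR_LINE = (
    '2023/05/24 20:56:23 [error] 37#37: *1 cannot load certificate "data:": '
    'PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:'
    'no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, '
    'client: 172.19.0.1, server: 0.0.0.0:443'
)
NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/certs/localhost.pem;
    ssl_certificate_key /etc/nginx/certs/localhost-key.pem;
}
"""

# Fields of an nginx "cannot load certificate" line: worker pid, the path (or
# data: URI) nginx actually tried to load, the OpenSSL call and its reason.
LOG_RE = re.compile(
    r'\[(?P<level>\w+)\] (?P<pid>\d+)#\d+: \*\d+ cannot load certificate '
    r'"(?P<path>[^"]*)": (?P<func>\w+)\(\) failed \(SSL: (?P<reason>[^)]*)\)'
)
# ssl_certificate only; ssl_certificate_key is excluded by the required whitespace.
CERT_DIRECTIVE_RE = re.compile(r'^\s*ssl_certificate\s+(\S+);', re.M)


def parse_cert_error(line):
    """Return the parsed fields of a certificate-load error line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def configured_cert_paths(conf_text):
    """All ssl_certificate values in the config text you believe nginx runs."""
    return CERT_DIRECTIVE_RE.findall(conf_text)


def pem_has_certificate(pem_bytes):
    """The 'no start line' check: PEM_read_bio_X509_AUX needs a
    CERTIFICATE or TRUSTED CERTIFICATE block; a key block or empty input fails."""
    return re.search(rb'^-----BEGIN (TRUSTED )?CERTIFICATE-----', pem_bytes, re.M) is not None


def diagnose(line, conf_text):
    """Explain whether the failing path even comes from the config you edited."""
    err = parse_cert_error(line)
    if err is None:
        return "not a certificate-load error"
    wanted = configured_cert_paths(conf_text)
    if err["path"] not in wanted:
        return (f'nginx loaded "{err["path"]}" but your config names {wanted}: '
                'the worker is running a different (generated) config')
    return f'config matches; inspect {err["path"]}: {err["reason"]}'
```

Once the base image is plain nginx, the `/var/run/docker.sock` mount in the compose file serves nothing inside the container; it exists for nginx-proxy's docker-gen and hands the container control of the host's Docker daemon, so it can be dropped.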
