2023-09-29

nginx failing to load ssl certificate

The Problem

I used mkcert -install then mkcert my-dev-env.local 127.0.0.1 localhost to make local SSL certificates for a Django project using Docker on Windows but get a "This site can’t provide a secure connection" error when I try to access https://localhost. In the Docker log the output was:

2023-09-26 18:19:47 nginx.1     | 2023/09/27 00:19:47 [error] 38#38: *10 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.18.0.1, server: 0.0.0.0:443

What I Tried

Followed the directions to set up a new Django project with Docker using the Cookiecutter-Django template. Did everything down through the "Run the Stack" section, and the local development website looked good on localhost.

Skipped down to "Developing locally with HTTPS" section and followed those directions. The directions don't specify how to change the files from .pem to .crt or .key, but I just renamed them on the first try. The rest of the template website still works fine, but when I go to https://localhost I get a "This site can’t provide a secure connection" error.

I tried changing:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

to

-----BEGIN TRUSTED CERTIFICATE-----
...
-----END TRUSTED CERTIFICATE-----

in a text editor and still got the same error messages as above.

I tried using openssl to change the files from .pem to .crt and .key while using the -trustout command as recommended in this answer, but got the same error message.

$ openssl x509 -in my-dev-env.local.pem -trustout -out my-dev-env.local.crt
$ openssl rsa -in my-dev-env.local-key.pem -out my-dev-env.local.key

I tried validating the keys as recommended in this answer, both before and after the above changes, and there were never any errors doing this.

$ openssl x509 -noout -text -in my-dev-env.crt
$ openssl rsa -noout -text -in my-dev-env.key

I tried a number of other things that probably make no sense, but I don't really know what I'm doing. The only one that might be interesting is when I put TRUSTED with BEGIN CERTIFICATE but not END CERTIFICATE, either before rebuilding and running the Docker stack, in which case the error read "This site can’t be reached", or without rebuilding the stack and just restarting the nginx container, which would get an infinitely repeating error in the Docker log that reads:

2023-09-26 18:50:55 nginx.1     | 2023/09/27 00:50:55 [emerg] 452#452: cannot load certificate "/etc/nginx/certs/my-dev-env.local.crt": PEM_read_bio_X509_AUX() failed (SSL: error:04800066:PEM routines::bad end line)

Here the problem is obviously the bad end line, but at least it shows it is trying to access the correct key.
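
The two OpenSSL errors quoted in the post, "no start line" and "bad end line", both concern the -----BEGIN/-----END lines of a PEM file. The shell function below is an added example, not part of the original post: it classifies a file's armor lines against the labels OpenSSL accepts for a certificate. The name pem_armor_check and the sample files are constructed, and it checks only the armor, not the certificate body or which file nginx is actually reading.

```shell
#!/bin/sh
# Added example (not from the original post): classify the BEGIN/END armor
# lines of a PEM file using the wording of the two nginx log messages.
# Prints "ok: <label>", "no start line" or "bad end line".
pem_armor_check() {
    awk '
    { sub(/\r$/, "") }                  # tolerate CRLF from Windows editors
    !open && /^-----BEGIN .+-----$/ {
        label = substr($0, 12, length($0) - 16)
        # Labels OpenSSL accepts when it is asked to read a certificate;
        # any other block (for example a private key) is skipped.
        if (label == "CERTIFICATE" || label == "TRUSTED CERTIFICATE" ||
            label == "X509 CERTIFICATE") { open = 1; begin = label }
        next
    }
    open && /^-----END .+-----$/ {
        label = substr($0, 10, length($0) - 14)
        # The END label must repeat the BEGIN label exactly.
        result = (label == begin) ? ("ok: " begin) : "bad end line"
        exit
    }
    END {
        # Simplification: a block that is never closed is reported the
        # same way as a mismatched END line.
        if (result == "") result = open ? "bad end line" : "no start line"
        print result
    }' "$1"
}

# Constructed samples: the body is a placeholder, only the armor matters.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo_dir/good.crt"
printf '%s\n' '-----BEGIN TRUSTED CERTIFICATE-----' 'PLACEHOLDER' \
    '-----END CERTIFICATE-----' > "$demo_dir/mixed.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END PRIVATE KEY-----' > "$demo_dir/key-as-cert.crt"

for f in good mixed key-as-cert; do
    printf '%s: %s\n' "$f" "$(pem_armor_check "$demo_dir/$f.crt")"
done
```

The mixed.crt sample mirrors the edit described in the post, where only the BEGIN line was changed to TRUSTED CERTIFICATE.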


