[Nginx] ssh CA certificate error (but not with Apache)
Created by: simkin
I am unable to use Nginx as a reverse proxy due to a certificate error:
[lmolenaar@VM-TEST-SuSE:~/.ssh] $ssh -T [email protected]
The authenticity of host 'gitlab.xxx.xxx (172.16.8.224)' can't be established.
RSA key fingerprint is b9:34:b6:51:bb:bd:9a:xx:xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'gitlab.xxx.xxx' (RSA) to the list of known hosts.
Tunnel device open failed.
Could not request tunnel forwarding.
/home/git/ruby/lib/ruby/1.9.1/net/http.rb:800:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from /home/git/ruby/lib/ruby/1.9.1/net/http.rb:800:in `block in connect'
from /home/git/ruby/lib/ruby/1.9.1/timeout.rb:55:in `timeout'
from /home/git/ruby/lib/ruby/1.9.1/timeout.rb:100:in `timeout'
from /home/git/ruby/lib/ruby/1.9.1/net/http.rb:800:in `connect'
from /home/git/ruby/lib/ruby/1.9.1/net/http.rb:756:in `do_start'
from /home/git/ruby/lib/ruby/1.9.1/net/http.rb:745:in `start'
from /home/git/gitlab-shell/lib/gitlab_net.rb:62:in `get'
from /home/git/gitlab-shell/lib/gitlab_net.rb:24:in `discover'
from /home/git/gitlab-shell/lib/gitlab_shell.rb:77:in `user'
from /home/git/gitlab-shell/lib/gitlab_shell.rb:82:in `username'
from /home/git/gitlab-shell/lib/gitlab_shell.rb:36:in `exec'
from /home/git/gitlab-shell/bin/gitlab-shell:16:in `<main>'
I suspect the problem is with the CA certificate file, which is indeed mandatory for Apache (otherwise I have the same issue).
Working Apache config:
<VirtualHost *:443>
    ServerName gitlab.xxx.xxx
    ServerAdmin [email protected]
    SSLEngine On
    SSLCertificateFile /etc/httpd/conf/certs/domain.cer
    SSLCertificateKeyFile /etc/httpd/conf/certs/domain.key
    SSLCaCertificateFile /etc/httpd/conf/certs/AlphaSSLroot.crt
    ProxyPass /uploads !
    ProxyPass /error !
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    ProxyPreserveHost On
    CustomLog /var/log/httpd/gitlab/access.log combined
    ErrorLog /var/log/httpd/gitlab/error.log
    # Modify path to your needs (needed for downloading attachments)
    DocumentRoot /home/git/gitlab/public
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>
The Nginx configuration:
server {
    listen 443 ssl;
    server_name gitlab.xxx.xxx;
    server_tokens off;
    root /home/git/gitlab/public;
    ssl on;
    ssl_certificate /etc/httpd/conf/certs/domain.cer;
    ssl_certificate_key /etc/httpd/conf/certs/domain.key;
    ssl_client_certificate /etc/httpd/conf/certs/AlphaSSLroot.crt;
    ssl_protocols SSLv3 TLSv1 TLSv1.2;
    ssl_ciphers AES:HIGH:!ADH:!MD5;
    ssl_prefer_server_ciphers on;
    # individual nginx logs for this gitlab vhost
    access_log /var/log/nginx/gitlab_access.log;
    error_log /var/log/nginx/gitlab_error.log;
    location / {
        # serve static files from defined root folder.
        # @gitlab is a named location for the upstream fallback, see below
        try_files $uri $uri/index.html $uri.html @gitlab;
    }
I thought the Nginx "ssl_client_certificate" is the equivalent of the Apache "SSLCaCertificateFile", but I still cannot get it to work with Nginx.
Any suggestions are appreciated :)
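Added example (editor's own, not code from simkin's post or from the GitLab project): two shell helpers for checking and assembling the certificate chain behind the error above. The Nginx behaviour they rely on is the documented one: `ssl_client_certificate` names the CA bundle Nginx uses to verify *client* certificates and has no effect on what the server presents, and Nginx has no separate chain directive, so the file given to `ssl_certificate` must hold the server certificate first, followed by the intermediate CA certificate(s). `show_served_chain` needs `openssl` and network access; it counts the certificates a host actually sends and prints OpenSSL's verify result (a missing intermediate usually appears as "unable to verify the first certificate" or "unable to get local issuer certificate"). `build_chain` concatenates PEM files in the order given and refuses any input that is not exactly one certificate block, so a private key can never end up in the bundle. The file names and the placeholder PEM bodies used by `demo` are constructed and are not real certificates.

```bash
#!/bin/sh
# Added example: check the chain a TLS server sends, and build the bundle Nginx
# expects in ssl_certificate (server cert first, then intermediates).
set -u

# Print how many certificates HOST sends and OpenSSL's verify result.
# Requires the openssl CLI and network access; -servername sends SNI and
# </dev/null closes stdin so s_client exits once the handshake is done.
show_served_chain() {
    host="$1"; port="${2:-443}"
    out=$(openssl s_client -connect "${host}:${port}" -servername "${host}" -showcerts </dev/null 2>/dev/null) || return 1
    printf 'certificates sent by server: %s\n' \
        "$(printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----')"
    printf '%s\n' "$out" | grep 'Verify return code'
}

# Number of "-----BEGIN <type>-----" blocks in a PEM file (prints 0 if none,
# prints nothing if the file is unreadable).
pem_block_count() {
    grep -c -- "^-----BEGIN $2-----\$" "$1" || true
}

# Write a chain bundle to stdout. Argument order is the bundle order, so pass
# the server certificate first, then the intermediate CA certificate(s).
# Rejects files that are not exactly one CERTIFICATE block or that carry a key:
# the private key belongs in ssl_certificate_key only, never in the bundle.
build_chain() {
    for file in "$@"; do
        if [ "$(pem_block_count "$file" CERTIFICATE)" != 1 ]; then
            printf 'build_chain: %s must contain exactly one CERTIFICATE block\n' "$file" >&2
            return 1
        fi
        if grep -q -- 'PRIVATE KEY-----' "$file"; then
            printf 'build_chain: %s contains a private key; keep it out of the bundle\n' "$file" >&2
            return 1
        fi
    done
    cat -- "$@"
}

# Offline demonstration with constructed placeholder PEM blocks (not real
# certificates): the bundle is emitted leaf-first, and a key is refused.
demo() {
    dir=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nTEVBRi1QTEFDRUhPTERFUg==\n-----END CERTIFICATE-----\n' > "$dir/domain.cer"
    printf -- '-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFLVBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n' > "$dir/intermediate.crt"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nS0VZLVBMQUNFSE9MREVS\n-----END RSA PRIVATE KEY-----\n' > "$dir/domain.key"
    build_chain "$dir/domain.cer" "$dir/intermediate.crt"       # two-certificate bundle
    ! build_chain "$dir/domain.cer" "$dir/domain.key" 2>/dev/null  # rejected: key in bundle
    rm -rf "$dir"
}

# Usage:  chain.sh demo
#         chain.sh chain domain.cer intermediate.crt > domain-chain.cer
#         chain.sh serve gitlab.example.test [port]
case "${1:-demo}" in
    demo)  demo ;;
    chain) shift; build_chain "$@" ;;
    serve) shift; show_served_chain "$@" ;;
esac
```

Typical use is `chain.sh chain domain.cer <intermediate>.crt > domain-chain.cer`, pointing `ssl_certificate` at the resulting bundle (leaving `ssl_certificate_key` as it is), then `chain.sh serve gitlab.xxx.xxx` to confirm that two certificates are now sent and the verify return code is 0. Note that the root certificate does not need to be in the bundle; it is the intermediate that clients usually lack. Separately, `ssl_protocols SSLv3 ...` in the posted config enables a protocol version that is deprecated and that current clients refuse; a TLS-only list is the safer floor.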