SSL cert not working

[aptgetd]

Hi,

I've followed the install down to a T but for some reason HTTPS is warning that it's not secure.

1. I've disabled iptables on the server to avoid any possible issues
2. Verified that my root cert, host cert (.crt) and private key (.key) are good and are located in the correct location

Below is my /etc/nginx/sites-enabled/netbox

server {
listen [::]:443 ssl ipv6only=off;

# CHANGE THIS TO YOUR SERVER'S NAME
server_name netbox.example.com;

ssl_certificate /etc/ssl/certs/netbox_example_com.crt;
ssl_certificate_key /etc/ssl/private/netbox_example_com.key;

client_max_body_size 25m;

location /static/ {
    alias /opt/netbox-3.6.6/netbox/static/;
}

location / {
    proxy_pass http://10.3.3.100:8001;
    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
}

}

server {
# Redirect HTTP traffic to HTTPS
listen [::]:80 ipv6only=off;
server_name _;
return 301 https://$host$request_uri;
}

Any pointers will be appreciated.

Thanks,
Sky

[markkuleinio]

ssl_certificate /etc/ssl/certs/netbox_example_com.crt;

Are you sure you have the intermediate certificate there as well? Assuming your cert is provided by public CA.

If you have a private CA, the same question + is your root CA cert installed on the client?

[aptgetd]

Thanks Mark. Yes, I do have my CA and intermediate certificates installed on the client. I can hit other hosts issued by the same CA with no issues. The host certificate is issued by internal PKI. Not sure what else I could be missing?

Sky

[markkuleinio]

In the client you only need the root (= the trust anchor).

In the server you need to make Nginx offer both the server certificate and the intermediate certificate, concatenated in the same crt file.

This is the usual way of ensuring the trust chain is complete.

Have you compared the certificate output of your browser to the output with the other sites that are working fine?

[aptgetd]

BTW, the certificate is issued by the CA, hence there's no intermediate certificate in the picture. When comparing with other working internal sites what's interesting I do not see my CA listed under Certificate Hierarchy for netbox, although, my CA is located on my netbox, see below snippet,

root@dmz-netbox:/etc/ssl/certs# ls -lg CA*
lrwxrwxrwx 1 root 45 Jan 5 22:12 CACert.pem -> /usr/share/ca-certificates/mozilla/CACert.crt

Sky

[markkuleinio]

The CA certificate files don't matter in the server side: Nginx is not doing anything with it. It is the client that verifies the server-provided certificate against its own trusted root CAs.

So, you are saying that your Nginx provides the correct certificate, showing the correct issuer (= your CA), but your browser (which one? None of my browsers have a view with title "Certificate Hierarchy") doesn't recognize the issuer even though the issuer (= your CA) is installed in the client side?

[aptgetd]

I haven't checked the issuer for my server certificate via openssl. Will confirm. I'm using edge browser (due to company policy).

Sky

[markkuleinio]

Not related to TLS, but:

alias /opt/netbox-3.6.6/netbox/static/;

I'd suggest using the symlinked path /opt/netbox/netbox/static/ there. Otherwise, if you forget to edit this file you will get strange problems after upgrading NetBox.

[aptgetd]

Good point, I will update that.

Sky