[ERROR 502 /] x509: certificate signed by unknown authority

when i access website, the result is: 502 Bad Gateway
here is systemd config & log

Description=Caddy Server

ExecStart=/usr/local/bin/caddy --conf=/etc/caddy/Caddyfile

● caddy.service - Caddy Server
   Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-04-27 01:41:04 EDT; 25s ago
 Main PID: 21451 (caddy)
    Tasks: 7
   Memory: 7.0M
   CGroup: /system.slice/caddy.service
           └─21451 /usr/local/bin/caddy -log=/etc/caddy/log.log -agree=true -email="xxx" --conf=/etc/caddy/Caddyfile

Apr 27 01:41:04 host.localdomain systemd[1]: Starting Caddy Server...
Apr 27 01:41:04 host.localdomain caddy[21451]: Activating privacy features... done.
Apr 27 01:41:04 host.localdomain caddy[21451]: https://xxx.com
Apr 27 01:41:04 host.localdomain caddy[21451]: http://xxx.com
Apr 27 01:41:26 host.localdomain caddy[21451]: 27/Apr/2018:01:41:26 -0400 [ERROR 502 /] x509: certificate signed by unknown authority

Caddyfile is

https://xxx.com {
    filter rule {
        content_type text/html.*
        search_pattern abc
        replacement bbc
    proxy / https://bbb.com {
        header_downstream -Content-Security-Policy
        header_downstream -Strict-Transport-Security
        header_downstream -Public-Key-Pins
        header_downstream -X-XSS-Protection
    tls email

I have already tried updating the system. Updating Caddy Regenerate the certificate.
Remove the configuration of other sites
This problem still occurs.

IP - - [27/Apr/2018:01:24:41 -0400] “GET / HTTP/1.1” 502 40

Hi @ccyy,

The 502 error is pertinent to your proxy. The technical explanation is that when you browsed to your website, Caddy tried to connect to https://bbb.com to retrieve its content for you, but received an invalid response from the server.

Running curl -IL https://bbb.com from the Caddy host will tell you exactly how the website is responding to Caddy.

It looks like Caddy wasn’t able to connect over HTTPS because the certificate presented by the upstream server couldn’t be validated (wasn’t signed by a trusted authority).

1 Like

The result is:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Does this mean that I can’t avoid this issue?
thank you very much.

You can tell Caddy not to verify the upstream certificate, but the downside would be there’s nothing stopping someone between you from impersonating the upstream server. The insecure_skip_verify subdirective does this.


1 Like

Solve the problem and thank you very much. :kissing_heart:

1 Like

No worries, although the best outcome would be to get bbb.com to use a valid certificate so you don’t have to skip verification! Maybe they could use Caddy? :thinking:

Ha BBB I’ll comment on there website :wink:

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.