[ERROR 502 /] x509: certificate signed by unknown authority

When I access the website, the result is: 502 Bad Gateway
Here is the systemd config & log

[Unit]
Description=Caddy Server
After=syslog.target
After=network.target

[Service]
User=root
Group=root
LimitNOFILE=64000
ExecStart=/usr/local/bin/caddy --conf=/etc/caddy/Caddyfile
Restart=always

[Install]
WantedBy=multi-user.target

● caddy.service - Caddy Server
   Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2018-04-27 01:41:04 EDT; 25s ago
 Main PID: 21451 (caddy)
    Tasks: 7
   Memory: 7.0M
   CGroup: /system.slice/caddy.service
           └─21451 /usr/local/bin/caddy -log=/etc/caddy/log.log -agree=true -email="xxx" --conf=/etc/caddy/Caddyfile

Apr 27 01:41:04 host.localdomain systemd[1]: Starting Caddy Server...
Apr 27 01:41:04 host.localdomain caddy[21451]: Activating privacy features... done.
Apr 27 01:41:04 host.localdomain caddy[21451]: https://xxx.com
Apr 27 01:41:04 host.localdomain caddy[21451]: http://xxx.com
Apr 27 01:41:26 host.localdomain caddy[21451]: 27/Apr/2018:01:41:26 -0400 [ERROR 502 /] x509: certificate signed by unknown authority

Caddyfile is

https://xxx.com {
    filter rule {
        content_type text/html.*
        search_pattern abc
        replacement bbc
    }
    proxy / https://bbb.com {
        header_downstream -Content-Security-Policy
        header_downstream -Strict-Transport-Security
        header_downstream -Public-Key-Pins
        header_downstream -X-XSS-Protection
    }
    gzip
    tls email
}

I have already tried updating the system, updating Caddy, regenerating the certificate, and removing the configuration of other sites.
This problem still occurs.
Logfile

IP - - [27/Apr/2018:01:24:41 -0400] "GET / HTTP/1.1" 502 40

Hi @ccyy,

The 502 error is pertinent to your proxy. The technical explanation is that when you browsed to your website, Caddy tried to connect to https://bbb.com to retrieve its content for you, but received an invalid response from the server.

Running curl -IL https://bbb.com from the Caddy host will tell you exactly how the website is responding to Caddy.

It looks like Caddy wasn’t able to connect over HTTPS because the certificate presented by the upstream server couldn’t be validated (wasn’t signed by a trusted authority).

The result is:

curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Does this mean that I can’t avoid this issue?
Thank you very much.

You can tell Caddy not to verify the upstream certificate, but the downside would be there’s nothing stopping someone between you from impersonating the upstream server. The insecure_skip_verify subdirective does this.

https://caddyserver.com/docs/proxy

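An added example, written for this thread and not part of the original posts or of Caddy's code, that reproduces both points above: the diagnosis (Caddy's proxy connects to the upstream with Go's standard TLS client, whose root store is the host's, and fails with the x509 "certificate signed by unknown authority" error when the upstream's CA is not in that store) and the trade-off of insecure_skip_verify (the request goes through, but the client no longer authenticates who it is talking to). Go is used because Caddy is written in Go and the logged error text is Go's. The program builds a constructed private CA and a leaf certificate for a local HTTPS server standing in for bbb.com, then performs the same GET under three client policies: the default system trust store, InsecureSkipVerify, and a root pool holding only the upstream's CA. The third policy is the in-process equivalent of installing the upstream's issuing CA into the Caddy host's trust store, which is the option that keeps verification on. All names (issue, startUpstream, fetch, Compare, Result) and the "Constructed Private CA" are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Result is the outcome of one GET under one client trust policy.
type Result struct {
	Status           int    // HTTP status, 0 when the TLS handshake failed
	Err              string // error text as a proxy would log it, "" on success
	UnknownAuthority bool   // true when the failure was x509.UnknownAuthorityError
}

// issue makes a P-256 key and a certificate for tmpl, signed by parent
// (self-signed when parent is nil). Constructed for this example only.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed: the template signs itself
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// startUpstream plays the role of bbb.com: a local HTTPS server whose leaf
// certificate is signed by a constructed private CA that no trust store contains.
func startUpstream() (*httptest.Server, *x509.Certificate, error) {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Private CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	leaf, leafKey, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "upstream"},
		NotBefore: nb, NotAfter: na, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest binds to loopback
	}, ca, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello from upstream")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return srv, ca, nil
}

// fetch is the proxy side of the exchange: one GET with the given client TLS policy.
func fetch(url string, cfg *tls.Config) Result {
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		var ua x509.UnknownAuthorityError
		return Result{Err: err.Error(), UnknownAuthority: errors.As(err, &ua)}
	}
	resp.Body.Close()
	return Result{Status: resp.StatusCode}
}

// Compare runs three policies against the same upstream: the host trust store
// (the default, fails like the thread's log), insecure_skip_verify (succeeds but
// authenticates nothing), and a pool holding only the upstream's CA (succeeds, verified).
func Compare() (systemRoots, skipVerify, pinnedCA Result, err error) {
	srv, ca, err := startUpstream()
	if err != nil {
		return
	}
	defer srv.Close()
	pinned := x509.NewCertPool()
	pinned.AddCert(ca) // trust exactly this issuer and nothing else
	systemRoots = fetch(srv.URL, &tls.Config{}) // nil RootCAs = the host's trust store
	skipVerify = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	pinnedCA = fetch(srv.URL, &tls.Config{RootCAs: pinned})
	return systemRoots, skipVerify, pinnedCA, nil
}
```

Calling Compare() returns the three results in order; the first carries Status 0 and the same "x509: certificate signed by unknown authority" text that appears in the Caddy log above, while the other two return 200. The difference between the second and third is the security-relevant one: with InsecureSkipVerify the 200 would arrive just as happily from anything answering on that address, whereas the pinned pool still rejects any server whose chain does not end at the expected CA.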
Solved the problem, and thank you very much. :kissing_heart:

No worries, although the best outcome would be to get bbb.com to use a valid certificate so you don’t have to skip verification! Maybe they could use Caddy? :thinking:

Ha, BBB. I'll comment on their website :wink: