0

I have a problem trying to overwrite a certificate using NGINX as a Reverse Proxy forwarding all request to an Apache Server with and old certificate (TLS 1.0)

This is the output for my .conf file:

server { listen 80; server_name provision.metrotel.com.ar; return 301 https://provision.metrotel.com.ar$request_uri; } server { listen 443 ssl http2; server_name provision.metrotel.com.ar; ssl_certificate /etc/nginx/certs/metrotel.crt; ssl_certificate_key /etc/nginx/certs/metrotel.key; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error_prov.log; location / { proxy_pass http://prov.metrotel.com.ar/; proxy_ssl_certificate /etc/nginx/certs/metrotel.crt; proxy_ssl_certificate_key /etc/nginx/certs/metrotel.key; } }

http://prov.metrotel.com.ar/ is the server where the website is located, and it has and old certificate. Is there a way to overwrite that cert, using the one I have in my nginx reverse proxy.

I´ve tried several options what I alway get the "NET::ERR_SSL_OBSOLETE_VERSION"

Client Chrome on (172.20.1.4)

Proxy (Nginx on srv-nginx-a.metrotel.local -192.168.151.112)

Backend (prov.metrotel.com.ar) 192.168.59.20

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes 11:50:59.260014 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [S], seq 979144705, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 4], length 0 11:50:59.260165 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [S.], seq 3107298579, ack 979144706, win 29200, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0 11:50:59.260397 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1, win 1825, length 0 11:50:59.282128 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1:536, ack 1, win 1825, length 535 11:50:59.282204 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 536, win 237, length 0 11:50:59.282659 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1:153, ack 536, win 237, length 152 11:50:59.282869 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 153, win 1892, length 0 11:50:59.293101 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 536:587, ack 153, win 1892, length 51 11:50:59.332644 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 587, win 237, length 0 11:50:59.332935 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 587:1300, ack 153, win 1892, length 713 11:50:59.332967 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [.], ack 1300, win 248, length 0 11:50:59.333185 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [S], seq 1924765737, win 29200, options [mss 1460,sackOK,TS val 180831520 ecr 0,nop,wscale 7], length 0 11:50:59.333584 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [S.], seq 4244116336, ack 1924765738, win 5792, options [mss 1460,sackOK,TS val 3558238853 ecr 180831520,nop,wscale 7], length 0 11:50:59.333605 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 0 11:50:59.333639 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS val 180831521 ecr 3558238853], length 756: HTTP: GET / HTTP/1.0 11:50:59.333915 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0 11:50:59.334144 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 519: HTTP: HTTP/1.1 302 Found 11:50:59.334157 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0 11:50:59.334169 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0 11:50:59.334236 IP srv-nginx-a.metrotel.local.53190 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS val 180831521 ecr 3558238854], length 0 11:50:59.334272 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 153:1048, ack 1300, win 248, length 895 11:50:59.334438 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53190: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238854 ecr 180831521], length 0 11:50:59.373720 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1048, win 2004, length 0 11:50:59.407267 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [P.], seq 1300:2013, ack 1048, win 2004, length 713 11:50:59.407531 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [S], seq 3919551832, win 29200, options [mss 1460,sackOK,TS val 180831594 ecr 0,nop,wscale 7], length 0 11:50:59.407867 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [S.], seq 2604868674, ack 3919551833, win 5792, options [mss 1460,sackOK,TS val 3558238928 ecr 180831594,nop,wscale 7], length 0 11:50:59.407897 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 0 11:50:59.407950 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [P.], seq 1:757, ack 1, win 229, options [nop,nop,TS val 180831595 ecr 3558238928], length 756: HTTP: GET / HTTP/1.0 11:50:59.408211 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0 11:50:59.408605 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [P.], seq 1:520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 519: HTTP: HTTP/1.1 302 Found 11:50:59.408627 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [.], ack 520, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0 11:50:59.408642 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [F.], seq 520, ack 757, win 58, options [nop,nop,TS val 3558238928 ecr 180831595], length 0 11:50:59.408711 IP srv-nginx-a.metrotel.local.53192 > 192.168.59.20.http: Flags [F.], seq 757, ack 521, win 237, options [nop,nop,TS val 180831596 ecr 3558238928], length 0 11:50:59.408748 IP srv-nginx-a.metrotel.local.https > 172.20.1.4.19710: Flags [P.], seq 1048:1943, ack 2013, win 259, length 895 11:50:59.408974 IP 192.168.59.20.http > srv-nginx-a.metrotel.local.53192: Flags [.], ack 758, win 58, options [nop,nop,TS val 3558238929 ecr 180831596], length 0 11:50:59.408994 IP 172.20.1.4.19710 > srv-nginx-a.metrotel.local.https: Flags [.], ack 1943, win 2116, length 0
Improve this question
7
  • It is unclear for me what you are really doing and there is nothing reproducible here (domains don't resolve in DNS). Where exactly you get this error, what URL you are trying to access exactly, with which tool? Also TLS 1.0 is not an old certificate, but an old TLS protocol version. And in your config you don't even access the internal site by HTTPS, just http://... . Commented Aug 11, 2021 at 19:23
  • Steffen, those domains are local domains, they are not accesible from Internet. What I want to do is using a nginx as a proxy to type provision.metrotel.com.ar in my browser, and when nginx reads that URL, it will send it to prov.metrotel.com.ar. My bad on pointing TLS 1.0 as an old certificate, it´s an old protocol, you´re right. I got that error in prov.metrotel.com.ar (the hosting server) Ig I change the proxy_pass to prov.metrotel.com.ar I get the same NET::ERR_SSL_OBSOLETE_VERSION. My question is if there is a way to "overwrite" TLS 1.0 with TLS 1.2 with the proxy Commented Aug 11, 2021 at 19:41
  • "If I change the proxy_pass to prov.metrotel.com.ar I get the same NET::ERR_SSL_OBSOLETE_VERSION." - again, it is not clear where you get this error (client, nginx log ...) and URL and client your are using exactly for testing. The URL used by the client must of course be the one served by nginx (provision...), not the original one served by Apache (prov...). Commented Aug 11, 2021 at 20:17
  • It's not really 'overwriting'. With any proxy, including nginx, there are two different TLS-formerly-SSL connections, one from client (browser etc) to proxy, one from proxy to backend server. These two connections and their properties are completely separate, although the HTTP-level data received on one is forwarded to the other. Can you get a capture with wireshark or similar, preferably on or as near as possible to the proxy (nginx) machine? Commented Aug 12, 2021 at 0:06
  • Hi guys, thanks por your help. Tomorrow I´ll take a debug and post it here. Using TLS 1.2 and TLS 1.3 in the listen 443 ssl, keeps showing the NET::ERR_SSL_OBSOLETE_VERSION. The message that is shown in the browser is sent from the backend Server (prov.metrotel.com.at). It´s the same error in Chrome, Firefox and Opera. I use provision.metrotel.com.ar as the URL in the client, so the redirect is working OK, but I can´t dump the TLS v1.0 and "upgrade" it to TLS v1.2 1.- Client to Proxy is TLS v1.2 2.- Proxy to Backend is TLS v1.0 3.- Client to Backend finally is TLS v1.0 :( Commented Aug 12, 2021 at 3:52

2 Answers 2

Reset to default
1

Try turning on TLS1.2 and 1.3 by adding ssl_protocols TLSv1.2 TLSv1.3; to your server section, like this:

server { listen 80; server_name provision.metrotel.com.ar; return 301 https://provision.metrotel.com.ar$request_uri; ssl_protocols TLSv1.2 TLSv1.3; }
Improve this answer
1
  • In an http (listen 80) server that's not going to do anything. It would only have an effect in the https (listen 443) server, but the default should already include up to 1.2 which should make Chrome happy. Commented Aug 12, 2021 at 0:05
0

On wireshark pcap Connection between Client (Chrome) and Proxy (Nginx) is TLS 1.2. The other part (Nginx-Apache old TLS) is only HTTP. Proxy is working OK, theres "no" connection between Client and Server, proxy is always in the middle.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.