SSL Errors 0200107B & 2006D002 in Windows

Posted on 2014-12-29
Last Modified: 2016-07-14
Hey Guys -

I've been wanting to set up a reverse proxy on my home server for a while.  After reading an article about it the other day, i decided to give it a shot.  The article mentioned using Nginx so that's what I choose.  Even though that's what I'm using, I don't think my issue is Nginx, itself...

There's really no installation as it's a command line tool, so I extracted it, ran it, and it worked.  The only thing I needed to do extra was add SSL support.  That's where the nightmare began.

When I try to start Nginx, I get the below error:
2014/12/29 15:27:20 [emerg] 52308#53176: BIO_new_file("C:
ginx-1.6.2\cert.crt") failed (SSL: error:0200107B:system library:fopen:Unknown error:fopen('C:
ginx-1.6.2\cert.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)

Open in new window

I then downloaded & installed OpenSSL x32 (even though I use Windows 8.1 x64) and added it's "bin" folder to my path, but it didn't change anything,  I've also made a post on Nginx's forum, but so far I haven't had any luck whatsoever.

When researching, I found out that there's a build of Nginx for Windows so downloaded it.  it also already includes SSL configurations in it's config file instead of me having to manually add them.  I made 3-4 changes to the conf file simply to specify the path/names of my certs.  When I started it, I got the exact same error.

My cert is from GoDaddy and is tied to my home's public domain name.  I also have a hosts entry in my router which forwards all local traffic to my home domain name to the local ip of my server which runs Windows 8.1 x64.  I'm needing SSL as not only do I want to access the reverse proxy via HTTPS, but all the apps I'm forwarding to use SSL and require logins.

Note:  I didn't generate the key file using OpenSSL, but with Windows.  I did this a while back before I know I'd use OpenSSL.  I have used OpenSSL commands to verify that the cert is good, though.

Any ideas?  Thanks!
Question by:BzowK
  • 3
LVL 61

Expert Comment

ID: 40522755
You specify cert path incorrectly
Is relative to yopur current directory. Must be like c:/niginx/...

Author Comment

ID: 40551339
Finally figured it out, but that wasn't the issue.  Thanks, though.

Expert Comment

ID: 41626952
BzowK, what was the solution? I am banging my head on the same issue.

Accepted Solution

BzowK earned 0 total points
ID: 41700652
Sorry for late reply, but solution was to use Apache 2.4 for Windows.  Below is an overview of what's needed to do so:

1. Download Apache for Windows 2.4.x binaries

2. Unzip into folder (no installation) and ensure system and your user have full rights (Ex: C:\Apache24) - Optionally, add the folder Apache24\bin\ to your system path

3. Launch command prompt as admin then go to your folder, the \bin folder, then run the below string to add a Windows Service to auto start and run Apache

httpd.exe -k install -n "Apache2.4"

Open in new window

4. Note (or configure if there isn't one) a URL base for each service you wish to add to reverse proxy.  
Example: If a default installation of Sonarr is accessable via "" and I configure it to add the URL Base of "/sonarr", once restarted, I would then access it via "http://localhost:8989/sonarr"

5. Edit http.conf to configure for Reverse Proxy

I've pasted an edited version of my current http.conf below.  It currently runs Reverse Proxy, SSL for my custom domain name (Requires editing another conf file and 3rd party cert), and may be accessed on 443 via SSL or port 80 only on my LAN.  I also built somewhat of a personal homepage with links to each service in the root of /htdocs which I see when going to  Due to these extras, not all lines shown in the conf file below are needed if just doing reverse proxy.

Important: The last 15ish lines contain 2 examples of what you'll need to configure per service you wish to add to reverse proxy.  To configure, simply add the same URL Base for the app (made in step #4) to the 1st line, then change the two lines towards the bottom and input the address you currently go to to access the site locally.  You may add HTTP or HTTPS addresses to these spaces, but it's much easier to configure only Apache for SSL instead of all services. Doublt its required, but I put a space in between each Location set and currently have 11 configured.  
Note: If you ever edit http.conf for any reason, you need to restart the Apache service for the changes to go into effect.

ServerRoot "c:/Apache24"
Listen 80
# Modules
LoadModule access_compat_module modules/
LoadModule actions_module modules/
LoadModule alias_module modules/
LoadModule allowmethods_module modules/
LoadModule asis_module modules/
LoadModule auth_basic_module modules/
LoadModule authn_core_module modules/
LoadModule authn_file_module modules/
LoadModule authz_core_module modules/
LoadModule authz_groupfile_module modules/
LoadModule authz_host_module modules/
LoadModule authz_user_module modules/
LoadModule autoindex_module modules/
LoadModule cgi_module modules/
LoadModule dir_module modules/
LoadModule env_module modules/
LoadModule headers_module modules/
LoadModule include_module modules/
LoadModule isapi_module modules/
LoadModule log_config_module modules/
LoadModule mime_module modules/
LoadModule negotiation_module modules/
LoadModule proxy_module modules/
LoadModule proxy_html_module modules/
LoadModule proxy_http_module modules/
LoadModule rewrite_module modules/
LoadModule setenvif_module modules/
LoadModule socache_shmcb_module modules/
LoadModule ssl_module modules/
LoadModule proxy_module libexec/httpd/

<IfModule unixd_module>
User daemon
Group daemon

ServerAdmin your@email.address

<Directory />
    AllowOverride none
    Require all denied

DocumentRoot "c:/Apache24/htdocs"
AccessFileName ht.acl .htaccess

<Directory "c:/Apache24/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted

<IfModule dir_module>
    DirectoryIndex index.html

ErrorLog "logs/error.log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    CustomLog "logs/access.log" common

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"

<IfModule cgid_module>

<Directory "c:/Apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

<IfModule proxy_html_module>
	Include conf/extra/proxy-html.conf

Include conf/extra/httpd-ssl.conf

<IfModule ssl_module>
	SSLRandomSeed startup builtin
	SSLRandomSeed connect builtin

<Location /sonarr>
	order deny,allow
	deny from all
	allow from all

<Location /urlbase>
	order deny,allow
	deny from all
	allow from all

Open in new window

Hope this helps someone!  Thanks

Author Closing Comment

ID: 41710126
It was what worked...

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Running classic asp applications under Windows Server 2008 R2 (x64) and IIS 7 is not as easy as one may think. It took me a while to figure it out while getting error 8002801d a few times. After you install the OS you will need to install the fol…
If you've heard about htaccess and it sounds like it does what you want, but you're not sure how it works... well, you're in the right place. Read on. Some Basics #1. It's a file and its filename is .htaccess (yes, with a dot in the front). #…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now