

SSL Errors 0200107B & 2006D002 in Windows

Posted on 2014-12-29
Medium Priority
Last Modified: 2016-07-14
Hey Guys -

I've been wanting to set up a reverse proxy on my home server for a while.  After reading an article about it the other day, I decided to give it a shot.  The article mentioned using Nginx so that's what I chose.  Even though that's what I'm using, I don't think my issue is Nginx, itself...

There's really no installation as it's a command line tool, so I extracted it, ran it, and it worked.  The only thing I needed to do extra was add SSL support.  That's where the nightmare began.

When I try to start Nginx, I get the below error:
2014/12/29 15:27:20 [emerg] 52308#53176: BIO_new_file("C:
ginx-1.6.2\cert.crt") failed (SSL: error:0200107B:system library:fopen:Unknown error:fopen('C:
ginx-1.6.2\cert.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)


I then downloaded & installed OpenSSL x32 (even though I use Windows 8.1 x64) and added its "bin" folder to my path, but it didn't change anything.  I've also made a post on Nginx's forum, but so far I haven't had any luck whatsoever.

When researching, I found out that there's a build of Nginx for Windows so I downloaded it.  It also already includes SSL configurations in its config file instead of me having to manually add them.  I made 3-4 changes to the conf file simply to specify the path/names of my certs.  When I started it, I got the exact same error.

My cert is from GoDaddy and is tied to my home's public domain name.  I also have a hosts entry in my router which forwards all local traffic to my home domain name to the local ip of my server which runs Windows 8.1 x64.  I'm needing SSL as not only do I want to access the reverse proxy via HTTPS, but all the apps I'm forwarding to use SSL and require logins.

Note:  I didn't generate the key file using OpenSSL, but with Windows.  I did this a while back before I knew I'd use OpenSSL.  I have used OpenSSL commands to verify that the cert is good, though.

Any ideas?  Thanks!
Question by:BzowK
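
The log in the question shows the certificate path split after `C:` with the `\n` gone, which is what results when nginx's configuration tokenizer reads `\n`, `\t` or `\r` inside a parameter as an escape sequence. The following check is an added example, not part of the original thread: it models that escape handling in simplified form and flags path directives that end up containing control characters. The sample config is constructed, and the key file name in it is made up.

```python
import re

# Backslash sequences that nginx's config tokenizer rewrites inside any
# parameter, quoted or not (simplified model of that behaviour).
ESCAPES = {"n": "\n", "t": "\t", "r": "\r", '"': '"', "'": "'", "\\": "\\"}
ESCAPE_RE = re.compile(r"""\\([ntr"'\\])""")

# File-path directives checked here (a selection, not the full list).
PATH_DIRECTIVES = ("ssl_certificate", "ssl_certificate_key",
                   "ssl_client_certificate", "ssl_trusted_certificate",
                   "ssl_dhparam")
DIRECTIVE_RE = re.compile(r"^\s*(%s)\s+(.+?)\s*;" % "|".join(PATH_DIRECTIVES))


def decode_nginx_token(raw):
    """Return the string nginx ends up with after escape rewriting."""
    return ESCAPE_RE.sub(lambda m: ESCAPES[m.group(1)], raw)


def find_mangled_paths(conf_text):
    """List (line_no, directive, decoded_path, suggestion) for every path
    whose backslashes turn into control characters."""
    findings = []
    for line_no, line in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        raw = m.group(2).strip("\"'")
        decoded = decode_nginx_token(raw)
        if any(c in decoded for c in "\n\t\r"):
            findings.append((line_no, m.group(1), decoded, raw.replace("\\", "/")))
    return findings


# Constructed sample; the first path is the one from the error message above,
# the key file name is made up.
SAMPLE_CONF = r"""
server {
    listen 443 ssl;
    ssl_certificate     C:\nginx-1.6.2\cert.crt;
    ssl_certificate_key "C:\nginx-1.6.2\cert.key";
    ssl_dhparam         C:/nginx-1.6.2/dhparam.pem;
}
"""

if __name__ == "__main__":
    for line_no, directive, decoded, fix in find_mangled_paths(SAMPLE_CONF):
        print(f"line {line_no}: {directive} opens {decoded!r}; write {fix}")
```

Forward slashes (or doubled backslashes) in the config leave the path intact, which is why the third directive in the sample is not reported.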

Expert Comment

ID: 40522755
You specify the cert path incorrectly.
It is relative to your current directory. It must be like c:/nginx/...

Author Comment

ID: 40551339
Finally figured it out, but that wasn't the issue.  Thanks, though.

Expert Comment

ID: 41626952
BzowK, what was the solution? I am banging my head on the same issue.

Accepted Solution

BzowK earned 0 total points
ID: 41700652
Sorry for the late reply, but the solution was to use Apache 2.4 for Windows.  Below is an overview of what's needed to do so:

1. Download Apache for Windows 2.4.x binaries

2. Unzip into folder (no installation) and ensure system and your user have full rights (Ex: C:\Apache24) - Optionally, add the folder Apache24\bin\ to your system path

3. Launch command prompt as admin then go to your folder, the \bin folder, then run the below string to add a Windows Service to auto start and run Apache

httpd.exe -k install -n "Apache2.4"


4. Note (or configure if there isn't one) a URL base for each service you wish to add to reverse proxy.  
Example: If a default installation of Sonarr is accessible via "" and I configure it to add the URL Base of "/sonarr", once restarted, I would then access it via "http://localhost:8989/sonarr"

5. Edit http.conf to configure for Reverse Proxy

I've pasted an edited version of my current http.conf below.  It currently runs Reverse Proxy, SSL for my custom domain name (Requires editing another conf file and 3rd party cert), and may be accessed on 443 via SSL or port 80 only on my LAN.  I also built somewhat of a personal homepage with links to each service in the root of /htdocs which I see when going to https://mydomain.com.  Due to these extras, not all lines shown in the conf file below are needed if just doing reverse proxy.

Important: The last 15ish lines contain 2 examples of what you'll need to configure per service you wish to add to reverse proxy.  To configure, simply add the same URL Base for the app (made in step #4) to the 1st line, then change the two lines towards the bottom and input the address you currently go to to access the site locally.  You may add HTTP or HTTPS addresses to these spaces, but it's much easier to configure only Apache for SSL instead of all services. Doubt it's required, but I put a space in between each Location set and currently have 11 configured.  
Note: If you ever edit http.conf for any reason, you need to restart the Apache service for the changes to go into effect.

ServerRoot "c:/Apache24"
Listen 80
# Modules
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module libexec/httpd/libproxy.so

<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

ServerAdmin your@email.address

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "c:/Apache24/htdocs"
AccessFileName ht.acl .htaccess

<Directory "c:/Apache24/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

ErrorLog "logs/error.log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    CustomLog "logs/access.log" common
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"
</IfModule>

<IfModule cgid_module>
</IfModule>

<Directory "c:/Apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
	Include conf/extra/proxy-html.conf
</IfModule>

Include conf/extra/httpd-ssl.conf

<IfModule ssl_module>
	SSLRandomSeed startup builtin
	SSLRandomSeed connect builtin
</IfModule>

<Location /sonarr>
	# mod_access_compat: with "order deny,allow" the allow rule wins,
	# so these three lines permit every client
	order deny,allow
	deny from all
	allow from all
</Location>

<Location /urlbase>
	order deny,allow
	deny from all
	allow from all
</Location>


Hope this helps someone!  Thanks

Author Closing Comment

ID: 41710126
It was what worked...
