Solved

SSL Errors 0200107B & 2006D002 in Windows

Posted on 2014-12-29
Last Modified: 2016-07-14
Hey Guys -

I've been wanting to set up a reverse proxy on my home server for a while.  After reading an article about it the other day, I decided to give it a shot.  The article mentioned using Nginx so that's what I chose.  Even though that's what I'm using, I don't think my issue is Nginx itself...

There's really no installation as it's a command line tool, so I extracted it, ran it, and it worked.  The only thing I needed to do extra was add SSL support.  That's where the nightmare began.

When I try to start Nginx, I get the below error:
2014/12/29 15:27:20 [emerg] 52308#53176: BIO_new_file("C:
ginx-1.6.2\cert.crt") failed (SSL: error:0200107B:system library:fopen:Unknown error:fopen('C:
ginx-1.6.2\cert.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)


I then downloaded & installed OpenSSL x32 (even though I use Windows 8.1 x64) and added its "bin" folder to my path, but it didn't change anything.  I've also made a post on Nginx's forum, but so far I haven't had any luck whatsoever.

When researching, I found out that there's a build of Nginx for Windows, so I downloaded it.  It also already includes SSL configurations in its config file instead of me having to manually add them.  I made 3-4 changes to the conf file simply to specify the path/names of my certs.  When I started it, I got the exact same error.

My cert is from GoDaddy and is tied to my home's public domain name.  I also have a hosts entry in my router which forwards all local traffic to my home domain name to the local ip of my server which runs Windows 8.1 x64.  I'm needing SSL as not only do I want to access the reverse proxy via HTTPS, but all the apps I'm forwarding to use SSL and require logins.

Note:  I didn't generate the key file using OpenSSL, but with Windows.  I did this a while back before I knew I'd use OpenSSL.  I have used OpenSSL commands to verify that the cert is good, though.

Any ideas?  Thanks!
Question by:BzowK
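Added example (not part of the question or of any reply in this thread): the nginx log above prints the certificate path across two lines, broken right after "C:", which is what a path containing a real newline looks like once it reaches fopen(). nginx's configuration parser turns the two-character sequence `\n` in a directive value into a newline, so a Windows path such as `C:\nginx-1.6.2\cert.crt` written verbatim in nginx.conf is one way to end up with exactly that. The checker below separates three failure classes that all surface as the same opaque `BIO_new_file ... system lib` error: the path contains control characters, the file is not there, or the file is there but is not a PEM certificate/key pair. It uses only the Python standard library; the three inputs in `run_checks()` are constructed for the demonstration.

```python
import os
import ssl
import tempfile

CONTROL_CHARS = frozenset("\n\r\t")


def diagnose_cert_path(certfile, keyfile=None):
    """Classify a failure to load certfile (and keyfile) the way a TLS server would."""
    for label, path in (("certfile", certfile), ("keyfile", keyfile)):
        if path is None:
            continue
        if any(ch in CONTROL_CHARS for ch in path):
            # repr() makes the hidden byte visible: 'C:\nginx...' (newline) vs 'C:\\nginx...'
            return f"{label} contains control characters: {path!r}"
        if not os.path.isfile(path):
            return f"{label} not found: {path!r}"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile, keyfile)
    except ssl.SSLError as exc:
        # Reached only when the files exist: wrong format, or key does not match cert
        return f"not a usable certificate/key pair: {exc.reason}"
    return "ok"


def run_checks():
    """Run three constructed cases and return their diagnoses in order."""
    # Case 1: the string a parser produces after expanding "\n" in C:\nginx-1.6.2\cert.crt
    with_newline = "C:\nginx-1.6.2\\cert.crt"
    # Case 2: a well-formed path that simply does not exist on this machine (constructed)
    missing = os.path.join(tempfile.gettempdir(), "no-such-cert-constructed.crt")
    # Case 3: a file that exists but holds no PEM data (constructed)
    fd, bogus = tempfile.mkstemp(suffix=".crt")
    with os.fdopen(fd, "w") as f:
        f.write("this is not a certificate\n")
    try:
        results = [
            diagnose_cert_path(with_newline),
            diagnose_cert_path(missing),
            diagnose_cert_path(bogus),
        ]
    finally:
        os.unlink(bogus)
    return results


if __name__ == "__main__":
    for line in run_checks():
        print(line)
```

The first check is the one worth running before anything else: print the path with repr() (or dump the config bytes) and look for a control character, because a cert that `openssl x509` happily parses on the command line can still be unreadable to the server if the path it was handed is not the path you think you typed.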
5 Comments

Expert Comment

by:gheist
ID: 40522755
You specify the cert path incorrectly.
C:ginx-1.6.2\cert.crt
is relative to your current directory. It must be like c:/nginx/...

Author Comment

by:BzowK
ID: 40551339
Finally figured it out, but that wasn't the issue.  Thanks, though.

Expert Comment

by:gghatore
ID: 41626952
BzowK, what was the solution? I am banging my head on the same issue.

Accepted Solution

by:BzowK
ID: 41700652
Sorry for late reply, but solution was to use Apache 2.4 for Windows.  Below is an overview of what's needed to do so:

1. Download Apache for Windows 2.4.x binaries

2. Unzip into folder (no installation) and ensure system and your user have full rights (Ex: C:\Apache24) - Optionally, add the folder Apache24\bin\ to your system path

3. Launch command prompt as admin then go to your folder, the \bin folder, then run the below string to add a Windows Service to auto start and run Apache

httpd.exe -k install -n "Apache2.4"

Open in new window


4. Note (or configure if there isn't one) a URL base for each service you wish to add to reverse proxy.  
Example: If a default installation of Sonarr is accessible via "http://192.168.0.2:8989" and I configure it to add the URL Base of "/sonarr", once restarted, I would then access it via "http://localhost:8989/sonarr"

5. Edit http.conf to configure for Reverse Proxy

I've pasted an edited version of my current http.conf below.  It currently runs Reverse Proxy, SSL for my custom domain name (Requires editing another conf file and 3rd party cert), and may be accessed on 443 via SSL or port 80 only on my LAN.  I also built somewhat of a personal homepage with links to each service in the root of /htdocs which I see when going to https://mydomain.com.  Due to these extras, not all lines shown in the conf file below are needed if just doing reverse proxy.

Important: The last 15ish lines contain 2 examples of what you'll need to configure per service you wish to add to reverse proxy.  To configure, simply add the same URL Base for the app (made in step #4) to the 1st line, then change the two lines towards the bottom and input the address you currently go to to access the site locally.  You may add HTTP or HTTPS addresses to these spaces, but it's much easier to configure only Apache for SSL instead of all services. Doubt it's required, but I put a space in between each Location set and currently have 11 configured.  
Note: If you ever edit http.conf for any reason, you need to restart the Apache service for the changes to go into effect.

ServerRoot "c:/Apache24"
Listen 80

# Modules
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
# Reverse proxy: mod_proxy plus the HTTP backend and the HTML link rewriter
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
# TLS: mod_ssl and the shared-memory session cache it uses
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so

# Only used by Unix builds; the block is skipped on Windows
<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

ServerAdmin your@email.address

# Deny filesystem access by default; grant it per directory below
<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "c:/Apache24/htdocs"
AccessFileName ht.acl .htaccess

# The personal homepage with links to each service lives here.
# "Indexes" enables directory listings for folders without an index.html.
<Directory "c:/Apache24/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

# Logs are relative to ServerRoot (c:/Apache24/logs)
ErrorLog "logs/error.log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    # logio_module is not loaded above, so this format is not defined
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access.log" common
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"
</IfModule>

<IfModule cgid_module>
</IfModule>

<Directory "c:/Apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
    Include conf/extra/proxy-html.conf
</IfModule>

# The :443 virtual host. SSLCertificateFile / SSLCertificateKeyFile for the
# 3rd-party cert are set in this file, not here.
Include conf/extra/httpd-ssl.conf

<IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
</IfModule>

# One <Location> block per reverse-proxied service. The path after <Location
# and the path at the end of both ProxyPass lines must be the same URL Base
# that was configured in the service itself (step #4).
# order/deny/allow are mod_access_compat directives; with "order deny,allow",
# the final "allow from all" wins, so every client is permitted.
<Location /sonarr>
    order deny,allow
    deny from all
    allow from all
    ProxyPass http://127.0.0.1:8989/sonarr
    ProxyPassReverse http://127.0.0.1:8989/sonarr
</Location>

<Location /urlbase>
    order deny,allow
    deny from all
    allow from all
    ProxyPass http://127.0.0.1:5050/urlbase
    ProxyPassReverse http://127.0.0.1:5050/urlbase
</Location>


Hope this helps someone!  Thanks
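Added example (not from BzowK's post or from the Apache project): the answer above has you repeat the same URL Base in three places per service (the `<Location>` path and the tail of both `ProxyPass` lines), and the two sample blocks in the posted httpd.conf are the pattern. The generator below keeps each service as one record, emits the block from it, and refuses records that would produce a mismatched or risky configuration: a malformed URL base, a duplicate base, or a backend that is not on a loopback or RFC1918 address (so the proxied services stay reachable only through Apache). It emits Apache 2.4's mod_authz_core `Require all granted` in place of the mod_access_compat `order/deny/allow` trio from the post, which has the same effect there. `SAMPLE_SERVICES`, the hosts and the ports are constructed sample values; `is_rejected` is a helper added for the checks.

```python
from ipaddress import ip_address
import re

URL_BASE_RE = re.compile(r"^/[A-Za-z0-9_-]+$")

# Constructed sample: one record per service, mirroring the two <Location>
# blocks at the end of the posted httpd.conf. Ports are example values.
SAMPLE_SERVICES = [
    {"url_base": "/sonarr", "host": "127.0.0.1", "port": 8989},
    {"url_base": "/urlbase", "host": "127.0.0.1", "port": 5050},
]


def location_block(url_base, host, port, scheme="http"):
    """Return one <Location> block; url_base is used in all three places."""
    if not URL_BASE_RE.match(url_base):
        raise ValueError(f"URL base must look like /name, got {url_base!r}")
    # ip_address() raises ValueError for hostnames, so targets stay explicit
    addr = ip_address(host)
    if not (addr.is_loopback or addr.is_private):
        raise ValueError(f"backend {host} is not a loopback/LAN address")
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port {port}")
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    target = f"{scheme}://{host}:{port}{url_base}"
    return "\n".join([
        f"<Location {url_base}>",
        "    Require all granted",
        f"    ProxyPass {target}",
        f"    ProxyPassReverse {target}",
        "</Location>",
    ])


def render_services(services):
    """Render all blocks, blank-line separated, refusing duplicate URL bases."""
    seen = set()
    blocks = []
    for svc in services:
        if svc["url_base"] in seen:
            raise ValueError(f"duplicate URL base {svc['url_base']}")
        seen.add(svc["url_base"])
        blocks.append(location_block(svc["url_base"], svc["host"],
                                     svc["port"], svc.get("scheme", "http")))
    return "\n\n".join(blocks) + "\n"


def is_rejected(url_base, host, port):
    """True when location_block refuses the record (helper for the checks)."""
    try:
        location_block(url_base, host, port)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Paste the output into httpd.conf, then restart the Apache service
    print(render_services(SAMPLE_SERVICES))
```

Generating the blocks rather than hand-editing eleven of them means a typo can only appear once, in the record, and shows up as a 404 on a single service instead of a silent mismatch between what Apache forwards and what the backend's URL Base expects.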

Author Closing Comment

by:BzowK
ID: 41710126
It was what worked...
