
SSL Errors 0200107B & 2006D002 in Windows

Hey Guys -

I've been wanting to set up a reverse proxy on my home server for a while.  After reading an article about it the other day, I decided to give it a shot.  The article mentioned using Nginx so that's what I chose.  Even though that's what I'm using, I don't think my issue is Nginx, itself...

There's really no installation as it's a command line tool, so I extracted it, ran it, and it worked.  The only thing I needed to do extra was add SSL support.  That's where the nightmare began.

When I try to start Nginx, I get the below error:
2014/12/29 15:27:20 [emerg] 52308#53176: BIO_new_file("C:
ginx-1.6.2\cert.crt") failed (SSL: error:0200107B:system library:fopen:Unknown error:fopen('C:
ginx-1.6.2\cert.crt','r') error:2006D002:BIO routines:BIO_new_file:system lib)


I then downloaded & installed OpenSSL x32 (even though I use Windows 8.1 x64) and added its "bin" folder to my path, but it didn't change anything.  I've also made a post on Nginx's forum, but so far I haven't had any luck whatsoever.

When researching, I found out that there's a build of Nginx for Windows so downloaded it.  It also already includes SSL configurations in its config file instead of me having to manually add them.  I made 3-4 changes to the conf file simply to specify the path/names of my certs.  When I started it, I got the exact same error.

My cert is from GoDaddy and is tied to my home's public domain name.  I also have a hosts entry in my router which forwards all local traffic to my home domain name to the local ip of my server which runs Windows 8.1 x64.  I'm needing SSL as not only do I want to access the reverse proxy via HTTPS, but all the apps I'm forwarding to use SSL and require logins.

Note:  I didn't generate the key file using OpenSSL, but with Windows.  I did this a while back before I knew I'd use OpenSSL.  I have used OpenSSL commands to verify that the cert is good, though.

Any ideas?  Thanks!
1 Solution
You specify the cert path incorrectly.
It is relative to your current directory. Must be like c:/nginx/...
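
The logged path in the question breaks right after C:, which is the result nginx's configuration parser produces when it turns \n, \t or \r inside a directive argument into the control character. The following is an added example, not code from this thread or from nginx: it applies the same escape handling to ssl_certificate paths and flags any that end up containing a control character. The sample config, the function names and the simplified quoted-string matching are assumptions made for illustration.

```python
import re

# nginx rewrites these backslash sequences inside a directive argument.
NGINX_ESCAPES = {"t": "\t", "r": "\r", "n": "\n"}

# Simplified matcher for this example: one argument, quoted or bare.
DIRECTIVE_RE = re.compile(
    r'^\s*(ssl_certificate(?:_key)?)\s+(?:"([^"]*)"|\'([^\']*)\'|([^\s;]+))\s*;',
    re.M,
)

# Constructed sample; the first path assumes the backslash form behind the log.
SAMPLE_CONF = r'''
server {
    listen 443 ssl;
    ssl_certificate      "C:\nginx-1.6.2\cert.crt";
    ssl_certificate_key  C:/nginx-1.6.2/cert.key;
}
'''

def nginx_unescape(token):
    """Return the string nginx ends up with after reading a config token."""
    out, i = [], 0
    while i < len(token):
        nxt = token[i + 1:i + 2]
        if token[i] == "\\" and nxt in NGINX_ESCAPES:
            out.append(NGINX_ESCAPES[nxt])   # \n, \t, \r become control chars
            i += 2
        elif token[i] == "\\" and nxt in ('"', "'", "\\"):
            out.append(nxt)                  # escaped quote or backslash
            i += 2
        else:
            out.append(token[i])             # any other char is kept, e.g. \c
            i += 1
    return "".join(out)

def check_config(text):
    """List (directive, written, opened, suggested) for paths that get mangled."""
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        written = next(g for g in m.groups()[1:] if g is not None)
        opened = nginx_unescape(written)
        if any(ord(c) < 32 for c in opened):
            findings.append((m.group(1), written, opened, written.replace("\\", "/")))
    return findings

if __name__ == "__main__":
    for name, written, opened, suggested in check_config(SAMPLE_CONF):
        print(f"{name}: {written} is opened as {opened!r}; use {suggested}")
```
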
BzowKAuthor Commented:
Finally figured it out, but that wasn't the issue.  Thanks, though.
BzowK, what was the solution? I am banging my head on the same issue.
BzowKAuthor Commented:
Sorry for late reply, but solution was to use Apache 2.4 for Windows.  Below is an overview of what's needed to do so:

1. Download Apache for Windows 2.4.x binaries

2. Unzip into folder (no installation) and ensure system and your user have full rights (Ex: C:\Apache24) - Optionally, add the folder Apache24\bin\ to your system path

3. Launch command prompt as admin then go to your folder, the \bin folder, then run the below string to add a Windows Service to auto start and run Apache

httpd.exe -k install -n "Apache2.4"


4. Note (or configure if there isn't one) a URL base for each service you wish to add to reverse proxy.  
Example: If a default installation of Sonarr is accessible via "" and I configure it to add the URL Base of "/sonarr", once restarted, I would then access it via "http://localhost:8989/sonarr"

5. Edit http.conf to configure for Reverse Proxy

I've pasted an edited version of my current http.conf below.  It currently runs Reverse Proxy, SSL for my custom domain name (Requires editing another conf file and 3rd party cert), and may be accessed on 443 via SSL or port 80 only on my LAN.  I also built somewhat of a personal homepage with links to each service in the root of /htdocs which I see when going to https://mydomain.com.  Due to these extras, not all lines shown in the conf file below are needed if just doing reverse proxy.

Important: The last 15ish lines contain 2 examples of what you'll need to configure per service you wish to add to reverse proxy.  To configure, simply add the same URL Base for the app (made in step #4) to the 1st line, then change the two lines towards the bottom and input the address you currently go to to access the site locally.  You may add HTTP or HTTPS addresses to these spaces, but it's much easier to configure only Apache for SSL instead of all services. Doubt it's required, but I put a space in between each Location set and currently have 11 configured.  
Note: If you ever edit http.conf for any reason, you need to restart the Apache service for the changes to go into effect.

ServerRoot "c:/Apache24"
Listen 80
# Modules
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_html_module modules/mod_proxy_html.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module libexec/httpd/libproxy.so

<IfModule unixd_module>
User daemon
Group daemon
</IfModule>

ServerAdmin your@email.address

# Deny access to the whole filesystem by default
<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "c:/Apache24/htdocs"
AccessFileName ht.acl .htaccess

<Directory "c:/Apache24/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

ErrorLog "logs/error.log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access.log" common
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "c:/Apache24/cgi-bin/"
</IfModule>

<IfModule cgid_module>
</IfModule>

<Directory "c:/Apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig conf/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
</IfModule>

<IfModule proxy_html_module>
	Include conf/extra/proxy-html.conf
</IfModule>

# SSL virtual host settings live in this separate file
Include conf/extra/httpd-ssl.conf

<IfModule ssl_module>
	SSLRandomSeed startup builtin
	SSLRandomSeed connect builtin
</IfModule>

# One Location block per proxied service, keyed by its URL base
<Location /sonarr>
	order deny,allow
	deny from all
	allow from all
</Location>

<Location /urlbase>
	order deny,allow
	deny from all
	allow from all
</Location>


Hope this helps someone!  Thanks
BzowKAuthor Commented:
It was what worked...