I'm trying to configure a VPS running Ubuntu Server 18.04, on which I have installed GOGS, JENKINS and TOMCAT. With Nginx, I only allow HTTPS requests, but when I make a request from Insomnia to an API web service deployed in Tomcat I get the message "peer certificate cannot be authenticated with given ca certificates". It's the same message I get when I push a commit to a Gogs repository. The SSL certificate is signed by a CA. I don't know what's going on, but I'm sharing the Nginx and Gogs configuration to get started.

Nginx config:

upstream tomcat {
    server 127.0.0.1:8081 weight=100 max_fails=5 fail_timeout=5;
}

server {
    listen 443 ssl;
    server_name serverName;

    ssl_certificate /etc/nginx/ssl/certificate.crt;
    ssl_certificate_key /etc/nginx/ssl/certificate.key;

    root /var/www;
    index index.php;

    # TOMCAT8
    location /manager {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://tomcat/manager;
    }
    location /test {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://tomcat/test;
    }
    location ~ \.jsp$ {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Server-Proto $server_protocol;
    }

    # GOGS
    location /gogs/ {
        # Proxy headers
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;

        # Log files
        access_log /var/log/nginx/gogs.access.log;
        error_log /var/log/nginx/gogs.error.log;

        # Redirect
        proxy_pass http://localhost:3000/;
    }
}

Gogs server config:

[server]
DOMAIN           = localhost
HTTP_PORT        = 3000
ROOT_URL         = https://serverName/gogs/
DISABLE_SSH      = false
SSH_PORT         = 22
START_SSH_SERVER = false
OFFLINE_MODE     = false

1 Answer

After a week, I found the solution to my issue. The error was that the certificate.crt file didn't have the CA signature concatenated.

I didn't know, but for Nginx, it's required to have all the certificates combined in a single file. The certificate for the domain (*.crt) must be listed first in the file, followed by the chain of CA certificates (*.ca-bundle). I only put the certificate for my domain (*.crt), so the CA authority was not found.

I've made it work by concatenating the two certificates into one with the following Linux command:

cat certificate.ca-bundle >> certificate.crt
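
An added example, not part of the answer above: a safer way to build the combined file that writes a new output instead of appending in place, so re-running never duplicates the chain, and that handles a leaf file with no trailing newline. The function names and `fullchain.crt` are hypothetical; the demo input is constructed dummy PEM, not real certificates.

```shell
#!/usr/bin/env bash
# Build an nginx full-chain file: domain certificate first, then the CA bundle.

# Count PEM certificate blocks whose BEGIN marker starts a line.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# If the first file has no trailing newline, plain concatenation yields
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" on one line, which
# OpenSSL (and therefore nginx) cannot parse. Detect that fused marker.
has_fused_markers() {
    grep -q -e '-----END CERTIFICATE-----.*-----BEGIN CERTIFICATE-----' "$1"
}

# build_fullchain LEAF BUNDLE OUT
# Writes OUT from scratch and leaves both inputs untouched.
build_fullchain() {
    local leaf=$1 bundle=$2 out=$3 f
    : > "$out" || return 1
    for f in "$leaf" "$bundle"; do
        # Strip CRs and blank lines; awk ends every line with a newline.
        tr -d '\r' < "$f" | awk 'NF' >> "$out" || return 1
    done
    has_fused_markers "$out" && return 1   # an input was already corrupted
    [ "$(count_certs "$out")" -ge 2 ]      # leaf plus at least one CA cert
}

# verify_fullchain LEAF BUNDLE: optional, needs the openssl CLI and real
# certificates. Checks that the bundle links the leaf to a trusted root.
verify_fullchain() {
    openssl verify -untrusted "$2" "$1"
}

# Demo on constructed dummy PEM blocks; the leaf deliberately lacks a
# trailing newline.
demo=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----' \
    > "$demo/certificate.crt"
printf -- '-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n' \
    > "$demo/certificate.ca-bundle"
build_fullchain "$demo/certificate.crt" "$demo/certificate.ca-bundle" \
    "$demo/fullchain.crt" \
    && echo "fullchain.crt holds $(count_certs "$demo/fullchain.crt") certificates"
```

Point `ssl_certificate` at the generated file and run `nginx -t` before reloading.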