1

I have added a certificate in Bluemix, following this post : https://www.ibm.com/blogs/bluemix/2014/09/ssl-certificates-bluemix-custom-domains/

I can see the certificate in the domain tab, and it's the one I have uploaded.

Now I have a container running nginx, because we use it as a reverse proxy. Previously it was handling the SSL configuration, but now that it's done in Bluemix directly, we just want to accept https request, without configuring certificate.

What we did was forwarding the http requests to https, like advised in the post (explaining how to do it for node.js though). We get something like this:

server {
    listen       80;
    server_name *hostname.domain*;
    return 301 https://$http_host$request_uri;
}

And in the 443 part, we only listen, without the ssl part:

server {
    listen       443;

    server_name *host.domain*;

    *other stuff for reverse proxy*
}

However, when trying to access it, I get a generic error in chrome: ERR_SSL_PROTOCOL_ERROR

Firefox gives a bit more information:

An error occurred during a connection to *host.domain*. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

And when I try to check the certificate from command line, I don't get any.

openssl s_client -connect *host.domain*:443
CONNECTED(00000003)
140250419918480:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:782:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484673167
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

There's no error in nginx logs, and I can't manage to tell if the issue in on Bluemix side, or in the configuration of nginx, or if nginx allows this kind of configuration where it has to handle https requests, without the certificate configuration...

Does someone have any idea?

Many thanks.

Regards.

Karreg
  • 342
  • 1
  • 2
  • 14
  • Looks like a duplicate of http://stackoverflow.com/q/15394904/1072229. If that doesn't work though, you really need to include the "other stuff for reverse proxy" section of your config. – Grisha Levit Jan 17 '17 at 19:11

2 Answers2

0

If you want NGINX to pass-thru SSL, you have to use the stream module.

Faisal Memon
  • 1,047
  • 7
  • 7
0

Thanks for your answers. I was not able to check your solutions, but I talked with a technical expert from IBM meanwhile, and here is what I learned.

About the SSL pass-thru, we would need to configure each component (behind the nginx) to handle the SSL, so it seems to be harder to manage. I'm not an expert though, so I'm just reporting what I had as an answer on that point.

First, what we want should be doable by removing the public IP adress of our nginx container. Then, by creating a route from BM load balancer to our nginx container, we should solve the issue. Then the route would be configured to forward the port 443 to the nginx on port 80 (since the container is not publicly available, there no need to handle 80 AND 443).

However, Bluemix allows route only for container groups (for now?). Unfortunately, we use docker-compose that does not allow (for now?) to create container groups on BlueMix.

So the best solution was to put back the ssl configuration in nginx. The certificate being both on BlueMix domain and nginx container. And it's working fine, so we'll just improve the procedure to update the certificate, and wait until there's a need, or a new way to do it...

K.

Karreg
  • 342
  • 1
  • 2
  • 14