Dakota Horstman

Reputation: 61

Why is NGINX throwing `cannot load certificate "data:": PEM_read_bio_X509_AUX() Expecting: TRUSTED CERTIFICATE`?

I am attempting to set up a local HTTPS development environment using Django-Cookiecutter with docker. I followed the documentation to a tee using mkcert; however, I realized that additional NGINX configuration was necessary to get .pem files to work. After configuring what I believe to be the right settings, I am now encountering the following error from NGINX:

nginx.1     | 2023/05/24 20:56:23 [error] 37#37: *1 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 42#42: *2 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 40#40: *3 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443
nginx.1     | 2023/05/24 20:56:23 [error] 39#39: *4 cannot load certificate "data:": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE) while SSL handshaking, client: 172.19.0.1, server: 0.0.0.0:443

I have spent the better part of 10 hours trying to figure out how to fix this issue and have reached the point of spinning my wheels. Every suggestion I've tried from others has resulted in no change to my issue, and I've exhausted what I believe to be relevant topics.

The things I've tried so far (non-exhaustive):

Here are the relevant portions of the project:

nginx.conf (current config)

server {
    listen 80;
    server_name localhost;
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name localhost;

    ssl_certificate /etc/nginx/certs/localhost.pem;
    ssl_certificate_key /etc/nginx/certs/localhost-key.pem;

    location / {
        proxy_pass http://django:8000;   # name of django docker container
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Note: This was added due to NGINX not automatically accepting *.pem files from mkcert.

docker-compose.yml (nginx portion)

  nginx:
    build:
      context: .
      dockerfile: ./compose/local/nginx/Dockerfile
    container_name: local_nginx
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - ./certs:/etc/nginx/certs
    depends_on:
      - django

Note: django is my Django app. It works. I can reach it at localhost:8000 without issue and can curl it from the nginx container without issue.

./compose/local/nginx/Dockerfile

FROM jwilder/nginx-proxy:latest

RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d

Note: This was added due to NGINX not automatically accepting *.pem files from mkcert.

openssl x509 -text -noout -in localhost.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            99:0c:b3:f7:2a:8b:f9:f7:0f:90:69:8f:63:4c:2a:7f
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = mkcert development CA, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman), CN = mkcert dakotahorstman@dur10469-ubuntu (Dakota Horstman)
        Validity
            Not Before: May 24 20:52:44 2023 GMT
            Not After : Aug 24 20:52:44 2025 GMT
        Subject: O = mkcert development certificate, OU = dakotahorstman@dur10469-ubuntu (Dakota Horstman)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Authority Key Identifier: 
                keyid:AB:28:4B:C0:36:99:06:7A:D5:FF:CA:EC:83:C6:1D:F3:B6:85:3F:17

            X509v3 Subject Alternative Name: 
                DNS:localhost, IP Address:127.0.0.1
    Signature Algorithm: sha256WithRSAEncryption

openssl rsa -in localhost-key.pem -check

RSA key ok
writing RSA key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

Chrome Webpage ERR_SSL_PROTOCOL_ERROR

Upvotes: 3

Views: 3877

Answers (1)

Dakota Horstman

Reputation: 61

For whatever reason, the jwilder/nginx-proxy:latest image does NOT work, whereas the nginx image does. Without any changes to any other files, simply changing the Dockerfile to the below works.

FROM nginx

RUN rm /etc/nginx/conf.d/default.conf
COPY ./compose/local/nginx/nginx.conf /etc/nginx/conf.d

Upvotes: 2
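The log line is the clue here: nginx quotes the certificate source it actually tried to load, and "data:" is not the file path in the posted nginx.conf, so the running config was not the file the author edited. The pre-flight script below, an added example that is not part of the question or answer, checks exactly that (configured sources exist; cert and key parse, match, and cover the server_name); it assumes only a POSIX shell and openssl and generates its own sample files in place of the mkcert output.

```shell
# Pre-flight checks for the nginx TLS setup above (added example, not from the post).
# Needs only openssl and a POSIX shell; sample files are generated on the fly so
# the script runs offline, standing in for the mkcert localhost.pem / -key.pem.
set -eu

# Print every ssl_certificate / ssl_certificate_key value in an nginx config.
# nginx's 'cannot load certificate "X"' error quotes this value verbatim, so a
# value in the log that differs from what is printed here (such as "data:")
# means the running config is not the file you edited.
cert_sources() {
    sed -n 's/^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^;]*\);.*/\2/p' "$1"
}

# Fail on the first configured source that is not a readable file.
check_conf() {
    for p in $(cert_sources "$1"); do
        [ -r "$p" ] || { echo "missing: $p"; return 1; }
    done
    echo ok
}

# Check a cert/key pair the way nginx's OpenSSL will: PEM header present,
# both parse, public keys match, and the SAN covers the configured server_name.
check_pair() {
    cert=$1; key=$2; host=$3
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "no PEM certificate block (no start line)"; return 1; }
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "cert does not parse"; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "key does not parse"; return 1; }
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || { echo "key does not match cert"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q "DNS:$host" ||
        { echo "SAN does not cover $host"; return 1; }
    echo ok
}

# Constructed sample inputs: a localhost cert shaped like mkcert's, an unrelated
# key, a non-PEM file, and two configs (one pointing at "data:" as in the log).
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
    -addext subjectAltName=DNS:localhost,IP:127.0.0.1 \
    -keyout "$d/localhost-key.pem" -out "$d/localhost.pem" 2>/dev/null
openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null
printf 'not a certificate\n' > "$d/data"
printf 'ssl_certificate %s;\nssl_certificate_key %s;\n' \
    "$d/localhost.pem" "$d/localhost-key.pem" > "$d/good.conf"
printf 'ssl_certificate data:;\n' > "$d/bad.conf"
check_conf "$d/good.conf"; check_conf "$d/bad.conf" || true
check_pair "$d/localhost.pem" "$d/localhost-key.pem" localhost
```

With real files, point check_conf at the nginx.conf actually present inside the container (not the one on the host) and check_pair at the mounted /etc/nginx/certs pair.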
