Unable to get local issuer certificate

Hi,

I am new to CrowdSec. I'm having an issue. The bouncer is not working due to:

2024/03/04 00:20:50 [error] 547#547: *28616 [lua] crowdsec.lua:600: Allow(): [Crowdsec] bouncer error: request failed: 20: unable to get local issuer certificate, client: 37.27.14.51, server: domain2.com, request: "POST /inbox HTTP/2.0", host: "domain2.com"

This is my configuration:

It may well be that my configuration is dumb or I didn't get something correctly.

  • All domains and subdomains are proxied via NPM.
  • In the CrowdSec console I can see the bouncer just okay.
  • I can see alerts in the console as well.
  • LAPI endpoint is publicly accessible via https://
  • domain2.com and its subdomains are behind cloudflare proxy

Normally the error means that the container or the process does not have the root CAs installed, so it cannot find the local issuer certificate and validate it.

I'm pretty sure you have to specify somewhere lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; but that's if the container has them installed.

Just verify that it doesn't already exist within the nginx configuration files.

Well, lua_ssl_trusted_certificate is set directly in lepresidente/nginx_proxy_manager, mentioned on your blog.

at

/etc/nginx/conf.d/crowdsec_openresty.conf

and it is set to value:
lua_ssl_trusted_certificate /etc/ssl/certs/ca-cert-GTS_Root_R1.pem;

But this setting seems odd to me…

Seems this was an issue: I changed it to lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
and it looks like this problem is solved.

1 Like
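
A diagnostic for the situation in this thread, added here as an example and not posted by any participant: it reads the `lua_ssl_trusted_certificate` directive from an nginx conf file and reports whether the referenced trust file holds a single root (as with `ca-cert-GTS_Root_R1.pem`) or a full bundle. The function names are hypothetical, and `verify_lapi_chain` needs network access and an installed `openssl`, so it only runs when called by hand.

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the thread). Function names are hypothetical.

# Print the file named by lua_ssl_trusted_certificate in an nginx conf file.
# Commented-out lines are skipped because their first field starts with '#'.
trusted_cert_path() {
    awk '$1 == "lua_ssl_trusted_certificate" { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# Count PEM certificates in a trust file.
count_pem_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Classify the trust store used by the bouncer's Lua HTTPS client.
# Prints one of: missing-directive, missing-file, no-certs, single-root, bundle
classify_trust_store() {
    local path n
    path="$(trusted_cert_path "$1")"
    [ -n "$path" ] || { echo "missing-directive"; return 0; }
    [ -r "$path" ] || { echo "missing-file"; return 0; }
    n="$(count_pem_certs "$path")"
    case "$n" in
        0) echo "no-certs" ;;
        1) echo "single-root" ;;   # only chains ending in this one root verify
        *) echo "bundle" ;;
    esac
}

# Online check (needs network, not run automatically): verify the LAPI server's
# chain against exactly the file nginx is told to trust.
# Usage: verify_lapi_chain <lapi-host> <port> <ca-file>
verify_lapi_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_return_error </dev/null 2>&1 |
        grep -E 'Verify return code|verify error'
}

# When called with a conf path, report how its trust store is set up.
if [ -n "${1:-}" ]; then
    classify_trust_store "$1"
fi
```

A `single-root` result is only a problem when the LAPI certificate chains to a different root; `verify_lapi_chain` with that same file shows whether it does, reporting return code 20 in the failing case.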