Nginx doesn't work (won't load the certificate)
Hi everyone. I've spent all day today trying to set up nginx for the Remnawave control panel, but it keeps failing with this error:
nginx: [emerg] cannot load certificate "/etc/ssl/private/[REDACTED]/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
I obtain the certificates with this script:
#!/bin/bash
set -e
THIS=`readlink -f "${BASH_SOURCE[0]}"`
DIR=`dirname "${THIS}"`
pushd $DIR > /dev/null
TMP1="${THIS%.*}"
TMP2="${TMP1#*.}"
domain="${TMP2#*.}"
echo $domain;
date=`/bin/date +%Y%m%d.%H%M%S`
if [[ ! -f "acme.issue.$domain.done" ]]; then
    . ./acme.cf.creds.sh
    pushd /root/.acme.sh > /dev/null
    mkdir -p /etc/ssl/private/$domain
    ./acme.sh --issue -d $domain -d '*.'$domain --dns dns_cf --server letsencrypt \
        --key-file /etc/ssl/private/$domain/privkey.pem \
        --fullchain-file /etc/ssl/private/$domain/fullchain.pem \
        --keylength 4096 \
        --force
        # --debug
    popd > /dev/null
    echo $date > acme.issue.$domain.done
    chown www-data. /etc/ssl/private/$domain/*.pem
fi
popd > /dev/null
Here is nginx.conf:
upstream remnawave {
    server remnawave:3000;
}

# Connection header for WebSocket reverse proxy
map $http_upgrade $connection_upgrade {
    default upgrade;
    "" close;
}

server {
    server_name panel.[REDACTED];
    listen 443 ssl reuseport;
    listen [::]:443 ssl reuseport;
    http2 on;

    location / {
        proxy_http_version 1.1;
        proxy_pass http://remnawave;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # SSL Configuration (Mozilla Intermediate Guidelines)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_certificate "/etc/ssl/private/[REDACTED]/fullchain.pem";
    ssl_certificate_key "/etc/ssl/private/[REDACTED]/privkey.pem";
    ssl_trusted_certificate "/etc/ssl/private/[REDACTED]/fullchain.pem";
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
    resolver_timeout 2s;

    # Gzip Compression
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 256;
    gzip_types
        application/atom+xml
        application/geo+json
        application/javascript
        application/x-javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/rss+xml
        application/xhtml+xml
        application/xml
        font/eot
        font/otf
        font/ttf
        image/svg+xml
        text/css
        text/javascript
        text/plain
        text/xml;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
And here is docker-compose.yml:
services:
  remnawave-nginx:
    image: nginx:1.26
    container_name: remnawave-nginx
    hostname: remnawave-nginx
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:rw
      - /fullchain.pem:/etc/ssl/private/[REDACTED]/fullchain.pem:ro
      - /privkey.pem:/etc/ssl/private/[REDACTED]/pribkey.pem:ro
    restart: always
    ports:
      - '0.0.0.0:443:443'
    networks:
      - remnawave-network
networks:
  remnawave-network:
    name: remnawave-network
    driver: bridge
    external: true
By the way, here is the Docker Compose log as well:
remnawave-nginx | 2025-08-24T19:08:59.521974717Z /docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
remnawave-nginx | 2025-08-24T19:08:59.522054706Z /docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
remnawave-nginx | 2025-08-24T19:08:59.523763472Z /docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
remnawave-nginx | 2025-08-24T19:08:59.523783656Z 10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
remnawave-nginx | 2025-08-24T19:08:59.541154921Z 10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
remnawave-nginx | 2025-08-24T19:08:59.541207096Z /docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
remnawave-nginx | 2025-08-24T19:08:59.541229193Z /docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
remnawave-nginx | 2025-08-24T19:08:59.546832368Z /docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
remnawave-nginx | 2025-08-24T19:08:59.546875466Z /docker-entrypoint.sh: Configuration complete; ready for start up
remnawave-nginx | 2025-08-24T19:08:59.553479071Z 2025/08/24 19:08:59 [emerg] 1#1: cannot load certificate "/etc/ssl/private/[REDACTED]/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
remnawave-nginx | 2025-08-24T19:08:59.553926888Z nginx: [emerg] cannot load certificate "/etc/ssl/private/[REDACTED]/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0480006C:PEM routines::no start line:Expecting: TRUSTED CERTIFICATE)
remnawave-nginx exited with code 1
After that it just repeats. I'm a beginner in all this web stuff, so please don't judge too harshly. Thanks to everyone who answers.
Answers (1):
Solution author: Alex Wolf
Wrong paths in docker-compose.yml: the certificates are being mounted into the container root
services:
  remnawave-nginx:
    image: nginx:1.26
    container_name: remnawave-nginx
    hostname: remnawave-nginx
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
      # Corrected certificate paths
      - /etc/ssl/private/[REDACTED]/fullchain.pem:/etc/ssl/private/[REDACTED]/fullchain.pem:ro
      - /etc/ssl/private/[REDACTED]/privkey.pem:/etc/ssl/private/[REDACTED]/privkey.pem:ro
    restart: always
    ports:
      - '0.0.0.0:443:443'
    networks:
      - remnawave-network
networks:
  remnawave-network:
    name: remnawave-network
    driver: bridge
    external: true
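Added example, not code from the question or from Alex Wolf's answer: a POSIX shell pre-flight check to run on the host before `docker compose up`. It parses the short-syntax `volumes:` entries of a compose file, requires every absolute-path bind-mount source to exist as a regular file, and requires a source mounted as `fullchain.pem` or `privkey.pem` to start with the matching PEM header. It relies on the documented Docker behaviour that a missing bind-mount source is created as an empty directory, which is what turns a wrong host path like `/fullchain.pem` into nginx's "no start line" error. The function names, the `example.test` domain, the placeholder PEM bodies and the two compose fragments it writes into a temporary directory are all constructed for this example.

```shell
#!/bin/sh
# Pre-flight check for PEM files bind-mounted into an nginx container.
# Added example; not the question's or the answer's code. Function names,
# the example.test domain and the PEM bodies below are constructed.

# First non-blank line of a file (POSIX sed, no GNU extensions needed).
pem_first_line() {
    sed -n '/[^[:space:]]/{p;q;}' "$1"
}

# pem_kind FILE: prints "certificate", "private-key" or "none"; exit status 0
# only when a known PEM header was found in a regular file. A directory (what
# Docker creates for a missing bind-mount source) yields "none".
pem_kind() {
    if [ ! -f "$1" ]; then
        echo none
        return 1
    fi
    case "$(pem_first_line "$1")" in
        "-----BEGIN CERTIFICATE-----"|"-----BEGIN TRUSTED CERTIFICATE-----")
            echo certificate ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            echo private-key ;;
        *)
            echo none
            return 1 ;;
    esac
}

# check_compose_mounts COMPOSE_FILE: exit 0 when every absolute-path bind mount
# has a regular file as source and every fullchain.pem / privkey.pem target is
# fed by the matching PEM type; otherwise prints one PROBLEM line per finding
# and exits 1. Only the short "- /src:/dst[:mode]" syntax is parsed.
check_compose_mounts() {
    problems=0
    for spec in $(sed -n 's/^[[:space:]]*-[[:space:]]*\(\/[^:[:space:]]*:\/[^:[:space:]]*\).*/\1/p' "$1"); do
        src=${spec%%:*}
        dst=${spec#*:}
        if [ ! -f "$src" ]; then
            echo "PROBLEM: $src is missing or not a regular file; Docker would mount an empty directory at $dst"
            problems=$((problems + 1))
            continue
        fi
        case "$dst" in
            */fullchain.pem) want=certificate ;;
            */privkey.pem)   want=private-key ;;
            *)               continue ;;
        esac
        got=$(pem_kind "$src") || true
        if [ "$got" != "$want" ]; then
            echo "PROBLEM: $src (mounted at $dst) contains '$got', expected '$want'"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# write_fixture DIR: constructs placeholder PEM files and two compose fragments
# under DIR. broken.yml mirrors the question (sources at the wrong root, plus
# the pribkey.pem typo); fixed.yml mirrors the answer.
write_fixture() {
    ssl="$1/etc/ssl/private/example.test"
    mkdir -p "$ssl"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed-placeholder...' \
        '-----END CERTIFICATE-----' > "$ssl/fullchain.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIE...constructed-placeholder...' \
        '-----END PRIVATE KEY-----' > "$ssl/privkey.pem"
    cat > "$1/broken.yml" <<EOF
services:
  remnawave-nginx:
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:rw
      - $1/fullchain.pem:$ssl/fullchain.pem:ro
      - $1/privkey.pem:$ssl/pribkey.pem:ro
EOF
    cat > "$1/fixed.yml" <<EOF
services:
  remnawave-nginx:
    volumes:
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - $ssl/fullchain.pem:$ssl/fullchain.pem:ro
      - $ssl/privkey.pem:$ssl/privkey.pem:ro
EOF
}

# Stand-alone run: build the fixture in a temp dir, check both fragments, clean up.
demo() {
    tmp=$(mktemp -d)
    write_fixture "$tmp"
    for f in broken fixed; do
        if check_compose_mounts "$tmp/$f.yml"; then
            echo "$f.yml: OK, safe to start nginx"
        else
            echo "$f.yml: fix the volumes section before starting nginx"
        fi
    done
    rm -rf "$tmp"
}
demo
```

To use it against a real deployment, call `check_compose_mounts ./docker-compose.yml` from the directory that holds the compose file; relative sources such as `./nginx.conf` are skipped on purpose, and a target name other than `fullchain.pem`/`privkey.pem` (the `pribkey.pem` typo in the question) is still caught indirectly, because its source is checked for existence and nginx's `ssl_certificate_key` path would then be absent from the container.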