So what’s up?
Well, in short, probably nginx is barfing because it doesn’t like this part of the transaction:<\/p>\n\n\n\n
- The browser requests www.yoursite.com<\/li>
- Nginx takes that request and slaps your TLS certificate on it, branding it as Good To Go. Browser’s happy.<\/li>
- Nginx goes off to the Upstream Server and IMMEDIATELY DIES because it doesn’t like the invalid or self-signed certificates. It could<\/em> handle the TLS connection, encrypting everything, but it barfs on the cert.<\/li><\/ol>\n\n\n\n
<\/p>\n\n\n\n
So what do you do? Well, you can either:<\/p>\n\n\n\n
- Make the Upstream link HTTP only. This gets around the problem, but it does mean you expose the pageviews, the password, all that, to anything that can see the traffic locally. Which may be more than you want.<\/li>
- Somehow get the TLS certificate into OPNsense so you can pick that cert. I didn’t figure out how to do that.<\/li>
- Turn off TLS cert verification, so nginx just accepts the cert it’s given. This is the one I did.<\/li><\/ol>\n\n\n\n
Some caveats:<\/p>\n\n\n\n
You had better only do this if you’re damned certain you own that server and it’s on your local network. No funny business having it elsewhere or out of your constant control; if anybody sticks a different server at that same IP, it’ll get accepted, and then it’ll look like the real site. YOU HAVE TO BE CAREFUL HERE. If you don’t know what you’re changing and why, you can get really<\/em> screwed here.<\/p>\n\n\n\n
What’s this doing? Well, nginx is handing the TLS cert to the browser, so it’s happy, but then when it connects to the actual WordPress server or what have you, it gets a cert it then wants to verify is good. If it’s invalid, dead, expired, or self-signed, that can’t happen since there’s no Certificate Authority that issued it that nginx recognizes, so it fails. Unless you turn off verification, that is. If you do, it looks at the invalid cert and goes “eyeah, that’s fine I guess” and sets up the encrypted session without bothering to check. Kind of like when your sister smiles sweetly and flashes a fake ID at the club, and the bouncer figures she’s in that butter zone between 18 and 21 and lets her in because she’s cute and might like bouncers.<\/p>\n\n\n\n
She doesn’t, but she likes that bouncers think she does. And so it’s the same with your WordPress server.<\/p>\n\n\n\n
So how is this accomplished?
1. Go here:<\/p>\n\n\n\n![\"\"](\"https:\/\/nuclearwaffle.com\/wp-content\/uploads\/2022\/05\/image.png\")
<\/figure>\n\n\n\n2. Edit your entry, and click Advanced.<\/p>\n\n\n\n
![\"\"](\"https:\/\/nuclearwaffle.com\/wp-content\/uploads\/2022\/05\/image-1.png\")
<\/figure>\n\n\n\n3. Turn this off, TAKING HEED OF THE VERY DIRE WARNING:<\/p>\n\n\n\n
![\"\"](\"https:\/\/nuclearwaffle.com\/wp-content\/uploads\/2022\/05\/image-2.png\")
<\/figure>\n\n\n\n4. Test your site again. If it works, it was a TLS problem, and was due to nginx not liking the certificate.<\/p>\n\n\n\n
Now if you’re very smart you get that cert put into OPNsense so nginx can look for it, and barf again if there’s a problem with it. This is the safe option. If you’re lazy and you are running a beater WordPress instance to write shit down for the inevitable configuration explosion where you have to redo half of half of the stuff you actually gave a shit about? Well, then you leave it as is, and fuckin’ send it.<\/p>\n","protected":false},"excerpt":{"rendered":"
Right, so your configuration might look like this: You have a site you’ve built up haphazardly and it’s got invalid or self-signed certificates. You have OPNsense and nginx, running together. You’ve followed this guide to the letter and now you’re getting 502 errors because you also managed to put port forwards to the nginx client,…<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-27","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=\/wp\/v2\/posts\/27","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=27"}],"version-history":[{"count":7,"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=\/wp\/v2\/posts\/27\/revisions"}],"predecessor-version":[{"id":39,"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=\/wp\/v2\/posts\/27\/revisions\/39"}],"wp:attachment":[{"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=27"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=27"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nuclearwaffle.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=27"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}