
I was trying to use the HTTP3 feature in Nginx. I referred to this post (Binary Packages Now Available for the Preview NGINX QUIC+HTTP/3 Implementation) to set up an Nginx server with the HTTP3 feature. My Nginx config is like the following (almost default).

server {
    listen       80;
    server_name  localhost;

    # for better compatibility it's recommended
    # to use the same port for quic and https
    listen 443 http3 reuseport;
    listen 443 ssl;
    ssl_certificate     certs/localhost.crt;
    ssl_certificate_key certs/localhost.key;
    ssl_protocols       TLSv1.3;

    #access_log  /var/log/nginx/host.access.log  main;


    location / {
        # required for browsers to direct them into quic port
        add_header Alt-Svc 'h3=":8443"; ma=86400';
        add_header X-protocol $server_protocol always;
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

I created a self-signed SSL certificate and applied it. This self-signed SSL certificate was created by the following.

$ openssl genpkey -algorithm RSA -out localhost.key
$ openssl req -new -key localhost.key -out localhost.csr -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost"
$ openssl x509 -req -in localhost.csr -signkey localhost.key -out localhost.crt

Then, I created a pem file for it with the commands below and distributed it to the directories for curl.

$ cat localhost.crt localhost.key > localhost.pem
$ cp localhost.pem /usr/local/share/ca-certificates/
$ cp localhost.pem /etc/ssl/certs/
$ sudo update-ca-certificates

With all of the above steps completed, I tried to access the Nginx server via curl, and I got the error message below.

$ curl -IL https://localhost/
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Updated: 20230212 14:00

I can make curl trust the localhost domain by processing the following.

$ cp localhost.crt /usr/local/share/ca-certificates/
$ sudo update-ca-certificates

# Discard unnecessary files
$ rm /usr/local/share/ca-certificates/localhost.pem
$ rm /etc/ssl/certs/localhost.pem
$ rm localhost.pem


Updated: 20230212 11:00

I know curl can't access the server through HTTP3 without a special add-on, but I wonder why I got an error message saying the certificate is not trusted even though the pem file was placed in the root cert path for curl.


I also accessed this Nginx server via Chrome. However, the HTTP3 protocol does not seem to be applied.



Updated: 20230212 11:00

I found the response header for HTTP3 has been set correctly, however, the actual protocol of connection Chrome showed me is HTTP 1.1, not HTTP3. I guess it might not work fine.


The OS version I'm using is the following. I set up this environment using the Docker image ubuntu:latest.

$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

I would really appreciate it if anyone could help me. Thank you.

  • These are two questions in one. The problem with curl is because the certificate is not trusted, use -k to ignore this problem (testing only, never production!). Commented Feb 11, 2023 at 11:37
  • As for your second problem, I cite from the text on the website you linked: "The QUIC+HTTP/3 implementation is working correctly if NGINX includes the Alt-Svc header discussed above in its response to the browser’s initial HTTP request over TCP." In your screenshot, the Alt-Svc header is present. So all is working fine. Commented Feb 11, 2023 at 17:07
  • @SteffenUllrich Thank you for your answer! But I wonder why curl showed a certificate error message even though I set the pem file as a Root cert for curl. Commented Feb 12, 2023 at 1:28
  • @Xaver Thank you for your answer! I found the response header for HTTP3 has been set correctly, however, the actual protocol of connection Chrome showed me is HTTP 1.1, not HTTP3. I guess it might not work fine. Commented Feb 12, 2023 at 1:30
  • No "the pem file is NOT set ... for curl". Putting a file named with suffix '.pem' in /usr/local/share/ca-certificates doesn't work; read the man page for update-ca-certificates. Putting a private key anywhere in the truststore is wrong. And directly changing /etc/ssl/certs is wrong when you use the package, as you did and should, and even if you wanted to change the OpenSSL "CApath" manually, which you shouldn't, the file must be renamed using a truncated hash of the canonicalized subject and a counter, as documented. Commented Feb 12, 2023 at 4:20

2 Answers

I found that HTTP3 had already been applied to my Nginx server correctly. I realized it when I executed the curl command with QUIC via this Docker image (rmarx/curl-http3Z), with the -k option to ignore the SSL certificate error.

# 172.21.0.3 is the IP of the server of Nginx with HTTP3
$ curl -IL https://172.21.0.3 -k --http3
HTTP/3 200
server: nginx/1.23.4
date: Sun, 12 Feb 2023 05:23:35 GMT
content-type: text/html
content-length: 615
last-modified: Tue, 31 Jan 2023 11:26:33 GMT
etag: "63d8fae9-267"
alt-svc: h3=":8443"; ma=86400
x-protocol: HTTP/3.0
accept-ranges: bytes

I really appreciate your kindness!


I think we've met a similar issue.

I pulled the latest nginx Docker image, which is a pre-built HTTP3-supported nginx. I referred to the nginx.org document and edited nginx.conf. Finally, I opened Chromium, installed an HTTP Indicator extension and visited a local website.

Unfortunately, it's HTTP1.1, and access.log showed HTTP1.1 too.

To my surprise, if I open the website with Firefox, it is HTTP3!

Then I tested all browsers I had. It turns out all browsers with the Chromium kernel can not use HTTP3; only Firefox is supported on Windows, Linux and Android.

It suggests there may be some compatibility issue with nginx and Chromium-based browsers.
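Before attributing this to the browser, one thing worth checking in a config like the one posted in the question is that the port advertised in Alt-Svc is the port nginx actually listens on with http3 (there they differ: the listen directive uses 443, the Alt-Svc header advertises :8443, and a browser only switches to HTTP/3 when the advertised port really serves QUIC). The check below is an added example, not code from the original post or from nginx; the sample config is constructed to mirror the question's server block.

```shell
#!/bin/sh
# Added example (not from the original post or from nginx): check that the port
# advertised in the Alt-Svc header is the port nginx listens on with http3.
set -eu

# Constructed sample mirroring the question's config: QUIC on 443, Alt-Svc :8443.
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 443 http3 reuseport;
    listen 443 ssl;
    location / {
        add_header Alt-Svc 'h3=":8443"; ma=86400';
    }
}
EOF

# port of the first "listen ... http3" (or "quic") directive; handles "[::]:443"
quic_port() {
    awk '/^[ \t]*listen[ \t]/ && /(http3|quic)/ { sub(/;$/, "", $2); sub(/.*:/, "", $2); print $2; exit }' "$1"
}

# port named in the h3=":PORT" token of the Alt-Svc header
altsvc_port() {
    sed -n 's/.*Alt-Svc.*h3=":\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# succeeds only when both ports are present and equal
altsvc_matches_quic() {
    q="$(quic_port "$1")"
    a="$(altsvc_port "$1")"
    [ -n "$q" ] && [ -n "$a" ] && [ "$q" = "$a" ]
}

if altsvc_matches_quic "$SAMPLE_CONF"; then
    echo "Alt-Svc and http3 listen port agree"
else
    echo "mismatch: http3 listens on $(quic_port "$SAMPLE_CONF"), Alt-Svc advertises :$(altsvc_port "$SAMPLE_CONF")"
fi
```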
