Duo Network Gateway - Error 502

Hello Duo Community,

I am trying to set up a Web Application in our DNG but I get a 502 Bad Gateway.

  • DNG version: 1.6.1 with RDP feature enabled.
  • RDP is working fine
  • 2FA SSO works fine.
  • Right after the 2FA thing, I get that 502 Error.
  • Internal server uses a self-signed certificate I uploaded to DNG. That certificate includes the server’s hostname (zav-mon-central.cameoglobal.local) as CN.
  • When you connect to the website internally, there is something added at the end of the URL.

In the logs, I can see the following:

network-gateway-portal | 2022/02/28 17:36:30 [error] 202#0: *94 upstream SSL certificate verify error: (21:unable to verify the first certificate) while SSL handshaking to upstream, client: 178.51.111.250, server: monitoring.cameoglobal.eu, request: "GET / HTTP/1.1", upstream: "https://10.32.6.240:443/", host: "monitoring.cameoglobal.eu", referrer: "https://■■■■■■■■■■■■■■■■■■■■■■■■■■■■/"

In this line, I do not see any mention of the server’s hostname.

When I look in the log file, the only mention I see is:

network-gateway-admin | 2022-02-28 17:24:10+0000 [admin] Arguments: {"_xsrf": "********************************", "ikey": "■■■■■■■■■■■■■■■■■■■■", "skey": "****************************************", "■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■", "enable_frameless": "on", "ehost": "monitoring.cameoglobal.eu", "external_host_cert_source": "own", "external_host_cert": "", "external_host_key": "", "allowlist_values": "", "allowlist_ips": "", "ihost": "https://zav-mon-central.cameoglobal.local/", "private_certificate_authority": "on", "internal_host_cert": "", "http_host_header_name": "internal", "ssl_sni_and_cert_name": "internal", "session_duration": "480", "upstream_response_timeout": "180", "client_max_body_size": "128"}

Regards,
Antony

Hello! Thanks for reaching out!

This likely means that the DNG doesn’t trust the CA which was used to sign your certificate.

Did you try checking the “I’m using a private certificate authority” box and uploading the full certificate chain? (If it’s a single self-signed certificate, upload that certificate.)

@Sharif_Anani,

You pointed me in the right direction:

  • indeed, we use self-signed certificates
  • I checked the box but I did not include the CA in the certificate I uploaded
  • I changed that now and it works perfectly.

Thank you.

Antony
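
For triaging this class of 502, the following is an added example (not from the thread and not Duo's code) that parses an nginx-style "upstream SSL certificate verify error" line like the one quoted in the first post and maps the OpenSSL verify code to the likely trust-bundle problem. The sample log lines, addresses and hostnames are constructed, and the hint wording is this example's own.

```python
import re

# OpenSSL X509 verify result codes as they appear in nginx's
# "upstream SSL certificate verify error: (<code>:<reason>)" message.
# The hint text is this example's wording, not product output.
HINTS = {
    10: "upstream certificate has expired",
    18: "self-signed leaf is not in the trusted bundle",
    19: "chain has a self-signed root that is not in the trusted bundle",
    20: "issuer certificate is missing from the trusted bundle",
    21: "only the leaf could be checked; its issuer is not in the trusted bundle",
}

VERIFY_RE = re.compile(
    r"upstream SSL certificate verify error: \((?P<code>\d+):(?P<reason>[^)]*)\)"
)
# nginx appends context as comma-separated "key: value" pairs; values may be quoted.
FIELD_RE = re.compile(r'\b(client|server|request|upstream|host): ("[^"]*"|[^,]+)')

# Constructed sample lines (documentation addresses and example hostnames).
SAMPLE_LOG = [
    'network-gateway-portal | 2022/02/28 17:36:30 [error] 202#0: *94 upstream SSL '
    'certificate verify error: (21:unable to verify the first certificate) while SSL '
    'handshaking to upstream, client: 192.0.2.10, server: gateway.example.com, '
    'request: "GET / HTTP/1.1", upstream: "https://10.0.0.5:443/", '
    'host: "gateway.example.com"',
    'network-gateway-portal | 2022/02/28 17:36:31 [info] 202#0: *95 client closed connection',
]


def triage(line):
    """Return a dict describing an upstream verify failure, or None if the line is unrelated."""
    m = VERIFY_RE.search(line)
    if m is None:
        return None
    # Only parse the context that follows the error message itself.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    code = int(m.group("code"))
    return {
        "code": code,
        "reason": m.group("reason"),
        "upstream": fields.get("upstream"),
        "server": fields.get("server"),
        "hint": HINTS.get(code, "see the OpenSSL verify documentation for this code"),
    }


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(triage(entry))
```

The log line names the upstream by IP rather than hostname, so `upstream` and `server` are the fields to use when matching a failure to the application whose uploaded CA bundle needs checking.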