proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev pgnet.dev at gmail.com
Sat May 30 02:09:45 UTC 2020


I'm running

	nginx -V
		nginx version: nginx/1.19.0 (pgnd Build)
		built with OpenSSL 1.1.1g  21 Apr 2020
		TLS SNI support enabled
		...

It serves as front-end SSL termination, site host, and reverse-proxy to backend apps.

I'm trying to get a backend app to proxy_ssl_verify the proxy connection to it.

I have two self-signed certs:

One for "TLS Web Client Authentication, E-mail Protection"

	openssl x509 -in test.example.com.client.crt -text | egrep "Subject.*CN|DNS|TLS"
	        Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl at example2.com
	                TLS Web Client Authentication, E-mail Protection
	                DNS:test.example.com, DNS:www.test.example.com, DNS:localhost

and the other, for "TLS Web Server Authentication"

	openssl x509 -in test.example.com.server.crt -text | egrep "Subject.*CN|DNS|TLS"
	        Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl at example2.com
	                TLS Web Server Authentication
	                DNS:test.example.com, DNS:www.test.example.com, DNS:localhost

The certs 'match' CN & SAN, differing in "X509v3 Extended Key Usage".

Both are verified "OK" with my local CA cert

	openssl verify -CAfile myCA.crt.pem test.example.com.server.crt
		test.example.com.server.crt: OK

	openssl verify -CAfile /myCA.crt.pem test.example.com.client.crt
		test.example.com.client.crt: OK

My main nginx config includes,

	upstream test.example.com {
		server test.example.com:11111;
	}
	server {

		listen 10.10.10.1:443 ssl http2;
		server_name example.com;
		...

		ssl_verify_client on;
		ssl_client_certificate  "/etc/ssl/nginx/myCA.crt";
		ssl_verify_depth 2;
		ssl_certificate         "/etc/ssl/nginx/example.com.server.crt";
		ssl_certificate_key     "/etc/ssl/nginx/example.com.server.key";
		ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";

		location /app1 {
			proxy_pass                    https://test.example.com;
			proxy_ssl_certificate         "/etc/ssl/nginx/test.example.com.client.crt";
			proxy_ssl_certificate_key     "/etc/ssl/nginx/test.example.com.client.key";
			proxy_ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";
			proxy_ssl_verify       on;
			proxy_ssl_verify_depth 2;
			include includes/reverse-proxy.inc;
		}
	}

and the upstream config,

	server {
		listen 127.0.0.1:11111 ssl http2;
		server_name test.example.com;

		root /data/webapps/demo_app/;
		index index.php;
		expires -1;

		ssl_certificate        "/etc/ssl/nginx/test.example.com.server.crt";
		ssl_certificate_key    "/etc/ssl/nginx/test.example.com.server.key";

		ssl_client_certificate "/etc/ssl/nginx/myCA.crt";
		ssl_verify_client optional;
		ssl_verify_depth 2;

		location ~ \.php {
			try_files $uri =404;
			fastcgi_pass   phpfpm;
			fastcgi_index  index.php;
			fastcgi_param  PATH_INFO $fastcgi_script_name;
			include        fastcgi_params;
		}

	}

access to

	https://example.com/app1

responds,

	502 Bad Gateway

logs show an SSL handshake failure

	...
	2020/05/29 19:00:06 [debug] 29419#29419: *7 SSL: TLSv1.3, cipher: "TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD"
	2020/05/29 19:00:06 [debug] 29419#29419: *7 http upstream ssl handshake: "/app1/?"
	2020/05/29 19:00:06 [debug] 29419#29419: *7 X509_check_host(): no match
	2020/05/29 19:00:06 [error] 29419#29419: *7 upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream, client: 10.10.10.73, server: example.com, request: "GET /app1/ HTTP/2.0", upstream: "https://127.0.0.1:11111/app1/", host: "example.com"
	2020/05/29 19:00:06 [debug] 29419#29419: *7 http next upstream, 2
	...

If I toggle

-		ssl_verify_client on;
+		ssl_verify_client off;

then I'm able to connect to the backend site, as expected.

What exactly is NOT matching in the handshake?  CN & SAN do ...

&/or, is there a config problem above?
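The debug line `X509_check_host(): no match` names the OpenSSL routine nginx uses for `proxy_ssl_verify`: it compares the name in `proxy_ssl_name` (by default the host part of `proxy_pass`, here `test.example.com`) against the dNSName entries in the *presented* certificate's Subject Alternative Name, and falls back to the subject CN only when the certificate carries no dNSName SAN at all. The script below is an added example, not part of the original post, that reproduces that check from the shell with the same `openssl` CLI used above. It builds three constructed, throwaway self-signed certificates (one with CN plus SANs like the ones in the post, one with CN only, one whose CN matches but whose SANs do not) and reports which hostnames `X509_check_host` accepts for each. File names, the working directory and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example: reproduce nginx's upstream hostname check (X509_check_host)
# with the openssl CLI. All certificates here are constructed on the fly.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_test_cert OUTFILE CN [SAN-list]
# Constructed self-signed cert; SAN-list like "DNS:a.example,DNS:b.example".
make_test_cert() {
    if [ "${3:-}" != "" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$WORK/key.pem" -out "$1" \
            -subj "/O=example2.com/CN=$2" \
            -addext "subjectAltName=$3" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$WORK/key.pem" -out "$1" \
            -subj "/O=example2.com/CN=$2" >/dev/null 2>&1
    fi
}

# cert_sans CERTFILE -- print the dNSName SAN entries, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_matches_host CERTFILE HOSTNAME
# Exit 0 when openssl's X509_check_host accepts HOSTNAME for the cert, 1 otherwise.
cert_matches_host() {
    out=$(openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null)
    case "$out" in
        *"does match"*) return 0 ;;
        *)              return 1 ;;
    esac
}

# 1) CN and SANs as in the post's server cert.
CERT="$WORK/test.example.com.server.crt"
make_test_cert "$CERT" test.example.com \
    "DNS:test.example.com,DNS:www.test.example.com,DNS:localhost"

# 2) CN only, no SAN: X509_check_host falls back to the CN here.
CERT_CN_ONLY="$WORK/cn-only.crt"
make_test_cert "$CERT_CN_ONLY" test.example.com

# 3) CN matches but the SANs name something else: SANs win, CN is ignored.
CERT_WRONG_SAN="$WORK/wrong-san.crt"
make_test_cert "$CERT_WRONG_SAN" test.example.com "DNS:other.example.com"

report() {
    echo "== $1"
    echo "SANs:"; cert_sans "$1" | sed 's/^/  /'
    for name in test.example.com www.test.example.com localhost example.com; do
        if cert_matches_host "$1" "$name"; then
            echo "  $name: match"
        else
            echo "  $name: NO match"
        fi
    done
}

report "$CERT"
report "$CERT_CN_ONLY"
report "$CERT_WRONG_SAN"
```

To run the same check against what the upstream actually serves rather than a file on disk, capture the presented certificate with `openssl s_client -connect 127.0.0.1:11111 -servername test.example.com </dev/null 2>/dev/null | openssl x509 -out presented.crt` and call `cert_matches_host presented.crt test.example.com`. Two details matter when comparing with nginx's behaviour: nginx sends no SNI to the upstream unless `proxy_ssl_server_name on` is set, so the upstream answers with the default server's certificate for that listen socket, and the name checked is `proxy_ssl_name`, not the address the connection was made to.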


