SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

meniem nginx-forum at forum.nginx.org
Thu Nov 5 22:18:38 UTC 2020 

I'm trying to setup Nginx reserve proxy which redirect to a specific host
that requires certificate for proper functionality. But I get this error
when I hit the endpoint from the browser:


    2020/11/05 19:55:21 [error] 6334#6334: *111317 SSL_do_handshake() 
    failed (SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca:SSL alert n$


Here is the nginx configuration file:

    server {
            listen 443 ssl;
            listen [::]:443 ssl;
    
            ssl_certificate /home/ubuntu/appname.com.pem;
            ssl_certificate_key /home/ubuntu/appname.com.key;
    
            server_name appname.com;
    
            ssl_protocols TLSv1.2;
    
            set $target_server targetapp.com:443;
    
            location /api/ {
            rewrite ^/api(/.*) $1 break;
            proxy_pass https://$target_server/$uri$is_args$args;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header Host appname.com;
            error_log /var/log/nginx/target_server.log debug;
            proxy_set_header Accept-Encoding text/xml;
            proxy_ssl_certificate /home/ubuntu/target_server_client.pem;
            proxy_ssl_certificate_key /home/ubuntu/target_server_key.pem;
            proxy_ssl_trusted_certificate
/home/ubuntu/target_server_CA.pem;
            proxy_ssl_verify off;
            proxy_ssl_verify_depth 1;
            proxy_ssl_server_name on;
            }
    }




I tried to enable/disable both `proxy_ssl_server_name` and
`proxy_ssl_verify`, but both didn't fix the issue.

When I SSH into that server and try the below curl command, I can get the
expected correct response, it's only when try to hit the endpoint from the
browser:


    curl -vv --cert target_server_client.pem --key target_server_key.pem 
--cacert target_server_CA.pem --url https://targetapp.com/api 2>&1|less



I'm not sure what could be the issue, I suspect it would be that the Nginx
proxy is using the IP address instead of host name in the endpoint, that's
why it's giving an SSL verification issue. Because it's working by curl
command propely. I also tried to enable the proxy_ssl_server_name, but
didn't help.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289880,289880#msg-289880

More information about the nginx mailing list