proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev pgnet.dev at gmail.com
Tue Jun 2 19:10:45 UTC 2020


On 6/2/20 8:27 AM, Francis Daly wrote:
> That suggests that if you choose to use "proxy_ssl_server_name on;",
> then you almost certainly do not want to add your own "proxy_set_header
> Host" value.
> 
> The nginx code probably should not try to check for (and reject) that
> combination of directives-and-values; but might it be worth adding a
> note to http://nginx.org/r/proxy_ssl_server_name to say that that other
> directive is probably a bad idea, especially if you get a http 421 response
> from your upstream?

Trying to simplify/repeat, I've

vhost config,

	upstream test-upstream {
		server test.example.com:11111;
	}

	server {
		listen 10.10.10.1:443 ssl http2;
		server_name example.com;

		...
		location /app1 {

			proxy_ssl_verify       on;
			proxy_ssl_verify_depth 2;
			proxy_ssl_certificate         "/etc/ssl/nginx/test.client.crt";
			proxy_ssl_certificate_key     "/etc/ssl/nginx/test.client.key";
			proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

			proxy_pass https://test-upstream/;
			proxy_ssl_server_name on;
			proxy_ssl_name test.example.com;

		}
	}

and, upstream config

		server {
			listen 127.0.0.1:11111 ssl http2;
			server_name test.example.com;

			root /srv/www/test;
			index index.php;
			expires -1;

			ssl_certificate         "/etc/ssl/nginx/test.server.crt";
			ssl_certificate_key     "/etc/ssl/nginx/test.server.key";
			ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

			ssl_verify_client off;
			ssl_verify_depth 2;
			ssl_client_certificate  "/etc/ssl/nginx/ca_int.crt";

			location ~ \.php {
				try_files $uri =404;
				fastcgi_pass   phpfpm;
				fastcgi_index  index.php;
				fastcgi_param  PATH_INFO $fastcgi_script_name;
				include        includes/fastcgi/fastcgi_params;
			}

			error_log   /var/log/nginx/test.error.log  info;
		}

on access to

	https://example.com/app1

still get

	421 Misdirected Request

in log

	==> /var/log/nginx/test.error.log <==
	2020/06/02 11:52:13 [info] 8713#8713: *18 client attempted to request the server name different from the one that was negotiated while reading client request headers, client: 127.0.0.1, server: test.example.com, request: "GET / HTTP/1.0", host: "test-upstream"

Is that

	host: "test-upstream"

to be expected?  It's an upstream name, not an actual host.

Still unable to wrap my head around where this mismatch is coming from ... I have a nagging suspicion I'm missing something *really* obvious :-/
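As an added illustration (not code from this thread, and not from nginx), the hypothetical checker below derives the SNI name and the Host header nginx would send for a location block, using the documented defaults: both proxy_ssl_name and the Host header default to $proxy_host (the name written in proxy_pass), and any :port is dropped before the name is used as SNI. It flags exactly the disagreement the upstream log line above reports: SNI "test.example.com" negotiated, Host "test-upstream" requested.

```python
# Hypothetical checker (added example, not code from the original thread):
# given one nginx location block, derive the SNI name and the Host header
# nginx would send upstream, using the documented defaults, and flag the
# mismatch the upstream's error log complains about.
import re
from urllib.parse import urlsplit

# one "name value...;" directive per line, as in the location from the post
DIRECTIVE_RE = re.compile(r'^\s*(\S+)\s+(.*?)\s*;\s*$', re.MULTILINE)


def parse_location(block):
    """Return {directive: [[values...], ...]}, quotes stripped, order kept."""
    directives = {}
    for name, rest in DIRECTIVE_RE.findall(block):
        values = [v.strip('"\'') for v in rest.split()]
        directives.setdefault(name, []).append(values)
    return directives


def proxy_host(proxy_pass_url):
    """$proxy_host: host[:port] exactly as written in proxy_pass."""
    return urlsplit(proxy_pass_url).netloc


def effective_names(directives):
    """(sni, host); sni is None when proxy_ssl_server_name is off.
    Modelled defaults: proxy_ssl_name and Host both fall back to $proxy_host,
    and nginx strips a trailing :port from the name before sending it as SNI."""
    ph = proxy_host(directives['proxy_pass'][0][0])
    expand = lambda v: v.replace('$proxy_host', ph)  # only variable modelled
    sni = None
    if directives.get('proxy_ssl_server_name', [['off']])[0][0] == 'on':
        sni = expand(directives.get('proxy_ssl_name', [['$proxy_host']])[0][0])
        sni = sni.split(':')[0]
    host = ph
    for values in directives.get('proxy_set_header', []):
        if len(values) == 2 and values[0].lower() == 'host':
            host = expand(values[1])
    return sni, host


def check_location(block):
    """Return (sni, host, problem); problem is None when the names agree."""
    sni, host = effective_names(parse_location(block))
    if sni is not None and sni.lower() != host.split(':')[0].lower():
        return sni, host, f'SNI "{sni}" but Host "{host}": upstream can answer 421'
    return sni, host, None


# Constructed sample: the location from the post, where SNI is overridden by
# proxy_ssl_name while Host keeps its default of $proxy_host ("test-upstream").
POSTED_LOCATION = """
    proxy_ssl_verify       on;
    proxy_pass https://test-upstream/;
    proxy_ssl_server_name on;
    proxy_ssl_name test.example.com;
"""

if __name__ == '__main__':
    print(check_location(POSTED_LOCATION))
```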
