proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin mdounin at mdounin.ru
Tue Jun 2 19:34:23 UTC 2020


Hello!

On Tue, Jun 02, 2020 at 12:10:45PM -0700, PGNet Dev wrote:

> On 6/2/20 8:27 AM, Francis Daly wrote:
> > That suggests that if you choose to use "proxy_ssl_server_name on;",
> > then you almost certainly do not want to add your own "proxy_set_header
> > Host" value.
> > 
> > The nginx code probably should not try to check for (and reject) that
> > combination of directives-and-values; but might it be worth adding a
> > note to http://nginx.org/r/proxy_ssl_server_name to say that that other
> > directive is probably a bad idea, especially if you get a http 421 response
> > from your upstream?
> 
> trying to simplify/repeat, i've
> 
> vhost config,
> 
> 	upstream test-upstream {
> 		server test.example.com:11111;
> 	}
> 
> 	server {
> 		listen 10.10.10.1:443 ssl http2;
> 		server_name example.com;
> 
> 		...
> 		location /app1 {
> 
> 			proxy_ssl_verify       on;
> 			proxy_ssl_verify_depth 2;
> 			proxy_ssl_certificate         "/etc/ssl/nginx/test.client.crt";
> 			proxy_ssl_certificate_key     "/etc/ssl/nginx/test.client.key";
> 			proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";
> 
> 			proxy_pass https://test-upstream/;
> 			proxy_ssl_server_name on;
> 			proxy_ssl_name test.example.com;
> 
> 		}
> 	}
> 
> and, upstream config
> 
> 		server {
> 			listen 127.0.0.1:11111 ssl http2;
> 			server_name test.example.com;
> 
> 			root /srv/www/test;
> 			index index.php;
> 			expires -1;
> 
> 			ssl_certificate         "/etc/ssl/nginx/test.server.crt";
> 			ssl_certificate_key     "/etc/ssl/nginx/test.server.key";
> 			ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";
> 
> 			ssl_verify_client off;
> 			ssl_verify_depth 2;
> 			ssl_client_certificate  "/etc/ssl/nginx/ca_int.crt";
> 
> 			location ~ \.php {
> 				try_files $uri =404;
> 				fastcgi_pass   phpfpm;
> 				fastcgi_index  index.php;
> 				fastcgi_param  PATH_INFO $fastcgi_script_name;
> 				include        includes/fastcgi/fastcgi_params;
> 			}
> 
> 			error_log   /var/log/nginx/test.error.log  info;
> 		}
> 
> on access to
> 
> 	https://example.com/app1
> 
> still get
> 
> 	421 Misdirected Request
> 
> in log
> 
> 	==> /var/log/nginx/test.error.log <==
> 	2020/06/02 11:52:13 [info] 8713#8713: *18 client attempted to request the server name different from the one that was negotiated while reading client request headers, client: 127.0.0.1, server: test.example.com, request: "GET / HTTP/1.0", host: "test-upstream"
> 
> Is that
> 
> 	host: "test-upstream"
> 
> to be expected?  it's an upstream name, not an actual host.

Yes, it is expected.  Quoting http://nginx.org/r/proxy_set_header:

: By default, only two fields are redefined:
:
: proxy_set_header Host       $proxy_host;
: proxy_set_header Connection close;

That is, the name you've written in the proxy_pass directive is 
the actual hostname, and it will be used in the Host header when 
creating requests to the upstream server.  And it is also used in the 
proxy_ssl_name, so it will be used during SSL handshake for SNI 
and certificate verification.

It's not just "an upstream name".  If you want it to be only an 
upstream name, you'll have to redefine at least proxy_ssl_name and 
"proxy_set_header Host".  (Well, not really, since $proxy_host is 
also used at least in the proxy_cache_key, but this is probably 
not that important.)

Alternatively, you may want to use the real name, and define an 
upstream{} block with that name.  This way you won't need to 
redefine anything.

> Still unable to wrap my head around where this mis-match is 
> coming from ... I have a nagging suspicion I'm missing something 
> *really* obvious :-/

The mis-match comes from trying to redefine the name in some parts 
of the configuration but not others.  Hope the above explanation 
helps.

-- 
Maxim Dounin
http://mdounin.ru/
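The two fixes described in the reply above, written out as an added example that is not part of the original thread. Both variants reuse the certificate paths, ports and names from the quoted configuration; the `/app2` location is an assumed second path used only so that both variants can sit in one server{} block.

```nginx
# Added example (not from the thread). The goal is to make the three places
# where the upstream name is used agree: the Host header sent upstream,
# the SNI name sent in the TLS ClientHello, and the name that
# proxy_ssl_verify checks against the upstream certificate's CN/SAN.
# All three default to $proxy_host, which is the name from proxy_pass.

# Variant 1: name the upstream{} block after the real hostname.
# $proxy_host then becomes "test.example.com", so nothing needs redefining
# and the upstream vhost (server_name test.example.com) no longer answers
# 421 because Host and SNI match.
upstream test.example.com {
    server test.example.com:11111;
}

server {
    listen 10.10.10.1:443 ssl http2;
    server_name example.com;

    location /app1 {
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_certificate         "/etc/ssl/nginx/test.client.crt";
        proxy_ssl_certificate_key     "/etc/ssl/nginx/test.client.key";
        proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

        proxy_ssl_server_name on;
        # No proxy_ssl_name and no "proxy_set_header Host" here:
        # both default to $proxy_host, i.e. test.example.com.
        proxy_pass https://test.example.com/;
    }

    # Variant 2: keep an arbitrary upstream{} name ("test-upstream" from the
    # original config) and redefine every place where $proxy_host would
    # otherwise be used as the server name. (/app2 is an assumed path.)
    location /app2 {
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_certificate         "/etc/ssl/nginx/test.client.crt";
        proxy_ssl_certificate_key     "/etc/ssl/nginx/test.client.key";
        proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

        proxy_ssl_server_name on;
        proxy_ssl_name        test.example.com;   # SNI + certificate check
        proxy_set_header Host test.example.com;   # Host header seen upstream
        # If proxy_cache is enabled, the default proxy_cache_key still
        # contains $proxy_host ("test-upstream"); harmless unless several
        # locations share one cache zone and must not share entries.
        proxy_pass https://test-upstream/;
    }
}

upstream test-upstream {
    server test.example.com:11111;
}
```

With either variant the upstream's error log should no longer show "client attempted to request the server name different from the one that was negotiated", and the certificate verification name, SNI and Host header all read test.example.com. Variant 1 is the smaller change and the one the reply recommends; variant 2 is for cases where the upstream{} name must stay different from the hostname.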

