upstream SSL certificate does not match "dev_server" while SSL handshaking to upstream

satscreate sathish.create at gmail.com
Fri Mar 13 07:10:15 UTC 2020


Hi Team,
I am trying to establish encrypted communication between NGINX <-> APIs
(POST, GET) with the configuration below, but I am facing an SSL handshake
issue.

*Config:*

upstream dev_server {
    zone dev_server 64k;
    server dev1.sysmac.com:443;
    server dev2.sysmac.com:443;
    server dev3.sysmac.com:443;
}

server {
    ssl_certificate      /etc/nginx/ssl/nginx-bundle.crt;
    ssl_certificate_key  /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver 8.8.8.8 valid=300s;
    resolver_timeout 5s;
    ssl_session_timeout  5m;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Policy section
    #
    location = /_dosomething {
        internal;

        # $upstream is set outside this excerpt; the logged error below shows
        # it expanding to the group name "dev_server"
        proxy_pass https://$upstream$request_uri;

        proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers             HIGH:!aNULL:!MD5;

        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-bundle.trust.crt;

        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_server_name on;
    }

}

*Error:*
upstream SSL certificate does not match "dev_server" while SSL handshaking
to upstream, client: <my_test_machine_ip>, server: <nginx_server_ip>,
request: "POST /dosomething HTTP/1.1", upstream:
"https://<dev1.sysmac.com_ip>:443/dosomething", host: "<nginx_ip>"

*Verified with openssl:*
openssl s_client -servername NAME -connect dev1.sysmac.com:443 -showcerts -CApath /etc/ssl/certs/ca-bundle.trust.crt

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = <bla-bla>, L = <bla-bla>, O = <bla-bla>, OU = <bla-bla>, CN = dev5.sysmac.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=<bla-bla>/L=<bla-bla>/O=<bla-bla>/OU=<bla-bla>/CN=g4t7453.houston.hpe.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIHdzCCBl+gAwIBAgIQAblIEjggyGk4cIxk4xfU6TANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEw...............
-----END CERTIFICATE-----
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVM......
-----END CERTIFICATE-----
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCD.....
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=<bla-bla>/L=<bla-bla>/O=<bla-bla>/OU=servers/CN=dev5.sysmac.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4746 bytes and written 428 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: <bla-bla>
    Session-ID-ctx:
    Master-Key: <bla-bla>
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 83 b1 99 75 73 6e 7c 05-33 1b 02 70 67 68 1f b4   ...usn|.3..pgh..
    00a0 - 18 2b b0 1f 18 20 24 a4-ac ab e4 62 57 f6 1b 53   .+... $....bW..S
    00b0 - c3 d8 db 4b 15 cb 82 de-78 52 21 03 c6 25 24 06   ...K....xR!..%$.

    Start Time: 1584081168
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

*Questions:*
1. All of my upstream servers have an SSL certificate configured with the
same CN=dev5.sysmac.com, which I can see from openssl. In such a case, is
this the reason I am getting the not found error from the upstream block?

2. If not, how do I deal with such cases?

3. I am also looking at debugging the same "ssl certificate does not match".
Do I need to specifically specify an SSL cert for each /dosomething block?

Please help!!!



--
Sent from: http://nginx.2469901.n2.nabble.com/
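The error quoted in the post is what nginx reports when the name it verifies the upstream certificate against is not covered by that certificate's subjectAltName (or, failing that, its CN). With proxy_ssl_verify on and no proxy_ssl_name directive, nginx takes that name from the host part of the proxy_pass URL, which after $upstream is expanded is the upstream group name dev_server, a label no upstream certificate will carry. The following added example, which is neither part of the original post nor nginx code, re-implements that name check in Python over certificate dictionaries in the shape returned by ssl.SSLSocket.getpeercert(), so the mismatch, and what a matching proxy_ssl_name would change, can be reproduced offline. The certificate contents are constructed: only the CN dev5.sysmac.com comes from the post; its SAN entry, the wildcard certificate and the IP address are assumptions.

```python
# Added example: RFC 6125-style hostname check of the kind nginx performs
# with proxy_ssl_verify on. Not nginx code; certificates are constructed.
import ipaddress
from typing import Any, Mapping
from urllib.parse import urlsplit

# Constructed: the CN is from the post's openssl output, the SAN is assumed.
UPSTREAM_CERT: Mapping[str, Any] = {
    "subject": (
        (("countryName", "US"),),
        (("organizationalUnitName", "servers"),),
        (("commonName", "dev5.sysmac.com"),),
    ),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "DigiCert Inc"),),
        (("commonName", "DigiCert SHA2 Secure Server CA"),),
    ),
    "subjectAltName": (("DNS", "dev5.sysmac.com"),),
}

# Constructed: a certificate whose names cover every dev*.sysmac.com host.
WILDCARD_CERT: Mapping[str, Any] = {
    "subject": ((("commonName", "*.sysmac.com"),),),
    "subjectAltName": (("DNS", "*.sysmac.com"), ("IP Address", "10.0.0.5")),
}


def certificate_names(cert):
    """Return (dns_names, ip_addresses) a verifier may match against.

    Per RFC 6125 section 6.4.4 the CN is consulted only when the
    certificate carries no dNSName subjectAltName entries."""
    dns_names, ip_addrs = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_addrs.append(value)
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_addrs


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name (possibly a wildcard) against hostname.

    Case-insensitive. A wildcard is accepted only as the whole leftmost
    label, must leave at least two labels to its right, and matches exactly
    one label: *.sysmac.com covers dev1.sysmac.com but neither
    a.b.sysmac.com nor sysmac.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or pattern.count("*") != 1:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(cert, expected_name):
    """True if the certificate's SAN/CN cover expected_name (DNS name or IP)."""
    dns_names, ip_addrs = certificate_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(expected_name)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(ipaddress.ip_address(a) == wanted_ip for a in ip_addrs)
    return any(dns_name_matches(n, expected_name) for n in dns_names)


def verified_name_for(proxy_pass_url):
    """Host part of an expanded proxy_pass URL: the name nginx verifies
    against when proxy_ssl_name is not set (port and userinfo dropped)."""
    host = urlsplit(proxy_pass_url).hostname
    if not host:
        raise ValueError(f"no host in {proxy_pass_url!r}")
    return host


def upstream_check(proxy_pass_url, cert, proxy_ssl_name=None):
    """Report which name gets verified and whether the certificate covers it."""
    name = proxy_ssl_name or verified_name_for(proxy_pass_url)
    dns_names, ip_addrs = certificate_names(cert)
    return {
        "verified_name": name,
        "certificate_names": dns_names + ip_addrs,
        "match": name_matches(cert, name),
    }


if __name__ == "__main__":
    # $upstream expanded to the group name, exactly as in the logged error
    print(upstream_check("https://dev_server/dosomething", UPSTREAM_CERT))
    print(upstream_check("https://dev_server/dosomething", UPSTREAM_CERT,
                         proxy_ssl_name="dev5.sysmac.com"))
```

Run as a script, the first line prints match False for the verified name dev_server and the second prints match True once the verified name is the one the certificate actually carries; the wildcard certificate shows how a single name can cover dev1, dev2 and dev3 without covering deeper or shorter names.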

