How to establish secure connection between NGINX <-> https upstream API

Francis Daly francis at
Fri Mar 13 13:30:54 UTC 2020

On Thu, Mar 12, 2020 at 10:47:40PM -0700, satscreate wrote:

Hi there,


>        location /upstream {
>            proxy_pass https://$upstream$request_uri;
>            proxy_ssl_certificate         /etc/nginx/client.pem;
>            proxy_ssl_certificate_key     /etc/nginx/client.key;

>            proxy_ssl_trusted_certificate /etc/nginx/trusted_ca_cert.crt;

> What is below client.pem & client.key?
> is this the nginx client files which needs to be created and signed with CA?

The page you link to says

Add the client certificate and the key that will be used to
authenticate NGINX on each upstream server with proxy_ssl_certificate
and proxy_ssl_certificate_key directives:

and the documentation for those directives is at

Those files relate to the client certificate that nginx will offer to
the upstream server in order to identify itself.

> What is trusted_ca_cert.crt;?

That file allows nginx to verify that the certificate presented by the
upstream server, is one that nginx is willing to consider acceptable.

> Is this related to how can i obtain this?

Yes; the Certificate Authority that signed the
certificate should make this available to anyone they want to trust them.

> But getting below exception when i hit the API.
> upstream SSL certificate verify error: (19:self signed certificate in
> certificate chain) while SSL handshaking to upstream, client: <user_ip>,
> server: <nginx_server_ip>, request: "POST /getsomething HTTP/1.1", upstream:
> "", host: "nginx_server_ip"

I believe that that says that nginx (as the client) does not accept the
certificate provided by the server at; probably due
to nginx's proxy_ssl_trusted_certificate configuration not being what
it expects.


Francis Daly        francis at

More information about the nginx mailing list