proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?
PGNet Dev
pgnet.dev at gmail.com
Sat May 30 02:09:45 UTC 2020
I'm running
nginx -V
nginx version: nginx/1.19.0 (pgnd Build)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
...
It serves as front-end SSL termination, site host, and reverse-proxy to backend apps.
I'm trying to get a backend app to proxy_ssl_verify the proxy connection to it.
I have two self-signed certs:
One for "TLS Web Client Authentication, E-mail Protection"
openssl x509 -in test.example.com.client.crt -text | egrep "Subject.*CN|DNS|TLS"
Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl at example2.com
TLS Web Client Authentication, E-mail Protection
DNS:test.example.com, DNS:www.test.example.com, DNS:localhost
and the other, for "TLS Web Server Authentication"
openssl x509 -in test.example.com.server.crt -text | egrep "Subject.*CN|DNS|TLS"
Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl at example2.com
TLS Web Server Authentication
DNS:test.example.com, DNS:www.test.example.com, DNS:localhost
The certs 'match' CN & SAN, differing in "X509v3 Extended Key Usage".
Both are verified "OK" with my local CA cert
openssl verify -CAfile myCA.crt.pem test.example.com.server.crt
test.example.com.server.crt: OK
openssl verify -CAfile /myCA.crt.pem test.example.com.client.crt
test.example.com.client.crt: OK
My main nginx config includes,
upstream test.example.com {
server test.example.com:11111;
}
server {
listen 10.10.10.1:443 ssl http2;
server_name example.com;
...
ssl_verify_client on;
ssl_client_certificate "/etc/ssl/nginx/myCA.crt";
ssl_verify_depth 2;
ssl_certificate "/etc/ssl/nginx/example.com.server.crt";
ssl_certificate_key "/etc/ssl/nginx/example.com.server.key";
ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";
location /app1 {
proxy_pass https://test.example.com;
proxy_ssl_certificate "/etc/ssl/nginx/test.example.com.client.crt";
proxy_ssl_certificate_key "/etc/ssl/nginx/test.example.com.client.key";
proxy_ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
include includes/reverse-proxy.inc;
}
}
and the upstream config,
server {
listen 127.0.0.1:11111 ssl http2;
server_name test.example.com;
root /data/webapps/demo_app/;
index index.php;
expires -1;
ssl_certificate "/etc/ssl/nginx/test.example.com.server.crt";
ssl_certificate_key "/etc/ssl/nginx/test.example.com.server.key";
ssl_client_certificate "/etc/ssl/nginx/myCA.crt";
ssl_verify_client optional;
ssl_verify_depth 2;
location ~ \.php {
try_files $uri =404;
fastcgi_pass phpfpm;
fastcgi_index index.php;
fastcgi_param PATH_INFO $fastcgi_script_name;
include fastcgi_params;
}
}
access to
https://example.com/app1
responds,
502 Bad Gateway
logs, show an SSL handshake fail
...
2020/05/29 19:00:06 [debug] 29419#29419: *7 SSL: TLSv1.3, cipher: "TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD"
2020/05/29 19:00:06 [debug] 29419#29419: *7 http upstream ssl handshake: "/app1/?"
2020/05/29 19:00:06 [debug] 29419#29419: *7 X509_check_host(): no match
2020/05/29 19:00:06 [error] 29419#29419: *7 upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream, client: 10.10.10.73, server: example.com, request: "GET /app1/ HTTP/2.0", upstream: "https://127.0.0.1:11111/app1/", host: "example.com"
2020/05/29 19:00:06 [debug] 29419#29419: *7 http next upstream, 2
...
If I toggle
- ssl_verify_client on;
+ ssl_verify_client off;
then I'm able to connect to the backend site, as expected.
What exactly is NOT matching in the handshake? CN & SAN do ...
&/or, is there a config problem above?
More information about the nginx
mailing list