SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

Fri Nov 6 00:56:01 UTC 2020

> On 5 Nov 2020, at 22:18, meniem <nginx-forum at forum.nginx.org> wrote:
> 
> I'm trying to setup Nginx reserve proxy which redirect to a specific host
> that requires certificate for proper functionality. But I get this error
> when I hit the endpoint from the browser:
> 
> 
>    2020/11/05 19:55:21 [error] 6334#6334: *111317 SSL_do_handshake() 
>    failed (SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
> unknown ca:SSL alert n$

That means that the proxied HTTPS server could not build a full
certificate chain combined from what you have specified in the
proxy_ssl_certificate directive and their own CA certificate(s).
Hence, it aborts the handshake by sending the "unknown_ca" alert.

> 
> Here is the nginx configuration file:
> 
>    server {
>            listen 443 ssl;
>            listen [::]:443 ssl;
> 
>            ssl_certificate /home/ubuntu/appname.com.pem;
>            ssl_certificate_key /home/ubuntu/appname.com.key;
> 
>            server_name appname.com;
> 
>            ssl_protocols TLSv1.2;
> 
>            set $target_server targetapp.com:443;
> 
>            location /api/ {
>            rewrite ^/api(/.*) $1 break;
>            proxy_pass https://$target_server/$uri$is_args$args;
>            proxy_set_header X-Forwarded-Host $server_name;
>            proxy_set_header Host appname.com;
>            error_log /var/log/nginx/target_server.log debug;
>            proxy_set_header Accept-Encoding text/xml;
>            proxy_ssl_certificate /home/ubuntu/target_server_client.pem;
>            proxy_ssl_certificate_key /home/ubuntu/target_server_key.pem;
>            proxy_ssl_trusted_certificate
> /home/ubuntu/target_server_CA.pem;
>            proxy_ssl_verify off;
>            proxy_ssl_verify_depth 1;
>            proxy_ssl_server_name on;
>            }
>    }
> 
> 
> 
> 
> I tried to enable/disable both `proxy_ssl_server_name` and
> `proxy_ssl_verify`, but both didn't fix the issue.

proxy_ssl_verify works in the opposite direction and would barely help.
It's used to verify the upstream server certificate, disabled by default.

> 
> When I SSH into that server and try the below curl command, I can get the
> expected correct response, it's only when try to hit the endpoint from the
> browser:
> 
> 
>    curl -vv --cert target_server_client.pem --key target_server_key.pem 
> --cacert target_server_CA.pem --url https://targetapp.com/api 2>&1|less
> 

If proxy_ssl_certificate / proxy_ssl_certificate_key paths match those
specified in the curl command, then the problem can be somewhere else.

It could be that the behaviour depends on what the server name is sent
through SNI.  In your case it depends on what's set in $target_server
(which also requires resolver), here SNI value will be "targetapp.com".
The name is otherwise specified in the proxy_ssl_name directive.

> I'm not sure what could be the issue, I suspect it would be that the Nginx
> proxy is using the IP address instead of host name in the endpoint, that's
> why it's giving an SSL verification issue. Because it's working by curl
> command propely. I also tried to enable the proxy_ssl_server_name, but
> didn't help.

I'd check what's actually sent in SNI (upstream SSL server name).

You may want to explore debug messages for further insights.
http://nginx.org/en/docs/debugging_log.html

-- 
Sergey Kandaurov