SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert
Maxim Dounin
mdounin at mdounin.ru
Mon Nov 9 21:19:15 UTC 2020
Hello!

On Mon, Nov 09, 2020 at 03:48:08PM -0500, meniem wrote:
> Thanks Maxim for your feedback.
>
> Yeah, I believe it's an issue with the intermediate certificates. So, can
> you please let me know how I can obtain these intermediate certificates so
> that I can append them to the certificate itself.
>
> I also can't change this from the upstream server, as we are getting those
> from one of our providers.
>
> Currently I have the Certificate, Key and CA files only.

Likely the CA file contains the needed intermediate certificate.
A quick-and-dirty test would be to simply add all the CA file
contents to the proxy_ssl_certificate file, much like when
configuring certificate chains
(http://nginx.org/en/docs/http/configuring_https_servers.html#chains).

For more details, consider looking into the certificate
itself and all certificates in the CA file by using the following
command:

$ openssl x509 -subject -issuer -noout -in /path/to/cert

Results should allow you to build a chain from the certificate to
the self-signed root CA. You'll need the first certificates from this
chain, including the certificate itself, to be in the
proxy_ssl_certificate file. Most likely the certificate itself
and the intermediate CA certificate as listed in the certificate
issuer would be enough.

Note that the CA file likely contains more than one certificate,
while openssl only shows information about the first certificate
in a file. You'll have to save each of them to a separate file
for openssl to be able to see them.

--
Maxim Dounin
http://mdounin.ru/
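
The procedure described in the message above (save each certificate from the CA file separately, inspect subject and issuer, then assemble the chain for the proxy_ssl_certificate file), as an added shell example that is not part of the original message or of nginx. The function names and the cert-N.pem naming are assumptions, and issuer-to-subject links are matched with OpenSSL's `-subject_hash` / `-issuer_hash` rather than by reading the names by eye.

```shell
#!/bin/sh
# Added example: helper names and file layout are hypothetical, not from the thread.

# split_bundle BUNDLE OUTDIR
# Write each PEM certificate in BUNDLE to OUTDIR/cert-N.pem; print the count.
split_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$1"
}

# show_certs OUTDIR
# Run the command from the message on every split-out certificate.
show_certs() {
    for c in "$1"/cert-*.pem; do
        [ -f "$c" ] || continue
        echo "== $c"
        openssl x509 -subject -issuer -noout -in "$c"
    done
}

# build_chain LEAF OUTDIR CHAINFILE
# Follow issuer -> subject links from LEAF through OUTDIR and write the leaf
# plus intermediates to CHAINFILE. The self-signed root is left out (assumption:
# the peer already has it in its trust store). Returns 2 if a link is missing.
build_chain() {
    cur=$1; depth=0
    : > "$3" || return 1
    while [ "$depth" -lt 10 ]; do           # depth cap guards against loops
        subj=$(openssl x509 -noout -subject_hash -in "$cur") || return 1
        iss=$(openssl x509 -noout -issuer_hash -in "$cur") || return 1
        if [ "$subj" = "$iss" ] && [ "$depth" -gt 0 ]; then return 0; fi
        cat "$cur" >> "$3"
        if [ "$subj" = "$iss" ]; then return 0; fi   # self-signed leaf
        next=
        for c in "$2"/cert-*.pem; do
            [ -f "$c" ] || continue
            h=$(openssl x509 -noout -subject_hash -in "$c") || continue
            if [ "$h" = "$iss" ]; then next=$c; break; fi
        done
        [ -n "$next" ] || { echo "issuer of $cur not in $2" >&2; return 2; }
        cur=$next; depth=$((depth + 1))
    done
    return 3
}
```

Typical use is `split_bundle ca.pem parts`, then `show_certs parts`, then `build_chain cert.pem parts chain.pem`; the resulting chain file is a candidate for proxy_ssl_certificate.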