SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

Maxim Dounin mdounin at
Mon Nov 9 21:19:15 UTC 2020


On Mon, Nov 09, 2020 at 03:48:08PM -0500, meniem wrote:

> Thanks Maxim for your feedback.
> Yeah, I believe it's an issue with the intermediate certificates. So, can
> you please let me know how I can obtain these intermediate certificates so
> that I can append them to the certificate itself.
> I also can't change this from the upstream server, as we are getting those
> from one of our providers.
> Currently I have the Certificate, Key and CA files only.

Likely the CA file contains the needed intermediate certificate.
A quick-and-dirty test would be to simply add all the CA file
contents to the proxy_ssl_certificate file, much like when
configuring certificate chains.

For more details, consider looking into the certificate
itself and all certificates in the CA file by using the following:
$ openssl x509 -subject -issuer -noout -in /path/to/cert

Results should allow you to build a chain from the certificate to
the self-signed root CA.  You'll need the first certificates from this
chain, including the certificate itself, to be in the
proxy_ssl_certificate file.  Most likely the certificate itself
and the intermediate CA certificate as listed in the certificate
issuer would be enough.

Note that the CA file likely contains more than one certificate, 
while openssl only shows information about the first certificate 
in a file.  You'll have to save each of them to a separate file 
for openssl to be able to see them.

Maxim Dounin
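
The procedure described in the reply above, as an added example that is not part of the original message: it splits the CA file into one certificate per file so openssl can read each one, then follows the subject/issuer links upward from the certificate and emits the certificate plus its intermediates, leaving out the self-signed root. The function names, the `ca-N.pem` naming and all paths are assumptions.

```bash
# Added example; function names, ca-N.pem naming and paths are assumptions.

# Split a PEM bundle into <outdir>/ca-1.pem, ca-2.pem, ...; prints the count.
split_pem_bundle() {    # $1 = bundle file, $2 = output directory
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Print the subject or issuer DN of the first certificate in a file.
cert_field() {          # $1 = subject | issuer, $2 = PEM file
    openssl x509 -noout "-$1" -in "$2" 2>/dev/null | sed -E "s/^$1= *//"
}

# Emit the certificate followed by its intermediates, in chain order.
# Stops before a self-signed root, or when the issuer is not in the directory.
build_chain() {         # $1 = certificate, $2 = directory from split_pem_bundle
    local current="$1" depth=0 issuer next f
    cat "$1"
    while [ "$depth" -lt 10 ]; do              # guard against issuer loops
        issuer=$(cert_field issuer "$current")
        # The current certificate is self-signed: nothing above it to add.
        if [ "$issuer" = "$(cert_field subject "$current")" ]; then break; fi
        next=""
        for f in "$2"/ca-*.pem; do
            if [ "$(cert_field subject "$f")" = "$issuer" ]; then
                next="$f"; break
            fi
        done
        if [ -z "$next" ]; then break; fi      # issuer missing from the CA file
        # The issuer is a self-signed root: leave it out of the chain file.
        if [ "$(cert_field issuer "$next")" = "$issuer" ]; then break; fi
        cat "$next"
        current="$next"; depth=$((depth + 1))
    done
}

# Usage (placeholder paths):
#   split_pem_bundle /path/to/ca ./ca-split
#   build_chain /path/to/cert ./ca-split > chain.pem
#   # then point proxy_ssl_certificate at chain.pem
```
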
