upstream SSL certificate does not match "x.x.x.x"

bouvierh nginx-forum at
Wed Oct 28 04:28:04 UTC 2020


I have a configuration with an nginx proxy server "NGINX_SERVER" as the
        listen 443 ssl default_server;

        chunked_transfer_encoding on;

        ssl_certificate        server.crt;
        ssl_certificate_key    private_key_server.pem;
        ssl_client_certificate trustedCA.crt;
        #ssl_verify_depth 7;
        ssl_verify_client optional_no_ca;

        location / {
            proxy_http_version 1.1;
            proxy_ssl_trusted_certificate trustedCA.crt;
            proxy_ssl_verify_depth 7;
            proxy_ssl_verify       on;

The server "" has a server certificate generated for an IP. When
I do 
curl  --cacert trustedCA.crt -v 
from "NGINX_SERVER", everything works fine. So the server certificate from
"" should be good.
Additionally, openssl s_client -connect -showcerts -verify
9 -CAfile trustedCA.crt is good too.

However when I try to curl my "NGINX_SERVER":
curl https://"NGINX_SERVER"
I get:
 *110 upstream SSL certificate does not match "" while SSL
handshaking to upstream, client:, server: , request: 

Looking at the server certificate, everything looks ok:
        Subject: CN =
            X509v3 Subject Alternative Name:
                IP Address:, DNS:iotedgeapiproxy

I am at a loss. How can curl/openssl tell me my server cert is valid while
nginx is telling me it is wrong? What am I doing wrong?
Thank you!

Posted at Nginx Forum:,289813,289813#msg-289813
