Upstream certificate validation - Servers in a server group

Maxim Dounin mdounin at mdounin.ru
Tue Mar 1 14:05:17 UTC 2022 

Hello!

On Tue, Mar 01, 2022 at 09:26:23AM +0000, Nitsan Matsliah via nginx wrote:

> Assuming I have 2 servers in an upstream server group:
> 
>   1.  Test1.server.local
>   2.  Test2.server.local
> Each one of these servers holds their own FQDN in their 
> respective certificates.
> Test1.server.local will have test1.server.local as its subject 
> and subject alternative name in the certificate it serves.
> Test2.server.local will have test2.server.local as its subject 
> and subject alternative name in the certificate it serves.
> 
> Now, let’s assume that the name of the upstream group or 
> proxy_ssl_name is Test.server.local, nginx will compare the 
> subject name from each certificate (either test1.server.local or 
> test2.server.local) to the upstream group name - 
> test.server.local and would complain about a mismatch.
> Unless test.server.local is added to each upstream server 
> certificate this issue will persist.
> 
> Is there any way around this using maybe nginx plus or any other 
> alternative?

That's expected behaviour: an upstream group is essentially a more 
sophisticated replacement for a domain name which resolves to 
multiple IP addresses.  All servers in the upstream group are 
expected to be equal: to be able to answer to the same requests, 
respond to the same SNI name (assuming proxy_ssl_server_name is 
used), and to return SSL certificates matching the same name.

You can use the proxy_ssl_name to change the expected name, for 
example, if the name of the upstream group does not match the name 
in the certificates used.  That is, if you are using "upstream 
test {...}" in the configuration, but servers use the 
"test.example.com" in the certificates.  But this directive cannot 
be used to provide different names for different servers in the 
upstream group.  Much like you cannot use proxy_set_header to add 
different headers to requests sent to different servers.

Proper solution for your configuration would be to provide 
appropriate (and the same) name in certificates used by all 
servers in the upstream group.  If for some reason you have to 
connect to servers which are using different names in the 
certificates, consider using separate upstream blocks for such 
servers.

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx mailing list