correct Nginx Unix SNI usage? getting error "SSL_get_servername() returned NULL in server name callback"
Sergey Kandaurov
pluknet at nginx.com
Tue Jun 15 10:50:51 UTC 2021
> On 13 Jun 2021, at 23:34, Bill <bill14653 at protonmail.com> wrote:
>
> Hi,
>
> I installed
>
> unit version: 1.24.0
>
> It's behind a Nginx reverse proxy
>
> upstream UNIT { server 127.0.0.1:12345; }
> server {
> server_name example.com;
> location /testA {
> proxy_pass https://UNIT/testB;
> proxy_ssl_name example1.com;
> proxy_ssl_certificate "/www/example1.com.client.crt";
> proxy_ssl_certificate_key "/www/example1.com.client.key";
> ...
> }
> location /testB {
> proxy_pass https://UNIT/testB;
> proxy_ssl_name example2.com;
> proxy_ssl_certificate "/www/example2.com.client.crt";
> proxy_ssl_certificate_key "/www/example2.com.client.key";
> ...
> }
> ...
>
> I want to set up SSL for SNI.
You likely forgot to enable passing SNI to the proxied server (unit).
By default, it is disabled in nginx. See for details:
http://nginx.org/r/proxy_ssl_server_name
>
> I watched Timo Stark's
>
> NGINX Unit 1.23 - SNI Deep Dive
> https://www.youtube.com/watch?v=absaan-8y1Q
>
> which was the best, and only, 'documentation' I could find that actually mentions the new SNI usage.
>
> My certs are good, and work great in Nginx, front and/or backends.
>
> For unit, I created server cert bundles, and uploaded them to Unit config
>
> {
> "certificates": {
> "example1.com.server": {
> "key": "ECDH",
> "chain": [
> {
> "subject": {
> "common_name": "example1.com",
> "alt_names": [
> "example1.com",
> "www.example1.com"
> ],
>
> "country": "US",
> ...
> },
>
> "example2.com.server": {
> "key": "ECDH",
> "chain": [
> {
> "subject": {
> "common_name": "example2.com",
> "alt_names": [
> "example2.com",
> "www.example2.com"
> ],
>
> "country": "US",
> ...
> },
>
> and the listener is configured for SNI with both certs
>
> "config": {
> "listeners": {
> "127.0.0.1:12345": {
> "pass": "routes/main",
> "tls": {
> "certificate": [
> "example1.com.server",
> "example2.com.server"
> ],
>
> "conf_commands": {
> "minprotocol": "TLSv1.3",
> "ciphersuites":
> "TLS_CHACHA20_POLY1305_SHA256"
> }
> }
> }
> },
>
> "routes": {
> ...
> }
>
>
> when I access
>
> https://example.com/testA
>
> I get in the log
>
> ==> /var/log/www/unit.log <==
> 2021/06/13 15:46:20 [alert] 35036#35041 *21 SSL_get_servername() returned NULL in server name callback
That likely means that unit didn't receive SNI
(because nginx didn't send SNI to unit).
>
> ==> /var/log/www/nginx.error.log <==
> 2021/06/13 15:46:20 [crit] 29271#29271: *30 SSL_do_handshake() failed (SSL: error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:SSL alert number 112) while SSL handshaking to upstream, client: fe80::5ec:3ecf:dd74:fa2e, server: example.com, request: "GET /testA HTTP/2.0", upstream: "https://127.0.0.1:12345/testA", host: "example.com"
> 2021/06/13 15:46:20 [warn] 29271#29271: *30 upstream server temporarily disabled while SSL handshaking to upstream, client: fe80::5ec:3ecf:dd74:fa2e, server: example.com, request: "GET /testA HTTP/2.0", upstream: "https://127.0.0.1:12345/testA", host: "example.com"
Then unit sent back the SSL alert unrecognized_name(112).
>
> ==> /var/log/www/unit.log <==
> 2021/06/13 15:46:20 [alert] 35036#35041 *21 SSL_do_handshake(97) failed (234: callback failed) (OpenSSL: error:1422E0EA:SSL routines:final_server_name:callback failed)
>
> Since my certs are fine with SNI in Nginx I'm sure it's my wrong usage for Unit.
>
> What in, or missing from, the config is causing that "NULL in server name callback" error?
>
> Bill
> _______________________________________________
> unit mailing list
> unit at nginx.org
> https://mailman.nginx.org/mailman/listinfo/unit
--
Sergey Kandaurov
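As an added example (not part of the thread, and not Unit's or nginx's own documentation), here is the poster's reverse-proxy configuration with the directive Sergey points to, proxy_ssl_server_name, switched on in each location. It also turns on upstream certificate verification, which nginx does not do by default; the trust store path /etc/ssl/unit-ca.pem is an assumption, as is the choice to pin the upstream protocol to TLSv1.3 to match the listener's minprotocol setting.

```nginx
# Added example: nginx -> Unit with SNI forwarding enabled.
# proxy_ssl_server_name defaults to off, so without it nginx opens the TLS
# connection to Unit with no SNI, Unit's server-name callback sees NULL and
# replies with the unrecognized_name(112) alert seen in the logs above.
upstream UNIT { server 127.0.0.1:12345; }

server {
    server_name example.com;

    location /testA {
        proxy_pass https://UNIT/testB;

        # Put the value of proxy_ssl_name into the ClientHello SNI extension.
        proxy_ssl_server_name on;
        proxy_ssl_name        example1.com;

        # Client certificate nginx presents to Unit (paths from the thread).
        proxy_ssl_certificate     /www/example1.com.client.crt;
        proxy_ssl_certificate_key /www/example1.com.client.key;

        # Verify the certificate Unit serves against proxy_ssl_name.
        # /etc/ssl/unit-ca.pem is an assumed path for the CA that issued
        # the example1.com.server / example2.com.server bundles.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/unit-ca.pem;

        # Unit's listener sets minprotocol TLSv1.3, so offer only that.
        proxy_ssl_protocols TLSv1.3;
    }

    location /testB {
        proxy_pass https://UNIT/testB;

        proxy_ssl_server_name on;
        proxy_ssl_name        example2.com;

        proxy_ssl_certificate     /www/example2.com.client.crt;
        proxy_ssl_certificate_key /www/example2.com.client.key;

        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/unit-ca.pem;
        proxy_ssl_protocols           TLSv1.3;
    }
}
```

proxy_ssl_server_name can equally be set once at the server or http level instead of per location; what matters is that it is on wherever proxy_ssl_name is relied upon for certificate selection. After reloading, a successful request should leave no "SSL_get_servername() returned NULL" line in unit.log, and nginx's error log should no longer show the SSL alert number 112 handshake failure. With proxy_ssl_verify on, a mismatch between the name sent as SNI and the certificate Unit returns will fail the handshake on the nginx side rather than be silently accepted.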