nett_hier asked:
I’m currently trying to set up nginx as a proxy for a website which requires certificate authentication.
The following curl command works perfectly:
curl --cacert ca-cert.pem -v --key client.key --cert client.pem https://example.com:443
However, the following nginx configuration seems to be rejected by the server:
server {
listen 80;
location / {
proxy_pass https://example.com;
proxy_set_header Host example.com;
proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;
proxy_ssl_trusted_certificate /etc/nginx/ca-cert.pem;
proxy_ssl_verify off;
}
}
The full error from the nginx logs is:
2021/03/08 20:43:06 [error] 29#29: *1 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking to upstream, client: 172.17.0.1, server: , request: "GET / HTTP/1.1", upstream: "https://x.x.x.x:443/", host: "localhost:80"
Does anyone know what’s going on? Isn’t the nginx config equivalent to the curl command?
My answer:
This error means that nginx could not verify the upstream server’s TLS server certificate using the CA certificate you provided in proxy_ssl_trusted_certificate. Check that you have actually supplied the CA certificate that signed the server’s certificate.
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.