nginx tlsv1 alert unknown ca:SSL alert number 48

nett_hier asked:

I’m currently trying to set up nginx as a proxy for a website which requires certificate authentication.
The following curl command works perfectly:

curl --cacert ca-cert.pem -v --key client.key --cert client.pem

However, the following nginx configuration seems to be rejected by the server:

server {
        listen      80;

        location / {
            proxy_pass            ;
            proxy_set_header                Host;
            proxy_ssl_certificate           /etc/nginx/client.pem;
            proxy_ssl_certificate_key       /etc/nginx/client.key;
            proxy_ssl_trusted_certificate   /etc/nginx/ca-cert.pem;
            proxy_ssl_verify                off;
        }
}

The full error from the nginx logs is:

2021/03/08 20:43:06 [error] 29#29: *1 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking to upstream, client:, server: , request: "GET / HTTP/1.1", upstream: "https://x.x.x.x:443/", host: "localhost:80"

Does anyone know what’s going on? Isn’t the nginx config equivalent to the curl command?

My answer:

This error means that nginx could not verify the upstream server’s TLS server certificate using the CA certificate you provided in proxy_ssl_trusted_certificate. Check that you have actually supplied the CA certificate that signed the server’s certificate.

View the full question and any other answers on Server Fault.
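The check the answer recommends, whether a given CA file actually signed a given certificate, can be run offline with `openssl verify`. This is an added example, not part of the original question or answer; the CA and certificate names are constructed throwaway test material and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: every key and certificate here is constructed test material.

# signed_by CA_FILE CERT_FILE: succeeds only if CERT_FILE chains to CA_FILE.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_ca DIR NAME: create a self-signed test CA (NAME.key, NAME.pem) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA NAME: create NAME.pem in DIR, signed by the test CA named CA.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# demo: one certificate, checked against the CA that signed it and against
# an unrelated CA. Returns 0 only if the first passes and the second fails.
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" signing-ca
    make_ca "$d" unrelated-ca
    make_leaf "$d" signing-ca upstream
    if signed_by "$d/signing-ca.pem" "$d/upstream.pem"; then good=ok; else good=rejected; fi
    if signed_by "$d/unrelated-ca.pem" "$d/upstream.pem"; then bad=ok; else bad=rejected; fi
    rm -rf "$d"
    echo "signing CA: $good, unrelated CA: $bad"
    [ "$good" = ok ] && [ "$bad" = rejected ]
}

demo
```

Against real files, `signed_by ca-cert.pem server.pem` performs the same check, where `server.pem` is an assumed name for a saved copy of the certificate under test.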

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.