March 13, 2020 03:12AM
Hi Team,
I am trying to establish encrypted communication between NGINX <-> the APIs
(POST, GET) with the configuration below, but I am facing some SSL handshake


upstream dev_server {
    zone dev_server 64k;
    # server entries omitted in the original post
}

server {
    # listen directive omitted in the original post
    ssl_certificate /etc/nginx/ssl/nginx-bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    resolver valid=300s;   # resolver address omitted in the original post
    resolver_timeout 5s;
    ssl_session_timeout 5m;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Policy section
    location = /_dosomething {

        proxy_pass https://$upstream$request_uri;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        proxy_ssl_trusted_certificate /etc/ssl/certs/;

        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
        proxy_ssl_server_name on;
    }
}


upstream SSL certificate does not match "dev_server" while SSL handshaking
to upstream, client: <my_test_machine_ip>, server: <nginx_server_ip>,
request: "POST /dosomething HTTP/1.1", upstream:
"https://<dev1.sysmac.com_ip>:443/dosomething", host: "<nginx_ip>"

*Verified with openssl:*
openssl s_client -servername NAME -connect -showcerts
-CApath /etc/ssl/certs/

depth=2 C = US, O = DigiCert Inc, OU =, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = <bla-bla>, L = <bla-bla>, O = <bla-bla>, OU = <bla-bla>, CN =
verify return:1
Certificate chain
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/ Global Root CA
2 s:/C=US/O=DigiCert Inc/ Global Root CA
i:/C=US/O=DigiCert Inc/ Global Root CA
Server certificate
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 4746 bytes and written 428 bytes
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: <bla-bla>
Master-Key: <bla-bla>
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 83 b1 99 75 73 6e 7c 05-33 1b 02 70 67 68 1f b4
00a0 - 18 2b b0 1f 18 20 24 a4-ac ab e4 62 57 f6 1b 53 .+...
00b0 - c3 d8 db 4b 15 cb 82 de-78 52 21 03 c6 25 24 06

Start Time: 1584081168
Timeout : 300 (sec)
Verify return code: 0 (ok)

1. All of my upstream servers have an SSL certificate configured with the same SSL
contents, which I can see from openssl. In such a case, is
this the reason I am getting a not found error from the upstream block?

2. If not, how do I deal with such cases?

3. I am also looking at how to debug the same "ssl certificate does not match" error.
Do I need to specifically specify an SSL cert for each /dosomething block?

Please help!!!

Sent from:
nginx mailing list
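Added example, not the poster's configuration: the root cause of the logged error is that, with proxy_ssl_verify on, nginx checks the backend certificate against the host part of the proxy_pass URL, which here is the upstream group name "dev_server", not a name present in the certificate. The fix is proxy_ssl_name, and proxy_ssl_trusted_certificate must point to a PEM file rather than a directory. This example assumes the backend certificate is issued for dev1.sysmac.com (the host seen in the error log) and that the system CA bundle lives at /etc/ssl/certs/ca-certificates.crt.

```nginx
# Added example (not the poster's config).
# Assumptions: backend certificate is for dev1.sysmac.com; the trusted CA
# bundle is the single PEM file /etc/ssl/certs/ca-certificates.crt.

upstream dev_server {
    zone dev_server 64k;
    server dev1.sysmac.com:443;   # placeholder for the real backend(s)
}

server {
    listen 443 ssl;
    # listener certificate, protocols and headers as in the original post

    # BEFORE (verification can never succeed):
    # nginx takes the host from proxy_pass, i.e. "dev_server", and compares
    # it to the backend certificate's SAN/CN. A directory is also not a
    # valid value for proxy_ssl_trusted_certificate; it expects a PEM file.
    #
    # location = /_dosomething {
    #     proxy_pass https://dev_server$request_uri;
    #     proxy_ssl_verify on;
    #     proxy_ssl_trusted_certificate /etc/ssl/certs/;
    # }

    # AFTER (verification succeeds and is meaningful):
    location = /_dosomething {
        proxy_pass https://dev_server;

        # Name to verify the backend certificate against and to send as SNI.
        # Without it, the host part of proxy_pass ("dev_server") is used.
        proxy_ssl_name dev1.sysmac.com;
        proxy_ssl_server_name on;

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_ciphers HIGH:!aNULL:!MD5;

        # One PEM file holding the trusted CA chain (the DigiCert roots here).
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
    }
}
```

Because every location that proxies over TLS derives its verification name the same way, a per-location proxy_ssl_name (or one set at server level) is needed wherever the proxy_pass host is an upstream group name rather than the backend's real hostname.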
Thread:
- upstream SSL certificate does not match "dev_server" while SSL handshaking to upstream (satscreate, March 13, 2020 03:12AM)
- Re: upstream SSL certificate does not match "dev_server" while SSL handshaking to upstream (satscreate, March 13, 2020 05:00AM)
