Welcome! Log In Create A New Profile

Advanced

proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev
May 29, 2020 10:10PM
 I'm running

nginx -V
nginx version: nginx/1.19.0 (pgnd Build)
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
...

It serves as front-end SSL termination, site host, and reverse-proxy to backend apps.

I'm trying to get a backend app to proxy_ssl_verify the proxy connection to it.

I have two self-signed certs:

One for "TLS Web Client Authentication, E-mail Protection"

openssl x509 -in test.example.com.client.crt -text | egrep "Subject.*CN|DNS|TLS"
Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl@example2.com
TLS Web Client Authentication, E-mail Protection
DNS:test.example.com, DNS:www.test.example.com, DNS:localhost

and the other, for "TLS Web Server Authentication"

openssl x509 -in test.example.com.server.crt -text | egrep "Subject.*CN|DNS|TLS"
Subject: C = US, ST = NY, L = New_York, O = example2.com, OU = myCA, CN = test.example.com, emailAddress = ssl@example2.com
TLS Web Server Authentication
DNS:test.example.com, DNS:www.test.example.com, DNS:localhost

The certs 'match' CN & SAN, differing in "X509v3 Extended Key Usage".

Both are verified "OK" with my local CA cert

openssl verify -CAfile myCA.crt.pem test.example.com.server.crt
test.example.com.server.crt: OK

openssl verify -CAfile /myCA.crt.pem test.example.com.client.crt
test.example.com.client.crt: OK

My main nginx config includes,

upstream test.example.com {
server test.example.com:11111;
}
server {

listen 10.10.10.1:443 ssl http2;
server_name example.com;
...

ssl_verify_client on;
ssl_client_certificate "/etc/ssl/nginx/myCA.crt";
ssl_verify_depth 2;
ssl_certificate "/etc/ssl/nginx/example.com.server.crt";
ssl_certificate_key "/etc/ssl/nginx/example.com.server.key";
ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";

location /app1 {
proxy_pass https://test.example.com;
proxy_ssl_certificate "/etc/ssl/nginx/test.example.com.client.crt";
proxy_ssl_certificate_key "/etc/ssl/nginx/test.example.com.client.key";
proxy_ssl_trusted_certificate "/etc/ssl/nginx/myCA.crt";
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
include includes/reverse-proxy.inc;
}
}

and the upstream config,

server {
listen 127.0.0.1:11111 ssl http2;
server_name test.example.com;

root /data/webapps/demo_app/;
index index.php;
expires -1;

ssl_certificate "/etc/ssl/nginx/test.example.com.server.crt";
ssl_certificate_key "/etc/ssl/nginx/test.example.com.server.key";

ssl_client_certificate "/etc/ssl/nginx/myCA.crt";
ssl_verify_client optional;
ssl_verify_depth 2;

location ~ \.php {
try_files $uri =404;
fastcgi_pass phpfpm;
fastcgi_index index.php;
fastcgi_param PATH_INFO $fastcgi_script_name;
include fastcgi_params;
}

}

access to

https://example.com/app1

responds,

502 Bad Gateway

logs, show an SSL handshake fail

...
2020/05/29 19:00:06 [debug] 29419#29419: *7 SSL: TLSv1.3, cipher: "TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD"
2020/05/29 19:00:06 [debug] 29419#29419: *7 http upstream ssl handshake: "/app1/?"
2020/05/29 19:00:06 [debug] 29419#29419: *7 X509_check_host(): no match
2020/05/29 19:00:06 [error] 29419#29419: *7 upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream, client: 10.10.10.73, server: example.com, request: "GET /app1/ HTTP/2.0", upstream: "https://127.0.0.1:11111/app1/", host: "example.com"
2020/05/29 19:00:06 [debug] 29419#29419: *7 http next upstream, 2
...

If I toggle

- ssl_verify_client on;
+ ssl_verify_client off;

then I'm able to connect to the backend site, as expected.

What exactly is NOT matching in the handshake? CN & SAN do ...

&/or, is there a config problem above?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev May 29, 2020 10:10PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 01, 2020 11:44AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 12:44AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 01:00AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Sergey Kandaurov June 02, 2020 05:52AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Francis Daly June 02, 2020 11:28AM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 03:12PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 02, 2020 03:36PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev June 02, 2020 04:02PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 02, 2020 07:14PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Maxim Dounin June 02, 2020 03:22PM

Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

Francis Daly June 04, 2020 11:20AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 50
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready