Re: proxy_ssl_verify error: 'upstream SSL certificate does not match "test.example.com" while SSL handshaking to upstream', for CN/SAN 'matched' client & server certs ?

PGNet Dev
June 02, 2020 04:02PM
On 6/2/20 12:34 PM, Maxim Dounin wrote:
> The mis-match comes from trying to redefine the name in some parts
> of the configuration but not others. Hope the above explanation
> helps.

I've reread your comment

> That is, the name you've written in the proxy_pass directive is
> the actual hostname, and it will be used in the Host header when
> creating requests to upstream server. And it is also used in the
> proxy_ssl_name, so it will be used during SSL handshake for SNI
> and certificate verification.
>
> It's not just "an upstream name". If you want it to be only an
> upstream name, you'll have to redefine at least proxy_ssl_name and
> "proxy_set_header Host". (Well, not really, since $proxy_host is
> also used at least in the proxy_cache_key, but this is probably
> not that important.)

a bunch of times. Still can't grasp it clearly. Which is the source of the pebkac :-/

Otoh, simply _doing_

> Alternatively, you may want to use the real name, and define an
> upstream{} block with that name. This way you won't need to
> redefine anything.

i.e., changing to EITHER

case (1):

vhost config,

- upstream test-upstream {
+ upstream test.example.com {
server test.example.com:11111;
}

server {
listen 10.10.10.1:443 ssl http2;
server_name example.com;

...
location /app1 {

proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_certificate "/etc/ssl/nginx/test.client.crt";
proxy_ssl_certificate_key "/etc/ssl/nginx/test.client.key";
proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

- proxy_pass https://test-upstream/;
+ proxy_pass https://test.example.com/;
proxy_ssl_server_name on;
proxy_ssl_name test.example.com;

}
}

and, upstream config

server {
listen 127.0.0.1:11111 ssl http2;
server_name test.example.com;

root /srv/www/test;
index index.php;
expires -1;

ssl_certificate "/etc/ssl/nginx/test.server.crt";
ssl_certificate_key "/etc/ssl/nginx/test.server.key";
ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

- ssl_verify_client off;
+ ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate "/etc/ssl/nginx/ca_int.crt";

location ~ \.php {
try_files $uri =404;
fastcgi_pass phpfpm;
fastcgi_index index.php;
fastcgi_param PATH_INFO $fastcgi_script_name;
include includes/fastcgi/fastcgi_params;
}

error_log /var/log/nginx/test.error.log info;
}

or

case (2):

vhost config,

- upstream test-upstream {
+ upstream JUNK {
server test.example.com:11111;
}

server {
listen 10.10.10.1:443 ssl http2;
server_name example.com;

...
location /app1 {

proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
proxy_ssl_certificate "/etc/ssl/nginx/test.client.crt";
proxy_ssl_certificate_key "/etc/ssl/nginx/test.client.key";
proxy_ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

- proxy_pass https://test-upstream/;
+ proxy_pass https://test.example.com:11111/;
proxy_ssl_server_name on;
proxy_ssl_name test.example.com;

}
}

and, upstream config

server {
listen 127.0.0.1:11111 ssl http2;
server_name test.example.com;

root /srv/www/test;
index index.php;
expires -1;

ssl_certificate "/etc/ssl/nginx/test.server.crt";
ssl_certificate_key "/etc/ssl/nginx/test.server.key";
ssl_trusted_certificate "/etc/ssl/nginx/ca_int.crt";

- ssl_verify_client off;
+ ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate "/etc/ssl/nginx/ca_int.crt";

location ~ \.php {
try_files $uri =404;
fastcgi_pass phpfpm;
fastcgi_index index.php;
fastcgi_param PATH_INFO $fastcgi_script_name;
include includes/fastcgi/fastcgi_params;
}

error_log /var/log/nginx/test.error.log info;
}

now, in _either_ case, access to

https://example.com/app1
https://example.com/app1/

_does_ return my 'test' app correctly

I _do_ see in logs

in case (2), a single error instance,

2020/06/02 12:51:11 [debug] 6140#6140: *3 reusable connection: 1
2020/06/02 12:51:11 [debug] 6140#6140: *3 http wait request handler
2020/06/02 12:51:11 [debug] 6140#6140: *3 malloc: 0000563CDA76DF10:1024
2020/06/02 12:51:11 [debug] 6140#6140: *3 SSL_read: 345
2020/06/02 12:51:11 [debug] 6140#6140: *3 SSL_read: -1
??? 2020/06/02 12:51:11 [debug] 6140#6140: *3 SSL_get_error: 2
2020/06/02 12:51:11 [debug] 6140#6140: *3 reusable connection: 0
2020/06/02 12:51:11 [debug] 6140#6140: *3 posix_memalign: 0000563CDA2963A0:4096 @16
2020/06/02 12:51:11 [debug] 6140#6140: *3 posix_memalign: 0000563CDA650060:4096 @16

&

in case (1), a double error instance

2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read_early_data: 2, 0
2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_do_handshake: 1
2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL: TLSv1.2, cipher: "ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD"
2020/06/02 12:53:46 [debug] 6267#6267: *6 reusable connection: 1
2020/06/02 12:53:46 [debug] 6267#6267: *6 http wait request handler
2020/06/02 12:53:46 [debug] 6267#6267: *6 malloc: 0000563C0F2ADAB0:1024
2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read: -1
??? 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_get_error: 2
2020/06/02 12:53:46 [debug] 6267#6267: *6 free: 0000563C0F2ADAB0
2020/06/02 12:53:46 [debug] 6267#6267: *6 http wait request handler
2020/06/02 12:53:46 [debug] 6267#6267: *6 malloc: 0000563C0F2ADAB0:1024
2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read: 339
2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_read: -1
??? 2020/06/02 12:53:46 [debug] 6267#6267: *6 SSL_get_error: 2
2020/06/02 12:53:46 [debug] 6267#6267: *6 reusable connection: 0
2020/06/02 12:53:46 [debug] 6267#6267: *6 posix_memalign: 0000563C0F18FA60:4096 @16
2020/06/02 12:53:46 [debug] 6267#6267: *6 posix_memalign: 0000563C0EDD4B10:4096 @16
2020/06/02 12:53:46 [debug] 6267#6267: *6 http process request line


but that error doesn't seem to be fatal.

any idea what's causing those^^ errors?


_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
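The name-propagation rule Maxim describes above (proxy_pass host becomes $proxy_host, which feeds the Host header and, via proxy_ssl_name, the SNI and the certificate verification name) can be modelled and checked offline. The following is an added example written for this page; it is not code from the original post or from nginx. The certificate names are a constructed sample standing in for test.server.crt, the port-stripping and default-value behaviour are stated as assumptions in the comments, and the hostname matching is a simplified RFC 6125-style comparison rather than a call into OpenSSL. It shows why `upstream test-upstream` fails verification while both case (1) and case (2) pass, and why redefining proxy_ssl_name is the other way out.

```python
"""
Added example, not from the original post or from nginx itself: it models how
the name written in proxy_pass propagates under nginx's defaults as described
in the thread ($proxy_host -> Host header, proxy_ssl_name -> SNI and
certificate verification name) and checks whether an upstream certificate's
names would satisfy proxy_ssl_verify for that name.
"""
from urllib.parse import urlsplit

# Constructed sample: the names the upstream server certificate in the thread
# (test.server.crt) is assumed to carry. Not parsed from a real file.
SAMPLE_UPSTREAM_CERT = {
    "cn": "test.example.com",
    "san_dns": ["test.example.com", "*.test.example.com"],
}


def effective_proxy_names(proxy_pass, proxy_ssl_name=None):
    """Return (host_header, ssl_name) nginx would use for an https:// proxy_pass.

    Assumptions (from the thread plus nginx documentation):
      * $proxy_host is the host[:port] part of the proxy_pass URL and is the
        default value of the proxied Host header;
      * proxy_ssl_name defaults to $proxy_host, and nginx strips any :port
        before using the name for SNI and certificate verification.
    Variables in proxy_pass and IP literals are out of scope here.
    """
    proxy_host = urlsplit(proxy_pass).netloc
    ssl_name = proxy_ssl_name if proxy_ssl_name else proxy_host
    ssl_name = ssl_name.split(":", 1)[0]  # drop :port, as nginx does for SNI
    return proxy_host, ssl_name


def hostname_matches(pattern, hostname):
    """Match one certificate name (possibly a wildcard) against a hostname.

    Simplified RFC 6125 rules: case-insensitive exact match, or a wildcard
    that is the whole left-most label, matches exactly one label, and is not
    the only or second-level label (so "*.com" never matches).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert, expected_name):
    """True if the certificate's DNS SANs cover expected_name. The CN is
    consulted only when the certificate carries no DNS SANs at all, which is
    the precedence modern verifiers apply."""
    candidates = cert.get("san_dns") or ([cert["cn"]] if cert.get("cn") else [])
    return any(hostname_matches(name, expected_name) for name in candidates)


def diagnose(proxy_pass, cert, proxy_ssl_name=None):
    """Summarise what a given proxy_pass would send and whether verification
    against `cert` would pass. Returns a dict so callers can assert on it."""
    host_header, ssl_name = effective_proxy_names(proxy_pass, proxy_ssl_name)
    ok = cert_matches(cert, ssl_name)
    return {
        "host_header": host_header,
        "sni_and_verify_name": ssl_name,
        "verified": ok,
        "note": "ok" if ok else
                'upstream SSL certificate does not match "%s"' % ssl_name,
    }


if __name__ == "__main__":
    scenarios = [
        ("https://test-upstream/", None),               # original failing config
        ("https://test-upstream/", "test.example.com"), # fix: redefine proxy_ssl_name
        ("https://test.example.com/", None),            # case (1): upstream named after the host
        ("https://test.example.com:11111/", None),      # case (2): host:port directly
    ]
    for proxy_pass, ssl_name in scenarios:
        print(proxy_pass, ssl_name or "(default proxy_ssl_name)",
              diagnose(proxy_pass, SAMPLE_UPSTREAM_CERT, ssl_name))
```

Run it as a script to see the four scenarios side by side; the only configuration whose verification name is `test-upstream` is the one that produced the error quoted in the thread subject, and case (2) additionally shows that the `:11111` port reaches the Host header but not the SNI/verification name.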