Welcome! Log In Create A New Profile

Advanced

Re: Unable to proxy pass to https backend on nginx

Francis Daly
September 07, 2020 07:12AM
On Sun, Sep 06, 2020 at 10:15:28AM -0400, ravansh wrote:

Hi there,

> I am unable to reverse proxy to my https backend. what am i doing wrong? I
> am using the same set of cert for the backend and frontend as I am running
> them both on the same machine. I got my certificates from zerossl. Here is
> the error I get :
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru

That response says that curl-client does accept the ssl-negotiation
with your port-443 nginx server when it knows to trust the ca_bundle.crt
contents.

> 2020/09/06 01:50:53 [error] 2603#0: *4 upstream SSL certificate verify
> error: (2:unable to get > issuer certificate) while SSL handshaking to
> upstream, client: 192.168.103.15, server: www.ravi.guru, request: "GET /
> HTTP/1.1", upstream: "https://192.168.103.15:8080/", host: "www.ravi.guru"

That log says that nginx-client does not accept the ssl-negotiation with
your port-8080 nginx server.

> When I connect to backend directly, all goes well:
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru:8080

And that response says that curl-client does accept the ssl-negotiation
with your port-8080 nginx server when it knows to trust the ca_bundle.crt
contents.

> ===============
> Here is my config file
> ===============

As an aside: a lot of these directives are only needed if you are using
client certificates; you don't appear to be, so you can possibly remove
some of these directives for person-clarity.

> server {
> listen 443 http2 ssl;
> server_name www.ravi.guru;

> location / {
> proxy_pass https://www.ravi.guru:8080;

> proxy_ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;
> proxy_ssl_verify on;
> proxy_ssl_verify_depth 2;

I guess that one possibility is that the "certificate chain" to be
verified is longer than 2; after you've confirmed that the certificate
file (below) is correct, it might be worth increasing that depth to
whatever your system uses.

> }
> }
> server {
> listen 8080 http2 ssl;
> #listen [::]:443 http2 ssl;
>
> server_name www.ravi.guru;
>
> ssl_certificate /etc/ssl/certs/certificate.crt;

Does "grep CERT /etc/ssl/certs/certificate.crt" show one BEGIN/END pair,
or more than one?

As in -- does that file hold just the this-server certificate, or does
it also hold the full chain back to the root?

(If it does not hold the full chain, I guess it is possible that
curl-client and nginx-client can have different behaviours.)

Good luck with it,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Unable to proxy pass to https backend on nginx

ravansh September 06, 2020 10:15AM

Re: Unable to proxy pass to https backend on nginx

Thomas Ward September 06, 2020 02:22PM

Re: Unable to proxy pass to https backend on nginx

Maxim Dounin September 06, 2020 09:00PM

Re: Unable to proxy pass to https backend on nginx

Francis Daly September 07, 2020 07:12AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 62
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready