I'm trying to setup Nginx reserve proxy which redirect to a specific host that requires certificate for proper functionality. But I get this error when I hit the endpoint from the browser:
2020/11/05 19:55:21 [error] 6334#6334: *111317 SSL_do_handshake()
failed (SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert n$
Here is the nginx configuration file:
server {
listen 443 ssl;
listen [::]:443 ssl;
ssl_certificate /home/ubuntu/appname.com.pem;
ssl_certificate_key /home/ubuntu/appname.com.key;
server_name appname.com;
ssl_protocols TLSv1.2;
set $target_server targetapp.com:443;
location /api/ {
rewrite ^/api(/.*) $1 break;
proxy_pass https://$target_server/$uri$is_args$args;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Host appname.com;
error_log /var/log/nginx/target_server.log debug;
proxy_set_header Accept-Encoding text/xml;
proxy_ssl_certificate /home/ubuntu/target_server_client.pem;
proxy_ssl_certificate_key /home/ubuntu/target_server_key.pem;
proxy_ssl_trusted_certificate /home/ubuntu/target_server_CA.pem;
proxy_ssl_verify off;
proxy_ssl_verify_depth 1;
proxy_ssl_server_name on;
}
}
I tried to enable/disable both `proxy_ssl_server_name` and `proxy_ssl_verify`, but both didn't fix the issue.
When I SSH into that server and try the below curl command, I can get the expected correct response, it's only when try to hit the endpoint from the browser:
curl -vv --cert target_server_client.pem --key target_server_key.pem --cacert target_server_CA.pem --url https://targetapp.com/api 2>&1|less
I'm not sure what could be the issue, I suspect it would be that the Nginx proxy is using the IP address instead of host name in the endpoint, that's why it's giving an SSL verification issue. Because it's working by curl command propely. I also tried to enable the proxy_ssl_server_name, but didn't help.