Welcome! Log In Create A New Profile

Advanced

SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

November 05, 2020 05:18PM
I'm trying to setup Nginx reserve proxy which redirect to a specific host that requires certificate for proper functionality. But I get this error when I hit the endpoint from the browser:


2020/11/05 19:55:21 [error] 6334#6334: *111317 SSL_do_handshake()
failed (SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert n$


Here is the nginx configuration file:

server {
listen 443 ssl;
listen [::]:443 ssl;

ssl_certificate /home/ubuntu/appname.com.pem;
ssl_certificate_key /home/ubuntu/appname.com.key;

server_name appname.com;

ssl_protocols TLSv1.2;

set $target_server targetapp.com:443;

location /api/ {
rewrite ^/api(/.*) $1 break;
proxy_pass https://$target_server/$uri$is_args$args;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header Host appname.com;
error_log /var/log/nginx/target_server.log debug;
proxy_set_header Accept-Encoding text/xml;
proxy_ssl_certificate /home/ubuntu/target_server_client.pem;
proxy_ssl_certificate_key /home/ubuntu/target_server_key.pem;
proxy_ssl_trusted_certificate /home/ubuntu/target_server_CA.pem;
proxy_ssl_verify off;
proxy_ssl_verify_depth 1;
proxy_ssl_server_name on;
}
}




I tried to enable/disable both `proxy_ssl_server_name` and `proxy_ssl_verify`, but both didn't fix the issue.

When I SSH into that server and try the below curl command, I can get the expected correct response, it's only when try to hit the endpoint from the browser:


curl -vv --cert target_server_client.pem --key target_server_key.pem --cacert target_server_CA.pem --url https://targetapp.com/api 2>&1|less



I'm not sure what could be the issue, I suspect it would be that the Nginx proxy is using the IP address instead of host name in the endpoint, that's why it's giving an SSL verification issue. Because it's working by curl command propely. I also tried to enable the proxy_ssl_server_name, but didn't help.
Subject Author Posted

SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

meniem November 05, 2020 05:18PM

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

Sergey Kandaurov November 05, 2020 07:58PM

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

meniem November 06, 2020 04:35AM

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

Maxim Dounin November 09, 2020 02:14PM

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

meniem November 09, 2020 03:48PM

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

Thomas Ward November 09, 2020 04:10PM

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

Maxim Dounin November 09, 2020 04:20PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 88
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready