On Sun, Sep 06, 2020 at 10:15:28AM -0400, ravansh wrote:

Hi there,

> I am unable to reverse proxy to my https backend. What am I doing wrong? I
> am using the same set of certs for the backend and frontend as I am running
> them both on the same machine. I got my certificates from zerossl. Here is
> the error I get:
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru

That response says that curl-client does accept the ssl-negotiation with
your port-443 nginx server when it knows to trust the ca_bundle.crt
contents.

> 2020/09/06 01:50:53 [error] 2603#0: *4 upstream SSL certificate verify
> error: (2:unable to get issuer certificate) while SSL handshaking to
> upstream, client: 192.168.103.15, server: www.ravi.guru, request: "GET /
> HTTP/1.1", upstream: "https://192.168.103.15:8080/", host: "www.ravi.guru"

That log says that nginx-client does not accept the ssl-negotiation with
your port-8080 nginx server.

> When I connect to backend directly, all goes well:
>
> curl --cacert /etc/ssl/certs/ca_bundle.crt https://www.ravi.guru:8080

And that response says that curl-client does accept the ssl-negotiation
with your port-8080 nginx server when it knows to trust the ca_bundle.crt
contents.

> ===============
> Here is my config file
> ===============

As an aside: a lot of these directives are only needed if you are using
client certificates; you don't appear to be, so you can possibly remove
some of these directives for person-clarity.

> server {
>     listen 443 http2 ssl;
>     server_name www.ravi.guru;
>     location / {
>         proxy_pass https://www.ravi.guru:8080;
>         proxy_ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;
>         proxy_ssl_verify on;
>         proxy_ssl_verify_depth 2;

I guess that one possibility is that the "certificate chain" to be
verified is longer than 2; after you've confirmed that the certificate
file (below) is correct, it might be worth increasing that depth to
whatever your system uses.

>     }
> }
> server {
>     listen 8080 http2 ssl;
>     #listen [::]:443 http2 ssl;
>
>     server_name www.ravi.guru;
>
>     ssl_certificate /etc/ssl/certs/certificate.crt;

Does "grep CERT /etc/ssl/certs/certificate.crt" show one BEGIN/END pair,
or more than one? As in -- does that file hold just this server's
certificate, or does it also hold the full chain back to the root?

(If it does not hold the full chain, I guess it is possible that
curl-client and nginx-client can have different behaviours.)

Good luck with it,

f
-- 
Francis Daly        [email protected]

_______________________________________________
nginx mailing list
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx
