Hello,

I have configured an nginx proxy server "NGINX_SERVER" as follows:

    listen 443 ssl default_server;

    chunked_transfer_encoding on;

    ssl_certificate        server.crt;
    ssl_certificate_key    private_key_server.pem;
    ssl_client_certificate trustedCA.crt;
    #ssl_verify_depth 7;
    ssl_verify_client optional_no_ca;

    location / {
        proxy_http_version 1.1;
        resolver 127.0.0.11;

        proxy_ssl_trusted_certificate trustedCA.crt;
        proxy_ssl_verify_depth 7;
        proxy_ssl_verify on;

        proxy_pass https://13.78.229.75:443;
    }

The server "13.78.229.75" has a server certificate generated for an IP.

When I do

    curl --cacert trustedCA.crt https://13.78.229.75:443 -v

from "NGINX_SERVER", everything works fine. So the server certificate from "13.78.229.75" should be good.

Additionally,

    openssl s_client -connect 13.78.229.75:443 -showcerts -verify 9 -CAfile trustedCA.crt

is good too.

However, when I try to curl my "NGINX_SERVER":

    curl https://"NGINX_SERVER"

I get:

    *110 upstream SSL certificate does not match "13.78.229.75" while SSL handshaking to upstream, client: 13.78.128.54, server: , request:

Looking at the server certificate, everything looks ok:

    Subject: CN = 13.78.229.75
    X509v3 Subject Alternative Name:
        IP Address:13.78.229.75, DNS:iotedgeapiproxy

I am at a loss. How can curl/openssl tell me my server cert is valid while nginx is telling me it is wrong? What am I doing wrong?

Thank you!

Hugues

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,289813,289813#msg-289813