Tags: nginx, auth_error, ai_generated: true
SSL: certificate verify failed while SSL handshaking to upstream
ID: nginx/ssl-certificate-verify-failed
Fix Rate: 90% | Confidence: 88% | Evidence: 1 | First Seen: 2024-01-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.20.2 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.24.0 | active | — | — | — |
| nginx 1.25.3 | active | — | — | — |
| nginx 1.26.0 | active | — | — | — |
Root Cause
Nginx cannot verify the upstream server's SSL certificate due to CA mismatch, expired certificate, or missing proxy_ssl_trusted_certificate directive.
Official Documentation
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_trusted_certificate
Workarounds
- 90% success: Add proxy_ssl_trusted_certificate with the correct CA bundle: proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
- 85% success: If the upstream uses a self-signed cert, add its CA to the trust store and set proxy_ssl_verify_depth 2;
- 95% success: Check and renew the upstream certificate if it has expired: openssl x509 -in /path/to/cert.pem -noout -dates
Dead Ends
Common approaches that don't work:
- 50% fail: Disabling verification exposes the proxy to MITM attacks; it is only a workaround, not a fix.
- 90% fail: Nginx still needs the CA certificate in its trust store; replacing alone doesn't help.
- 95% fail: This configures client certificate verification, not upstream verification.
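The workarounds and dead ends above boil down to one working configuration. The following is an added example, not a snippet from the original page or from the nginx project: a server block that proxies to a TLS upstream with verification switched on and the CA bundle the workarounds recommend. The upstream hostname (backend.internal), the frontend certificate paths and the server_name are assumed placeholders; the CA bundle path is the one the page gives.

```nginx
# Added example (not from the original page): proxying to a TLS upstream
# with the upstream certificate actually verified.
# Assumed values: backend.internal, /etc/nginx/certs/frontend.*, example.com.

upstream backend_tls {
    server backend.internal:443;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/frontend.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/frontend.key;   # assumed path

    location / {
        proxy_pass https://backend_tls;

        # nginx defaults to "off": without this line the upstream hop is
        # never verified and the "certificate verify failed" error cannot
        # appear. Turn it on; fix the trust store, do not turn it off again.
        proxy_ssl_verify on;

        # CA bundle used to build the chain to the upstream's certificate.
        # For a private or self-signed CA, point this at that CA's PEM file.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Longest chain accepted between the leaf and a trusted root.
        # The default is 1; 2 allows one intermediate CA in between.
        proxy_ssl_verify_depth 2;

        # Send SNI and check the certificate's name against it. With an
        # upstream group, proxy_ssl_name would otherwise default to the
        # group name ("backend_tls"), and the name check would fail even
        # with a correct CA bundle.
        proxy_ssl_server_name on;
        proxy_ssl_name backend.internal;
    }
}
```

Run nginx -t after editing and reload. If the error persists with this configuration, the chain the upstream sends is not rooted in the configured bundle (wrong or missing CA), the certificate has expired (check with the openssl x509 -dates command above), or the name in the certificate does not match proxy_ssl_name. Note that ssl_verify_client is unrelated: it verifies certificates presented by incoming clients, which is the third dead end listed above.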