{ "id": "nginx/ssl-certificate-verify-failed", "signature": "SSL: certificate verify failed while SSL handshaking to upstream", "signature_zh": "SSL:在与上游进行SSL握手时证书验证失败", "regex": "SSL: certificate verify failed while SSL handshaking to upstream", "domain": "nginx", "category": "auth_error", "subcategory": null, "root_cause": "Nginx cannot verify the upstream server's SSL certificate due to CA mismatch, expired certificate, or missing proxy_ssl_trusted_certificate directive.", "root_cause_type": "generic", "root_cause_zh": "Nginx无法验证上游服务器的SSL证书,原因是CA不匹配、证书过期或缺少proxy_ssl_trusted_certificate指令。", "versions": [ { "version": "nginx 1.20.2", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx 1.22.1", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx 1.24.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx 1.25.3", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" }, { "version": "nginx 1.26.0", "introduced": null, "deprecated": null, "removed": null, "behavior_change": null, "status": "active" } ], "os_specific": {}, "dead_ends": [ { "action": "", "why_fails": "Disabling verification exposes to MITM attacks; only a workaround not a fix.", "fail_rate": 0.5, "condition": "", "sources": [] }, { "action": "", "why_fails": "Nginx still needs the CA certificate in its trust store; replacing alone doesn't help.", "fail_rate": 0.9, "condition": "", "sources": [] }, { "action": "", "why_fails": "This configures client certificate verification, not upstream verification.", "fail_rate": 0.95, "condition": "", "sources": [] } ], "workarounds": [ { "action": "Add proxy_ssl_trusted_certificate with the correct CA bundle: proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;", "success_rate": 0.9, "how": "Add proxy_ssl_trusted_certificate with the correct CA bundle: proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;", "condition": "", "sources": [] }, { "action": "If upstream uses a self-signed cert, add its CA to the trust store and set proxy_ssl_verify_depth 2;", "success_rate": 0.85, "how": "If upstream uses a self-signed cert, add its CA to the trust store and set proxy_ssl_verify_depth 2;", "condition": "", "sources": [] }, { "action": "Check and renew the upstream certificate if expired: openssl x509 -in /path/to/cert.pem -noout -dates", "success_rate": 0.95, "how": "Check and renew the upstream certificate if expired: openssl x509 -in /path/to/cert.pem -noout -dates", "condition": "", "sources": [] } ], "workarounds_zh": [ "添加正确的CA证书包:proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;", "如果上游使用自签名证书,将其CA添加到信任存储并设置 proxy_ssl_verify_depth 2;", "检查并续期上游证书(如果已过期):openssl x509 -in /path/to/cert.pem -noout -dates" ], "transition_graph": { "leads_to": [], "preceded_by": [], "frequently_confused_with": [] }, "official_doc_url": "http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_trusted_certificate", "official_doc_section": null, "error_code": null, "verification_tier": "ai_generated", "confidence": 0.88, "fix_success_rate": 0.9, "resolvable": "true", "first_seen": "2024-01-20", "last_confirmed": "2024-06-01", "last_updated": "2024-06-01", "evidence_count": 1, "tags": [], "locale": "en", "aliases": [] }