# SSL: certificate verify failed while SSL handshaking to upstream

- **ID:** `nginx/ssl-certificate-verify-failed`
- **Domain:** nginx
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 90%

## Root Cause

Nginx cannot verify the upstream server's TLS certificate. The usual reasons are a CA mismatch (the certificate was issued by a CA that is not in the trust store nginx was given), an expired upstream certificate, or a missing `proxy_ssl_trusted_certificate` directive, so nginx has no CA bundle to verify against.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| nginx 1.20.2 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.24.0 | active | — | — |
| nginx 1.25.3 | active | — | — |
| nginx 1.26.0 | active | — | — |

## Workarounds

1. **Add `proxy_ssl_trusted_certificate` with the correct CA bundle** (90% success)
   ```nginx
   proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
   ```
2. **If the upstream uses a self-signed certificate, add its CA to the trust store and raise the verification depth** (85% success)
   ```nginx
   proxy_ssl_verify_depth 2;
   ```
3. **Check the upstream certificate's validity dates and renew it if it has expired** (95% success)
   ```bash
   openssl x509 -in /path/to/cert.pem -noout -dates
   ```
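The three workarounds above only take effect together with `proxy_ssl_verify on`, which is off by default in nginx; a `proxy_ssl_trusted_certificate` line on its own changes nothing. The following `http`-context fragment is an added example, not configuration from the original page or from the nginx project: it puts the weak setting (the first dead end) next to the corrected one, and adds SNI and name checking so that a valid certificate for the wrong host is still rejected. The hostnames and file paths are assumptions; the client-certificate directive `ssl_verify_client`, which the third dead end warns is easy to confuse with upstream verification, is deliberately not used here.

```nginx
# Added example (not from the original page). Goes inside the http {} block.
# Hostnames and certificate paths are assumptions for illustration.

upstream backend {
    server api.internal.example:443;   # assumption: upstream API host
}

server {
    listen 443 ssl;
    server_name gateway.example;                       # assumption
    ssl_certificate     /etc/nginx/tls/gateway.crt;    # assumption
    ssl_certificate_key /etc/nginx/tls/gateway.key;    # assumption

    location / {
        proxy_pass https://backend;

        # Weak setting (dead end 1): the handshake succeeds against ANY
        # certificate, including one presented by a man-in-the-middle.
        # proxy_ssl_verify off;

        # Corrected setting: verification is off by default, so the
        # trusted-certificate directive below does nothing until this is on.
        proxy_ssl_verify on;

        # Workaround 1: CA bundle that issued the upstream certificate.
        # Workaround 2: for a private or self-signed CA, append that CA
        # certificate to this bundle (or point at a dedicated bundle file).
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

        # Workaround 2: allow one intermediate between the leaf and the root
        # (the default depth of 1 fails on a leaf -> intermediate -> root chain).
        proxy_ssl_verify_depth 2;

        # Send SNI and check the certificate's name against it. Because the
        # upstream is a named group, $proxy_host would be "backend", so the
        # expected name has to be given explicitly.
        proxy_ssl_server_name on;
        proxy_ssl_name api.internal.example;   # assumption: name in upstream cert

        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}
```

After editing, run `nginx -t` before reloading; a misspelled bundle path is reported there rather than at handshake time. If the error persists with this configuration, check the upstream certificate's dates with the `openssl x509` command from workaround 3: an expired leaf fails verification even when the CA bundle is correct.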

## Dead Ends

- Disabling upstream certificate verification exposes the proxied connection to MITM attacks; it is a workaround, not a fix. (50% fail)
- Replacing the certificate alone does not help: nginx still needs the issuing CA certificate in its trust store. (90% fail)
- Configuring client certificate verification addresses the wrong side of the connection: it verifies certificates presented by clients, not the upstream server's certificate. (95% fail)
