Component: nginx | Category: auth_error | ai_generated: true
SSL: certificate verify failed while SSL handshaking to upstream
ID: nginx/ssl-certificate-verify-failed
Fix rate: 90%
Confidence: 88%
Evidence count: 1
First seen: 2024-01-20
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.20.2 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.24.0 | active | — | — | — |
| nginx 1.25.3 | active | — | — | — |
| nginx 1.26.0 | active | — | — | — |
Root cause analysis
nginx cannot build a trusted chain for the upstream server's certificate. The usual causes are a CA mismatch (the issuing CA is not in the file named by proxy_ssl_trusted_certificate, or that directive is missing entirely), an expired upstream certificate, or a chain deeper than proxy_ssl_verify_depth allows. The check only runs when proxy_ssl_verify is on; with the default (off), nginx does not verify the upstream certificate at all, so this error never appears but the connection is also unauthenticated.
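The three causes above map onto distinct X509 verify reasons that OpenSSL puts into the error log. The following triage script is an added example, not code from the page or from nginx: it scans error-log lines, keeps only upstream handshake verification failures, classifies each by the reason string, and reports which backend (host:port from the `upstream:` field) needs its chain inspected. The sample lines are constructed to imitate the nginx error-log layout; the OpenSSL prefix of the message differs between OpenSSL versions, so the classifier keys on the stable X509 reason strings rather than on the exact prefix.

```python
"""Triage nginx error-log lines for the upstream certificate-verification failure.

Added example, not code from the page. The log lines below are constructed to
imitate the nginx error-log layout; the OpenSSL portion of the message varies
between OpenSSL versions, so classification keys on the X509 verify reason
strings rather than on the exact prefix.
"""
import re
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# (regex over the X509 verify reason, root-cause bucket, fix from this page's solutions)
# Order matters: the "in certificate chain" variant must be tried before the bare one.
REASONS = [
    (r"certificate has expired", "expired",
     "renew the upstream certificate"),
    (r"self[- ]signed certificate in certificate chain", "ca_mismatch",
     "add the private root CA to proxy_ssl_trusted_certificate"),
    (r"self[- ]signed certificate", "ca_mismatch",
     "add the self-signed certificate itself to proxy_ssl_trusted_certificate"),
    (r"unable to get (?:local )?issuer certificate", "ca_mismatch",
     "add the issuing CA bundle to proxy_ssl_trusted_certificate and check proxy_ssl_verify_depth"),
]
HANDSHAKE_MARK = "while SSL handshaking to upstream"
UPSTREAM_RE = re.compile(r'upstream: "([^"]+)"')

# Constructed sample: three verification failures (two message shapes) plus one unrelated line.
SAMPLE_LOG = """\
2024/01/20 10:00:01 [error] 1234#1234: *7 SSL_do_handshake() failed (SSL: error:0A000086:SSL routines::certificate verify failed:unable to get local issuer certificate) while SSL handshaking to upstream, client: 192.0.2.10, server: api.example.com, request: "GET /v1/users HTTP/1.1", upstream: "https://10.0.0.5:8443/v1/users", host: "api.example.com"
2024/01/20 10:00:02 [error] 1234#1234: *8 upstream SSL certificate verify error: (18:self-signed certificate) while SSL handshaking to upstream, client: 192.0.2.11, server: api.example.com, request: "GET /v1/health HTTP/1.1", upstream: "https://10.0.0.6:8443/v1/health", host: "api.example.com"
2024/01/20 10:00:03 [error] 1234#1234: *9 SSL_do_handshake() failed (SSL: error:0A000086:SSL routines::certificate verify failed:certificate has expired) while SSL handshaking to upstream, client: 192.0.2.12, server: api.example.com, request: "POST /v1/login HTTP/1.1", upstream: "https://10.0.0.7:8443/v1/login", host: "api.example.com"
2024/01/20 10:00:04 [error] 1234#1234: *10 upstream timed out (110: Connection timed out) while reading response header from upstream, client: 192.0.2.13, server: api.example.com, request: "GET /v1/users HTTP/1.1", upstream: "https://10.0.0.5:8443/v1/users", host: "api.example.com"
"""


def classify(line: str) -> Optional[dict]:
    """Return a triage record for an upstream verify failure, or None for any other line."""
    if HANDSHAKE_MARK not in line or "certificate verify" not in line:
        return None
    reason, cause, fix = "unknown", "unknown", "inspect the chain with openssl s_client"
    for pattern, bucket, hint in REASONS:
        m = re.search(pattern, line, re.IGNORECASE)
        if m:
            reason, cause, fix = m.group(0), bucket, hint
            break
    m = UPSTREAM_RE.search(line)
    # host:port of the backend whose certificate needs inspecting
    upstream = urlsplit(m.group(1)).netloc if m else None
    return {"reason": reason, "cause": cause, "fix": fix, "upstream": upstream}


def triage(log_text: str) -> list:
    """Classify every line; unrelated lines are dropped."""
    records = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize(records: list) -> Counter:
    """Count failures per (cause, upstream) so the noisiest backend is obvious."""
    return Counter((r["cause"], r["upstream"]) for r in records)


if __name__ == "__main__":
    recs = triage(SAMPLE_LOG)
    for r in recs:
        print(f'{r["upstream"]}: {r["reason"]} -> {r["cause"]}: {r["fix"]}')
    for (cause, upstream), n in summarize(recs).most_common():
        print(f"{n}x {cause} at {upstream}")
```

Run it against a real log with `triage(open("/var/log/nginx/error.log").read())`; a backend that shows up under `ca_mismatch` needs its issuing CA added to the trusted-certificate file, while `expired` is fixed only by renewing the certificate on the backend.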
Official documentation
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_trusted_certificate
Solutions
- Add the correct CA bundle (the system bundle only helps when the upstream certificate was issued by a public CA): proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
- If the upstream uses a self-signed certificate or a private CA, add that certificate (or the private CA chain) to the file named by proxy_ssl_trusted_certificate, and set proxy_ssl_verify_depth 2 (the default is 1) when the chain includes an intermediate CA.
- Check whether the upstream certificate has expired and renew it if so: openssl x509 -in /path/to/cert.pem -noout -dates
- To reproduce nginx's check outside nginx, run openssl s_client -connect <upstream-host>:<port> -servername <name> -CAfile <bundle> and read the "Verify return code" line; a non-zero code names the same reason nginx logs.
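The steps above as one configuration, added here as an example and not taken from the page or the nginx documentation; the location, the backend name `backend.internal` and the bundle path are placeholders. It also shows the contrast with the "fix" from the next section, which only disables the check.

```nginx
# Added example: upstream TLS verification done properly. Paths, the backend
# hostname and the CA bundle file are placeholders.
location /api/ {
    proxy_pass https://backend.internal:8443;

    # Off by default; turning it on is what makes a bad chain fail the
    # handshake instead of being silently accepted.
    proxy_ssl_verify on;

    # The CA that issued the upstream certificate. For a public CA use the
    # system bundle (e.g. /etc/ssl/certs/ca-certificates.crt); for a private
    # CA or a self-signed upstream put that certificate here instead.
    proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca-bundle.pem;

    # Default is 1; raise it when the chain includes an intermediate CA.
    proxy_ssl_verify_depth 2;

    # Send SNI and verify the certificate against this name rather than the
    # literal address in proxy_pass.
    proxy_ssl_server_name on;
    proxy_ssl_name backend.internal;

    proxy_ssl_protocols TLSv1.2 TLSv1.3;

    # Do NOT "fix" the error this way; it removes the check and allows MITM
    # on the nginx-to-upstream hop:
    # proxy_ssl_verify off;
}
```

After editing, run `nginx -t` before reloading; a wrong bundle path is reported at config test time, while a wrong CA is only reported on the first proxied request.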
Ineffective attempts
Common approaches that do not fix it:
- Disabling verification (proxy_ssl_verify off): 50% failure rate. This removes the check instead of satisfying it and exposes the nginx-to-upstream hop to MITM attacks; it is a workaround, not a fix.
- Replacing the certificate alone: 90% failure rate. nginx still needs the issuing CA certificate in the file named by proxy_ssl_trusted_certificate; swapping the certificate without updating the trust store does not help.
- Configuring client-certificate verification (ssl_verify_client / ssl_client_certificate): 95% failure rate. Those directives verify certificates that clients present to nginx, not the upstream server's certificate.