# SSL: certificate verification failed during the SSL handshake with the upstream

- **ID:** `nginx/ssl-certificate-verify-failed`
- **Domain:** nginx
- **Category:** auth_error
- **Verification level:** ai_generated
- **Fix rate:** 90%

## Root cause

Nginx cannot verify the upstream server's SSL certificate. Typical causes are a CA mismatch (the bundle nginx trusts did not issue the upstream certificate), an expired upstream certificate, or a missing `proxy_ssl_trusted_certificate` directive.

## Version compatibility

| Version | Status | Introduced | Deprecated |
|------|------|------|------|
| nginx 1.20.2 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.24.0 | active | — | — |
| nginx 1.25.3 | active | — | — |
| nginx 1.26.0 | active | — | — |

## Solution

1. Add the correct CA certificate bundle:
   ```
   proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
   ```
2. If the upstream uses a self-signed certificate, add its CA to the trust store and set:
   ```
   proxy_ssl_verify_depth 2;
   ```
3. Check the upstream certificate's validity period and renew it if it has expired:
   ```
   openssl x509 -in /path/to/cert.pem -noout -dates
   ```
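The following configuration, added here as an example and not taken from the original entry, puts the weak setting beside the corrected one. The upstream address, port and hostname `backend.internal.example` are assumptions; `proxy_ssl_verify` is `off` by default, so the handshake error in the title only appears once verification is switched on.

```nginx
# Added example (not from the original entry). Addresses and names are assumed.

upstream backend_tls {
    server 10.0.0.10:8443;   # constructed upstream address
}

# Weak: verification disabled. nginx accepts any certificate the upstream
# presents, so an on-path attacker can impersonate the backend unnoticed.
server {
    listen 8080;
    location / {
        proxy_pass https://backend_tls;
        proxy_ssl_verify off;
    }
}

# Hardened: verify the chain against the CA bundle that issued the upstream
# certificate and check the certificate's name against the expected host.
server {
    listen 8081;
    location / {
        proxy_pass https://backend_tls;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;   # intermediate -> root (default is 1)
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        # Without these two, nginx sends no SNI and checks the certificate
        # against the upstream group name "backend_tls", which will not match.
        proxy_ssl_server_name on;
        proxy_ssl_name        backend.internal.example;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
    }
}
```

Run `nginx -t` after the change and watch the error log for `upstream SSL certificate verify error`, which names the exact X.509 failure (unknown issuer, expired, hostname mismatch).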

## Failed attempts

- Disabling verification exposes the connection to MITM attacks; it is only a workaround, not a fix. (50% failure rate)
- Nginx still needs the CA certificate in its trust store; replacing the upstream certificate alone does not help. (90% failure rate)
- `ssl_verify_client` configures client certificate verification, not upstream verification. (95% failure rate)
