nginx · auth_error · ai_generated: true
upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream
ID: nginx/upstream-ssl-certificate-verify-error
Fix rate: 80%
Confidence: 85%
Evidence: 1
First seen: 2024-02-15
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
| nginx 1.18.0 | active | — | — | — |
Root Cause
Nginx cannot verify the upstream server's SSL certificate because the CA certificate chain is missing or not properly configured in proxy_ssl_trusted_certificate.
Official Documentation
https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify
Workarounds
- 85% success: Configure proxy_ssl_trusted_certificate with the full CA chain file, and enable proxy_ssl_verify:

  ```nginx
  proxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;
  proxy_ssl_verify on;
  proxy_ssl_verify_depth 2;
  ```

  Also ensure `proxy_ssl_server_name on;` if using SNI.
- 75% success: If the upstream uses a self-signed certificate, add the self-signed CA to the trusted certificate file, then reload nginx:

  ```shell
  cat /path/to/upstream-ca.crt >> /etc/nginx/ssl/ca-chain.crt
  nginx -s reload
  ```
- 70% success: Use proxy_ssl_name to set the expected hostname for certificate verification if the upstream hostname differs:

  ```nginx
  proxy_ssl_name $upstream_host;
  proxy_ssl_server_name on;
  ```
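The three workarounds above fit together in one `location` block. The configuration below is an added example, not taken from the original page or from the nginx project; the upstream address, hostnames and certificate paths are placeholders, and the weak setting is shown commented out next to the corrected one so the difference is visible in a single diff.

```nginx
# Added example (not from the original page): reverse proxy to an HTTPS upstream
# with upstream certificate verification turned on. All names and paths below
# are placeholders to adapt.
upstream backend {
    server 10.0.0.10:443;                      # placeholder upstream address
}

server {
    listen 443 ssl;
    server_name example.internal;              # placeholder
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    location / {
        proxy_pass https://backend;

        # Weak setting: this is the default and also the usual "quick fix".
        # It makes the error disappear by not verifying the upstream at all,
        # which leaves the hop open to an on-path attacker.
        # proxy_ssl_verify off;

        # Corrected: verify the upstream chain against a trusted CA bundle.
        # ca-chain.crt is PEM, root CA followed by any intermediate CAs.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;
        proxy_ssl_verify_depth        2;       # leaf -> intermediate -> root

        # Send SNI and check the certificate name against the upstream's real
        # hostname. Without proxy_ssl_name, nginx would compare the certificate
        # against the proxy_pass host, which here is the group name "backend".
        proxy_ssl_server_name on;
        proxy_ssl_name        backend.example.internal;   # placeholder: CN/SAN on the upstream cert
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
    }
}
```

Before reloading, check that the bundle actually validates the upstream's leaf certificate offline with `openssl verify -CAfile /etc/nginx/ssl/ca-chain.crt upstream-leaf.crt` (a failure there reproduces error 20 without touching nginx), then run `nginx -t` and `nginx -s reload`.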
Dead Ends
Common approaches that don't work:
- 30% fail: Bypasses certificate validation, leaving the connection vulnerable to MITM attacks and violating security policies.
- 50% fail: Misapplies configuration to the client side, not the upstream; the upstream SSL verify error persists.
- 60% fail: Nginx needs the full CA chain to build trust; missing intermediate CA certificates cause the same error.