{
  "id": "nginx/upstream-ssl-certificate-verify-error",
  "signature": "upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream",
  "signature_zh": "上游 SSL 证书验证错误：(20:无法获取本地颁发者证书) 在与上游进行 SSL 握手时",
  "regex": "upstream SSL certificate verify error: \\(20:unable to get local issuer certificate\\) while SSL handshaking to upstream",
  "domain": "nginx",
  "category": "auth_error",
  "subcategory": null,
  "root_cause": "OpenSSL verify error 20 means nginx, acting as the TLS client towards the upstream, could not find the issuer of a certificate in the chain the upstream presented among the CAs loaded from proxy_ssl_trusted_certificate: the directive is absent, points at the wrong bundle, or the bundle lacks an intermediate CA that the upstream also fails to send. The check runs only with proxy_ssl_verify on (the default is off), so the error typically surfaces right after verification is enabled.",
  "root_cause_type": "generic",
  "root_cause_zh": "Nginx 无法验证上游服务器的 SSL 证书，因为 CA 证书链缺失或未在 proxy_ssl_trusted_certificate 中正确配置。",
  "versions": [
    {
      "version": "nginx 1.24.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.22.1",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.20.2",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "nginx 1.18.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Disable verification with proxy_ssl_verify off; (or leave it unset) so the log line disappears.",
      "why_fails": "The error goes away only because nginx stops checking the upstream certificate at all; anyone who can sit on the nginx-to-upstream path can present their own certificate and read or alter proxied traffic. This removes the control instead of repairing the trust chain and violates most security policies.",
      "fail_rate": 0.3,
      "condition": "",
      "sources": []
    },
    {
      "action": "Add the upstream CA to ssl_trusted_certificate or ssl_client_certificate in the server block instead of to proxy_ssl_trusted_certificate.",
      "why_fails": "Those directives govern verification of client certificates presented to nginx when it is the TLS server. The upstream connection, where nginx is the TLS client, consults only proxy_ssl_trusted_certificate, so the upstream SSL verify error persists.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "Put only the root CA certificate in the trusted file, without the intermediate CA(s).",
      "why_fails": "OpenSSL has to connect the certificate the upstream sends to a trusted root through every intermediate. If the upstream sends only its leaf and the trusted file holds only the root, the intermediate is found nowhere and the lookup fails with the same error 20. The file must contain the full chain of intermediates (and proxy_ssl_verify_depth must be large enough to cover it).",
      "fail_rate": 0.6,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Point proxy_ssl_trusted_certificate at a PEM bundle holding the upstream's intermediate CA(s) and root (CA certificates only, not the leaf), turn verification on, and set a depth that covers the chain:\nproxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;\nproxy_ssl_verify on;\nproxy_ssl_verify_depth 2;\nAdd proxy_ssl_server_name on; so the upstream receives SNI and presents the certificate you expect. Check with nginx -t before nginx -s reload.",
      "success_rate": 0.85,
      "how": "Point proxy_ssl_trusted_certificate at a PEM bundle holding the upstream's intermediate CA(s) and root (CA certificates only, not the leaf), turn verification on, and set a depth that covers the chain:\nproxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;\nproxy_ssl_verify on;\nproxy_ssl_verify_depth 2;\nAdd proxy_ssl_server_name on; so the upstream receives SNI and presents the certificate you expect. Check with nginx -t before nginx -s reload.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the upstream uses a self-signed certificate there is no separate CA: the certificate is its own issuer, so the certificate itself goes into the trusted bundle. Confirm its SHA-256 fingerprint out of band first (openssl x509 -noout -fingerprint -sha256 -in /path/to/upstream-ca.crt), then append it and reload:\ncat /path/to/upstream-ca.crt >> /etc/nginx/ssl/ca-chain.crt\nnginx -t && nginx -s reload",
      "success_rate": 0.75,
      "how": "If the upstream uses a self-signed certificate there is no separate CA: the certificate is its own issuer, so the certificate itself goes into the trusted bundle. Confirm its SHA-256 fingerprint out of band first (openssl x509 -noout -fingerprint -sha256 -in /path/to/upstream-ca.crt), then append it and reload:\ncat /path/to/upstream-ca.crt >> /etc/nginx/ssl/ca-chain.crt\nnginx -t && nginx -s reload",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use proxy_ssl_name when the upstream is reached by IP or by an internal alias that is not in its certificate. This does not affect error 20 itself, which is raised while the chain is being built, but it is the next check nginx performs once the chain verifies: the certificate names are compared with proxy_ssl_name (default $proxy_host, the host part of proxy_pass) and a mismatch is rejected and logged as a certificate mismatch rather than as error 20. Set it to the name the certificate carries and send that same name as SNI:\nproxy_ssl_name upstream.example.com;\nproxy_ssl_server_name on;",
      "success_rate": 0.7,
      "how": "Use proxy_ssl_name when the upstream is reached by IP or by an internal alias that is not in its certificate. This does not affect error 20 itself, which is raised while the chain is being built, but it is the next check nginx performs once the chain verifies: the certificate names are compared with proxy_ssl_name (default $proxy_host, the host part of proxy_pass) and a mismatch is rejected and logged as a certificate mismatch rather than as error 20. Set it to the name the certificate carries and send that same name as SNI:\nproxy_ssl_name upstream.example.com;\nproxy_ssl_server_name on;",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "使用完整的 CA 链文件配置 proxy_ssl_trusted_certificate，并启用 proxy_ssl_verify：\nproxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;\nproxy_ssl_verify on;\nproxy_ssl_verify_depth 2;\n如果使用 SNI，同时确保 proxy_ssl_server_name on;。",
    "如果上游使用自签名证书，将自签名 CA 添加到受信任的证书文件中：\ncat /path/to/upstream-ca.crt >> /etc/nginx/ssl/ca-chain.crt\n然后重新加载 nginx：nginx -s reload",
    "如果上游主机名不同，使用 proxy_ssl_name 设置证书验证的预期主机名：\nproxy_ssl_name upstream.example.com;\nproxy_ssl_server_name on;"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.85,
  "fix_success_rate": 0.8,
  "resolvable": "true",
  "first_seen": "2024-02-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}
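A triage script for this error, added here as a worked example; it is not part of the record above or of nginx. Its offline checks (pulling the verify code out of the log line, counting certificates in the trusted bundle, auditing the proxy_ssl_* directives) use only POSIX sh, grep and sed on constructed inputs: the log line, the PEM bundles (placeholder bodies, not real certificates), the host upstream.example.com / 10.0.0.20 and the file paths are all assumptions. The live_check function holds the openssl commands to run by hand against the real upstream and is not executed by the script.

```shell
#!/bin/sh
# Added example (not from the record above or from nginx): triage helpers for
# "upstream SSL certificate verify error: (20:unable to get local issuer certificate)".
# Offline parts need only POSIX sh, grep and sed. The log line, PEM bundles (placeholder
# bodies, not real certificates), hostnames and paths below are constructed assumptions.

# Numeric OpenSSL verify code from an nginx error-log line ("20" here, empty if unrelated).
upstream_verify_code() {
    printf '%s\n' "$1" |
        sed -n 's/.*upstream SSL certificate verify error: (\([0-9][0-9]*\):.*/\1/p'
}

# Number of PEM certificates in a bundle (0 for an empty or unreadable file).
pem_cert_count() {
    [ -r "$1" ] || { printf '0\n'; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Error 20 plus a one-certificate trust file almost always means the intermediate CA
# is neither in proxy_ssl_trusted_certificate nor sent by the upstream.
diagnose_error20() {
    _code=$(upstream_verify_code "$1")
    [ -n "$_code" ] || { printf 'no_verify_error\n'; return 0; }
    [ "$_code" = 20 ] || { printf 'other_verify_error:%s\n' "$_code"; return 0; }
    if [ "$(pem_cert_count "$2")" -le 1 ]; then
        printf 'missing_intermediate_likely\n'
    else
        printf 'issuer_not_in_bundle\n'   # several certs present: compare with what the upstream sends
    fi
}

# Audit the proxy_ssl_* directives of a config fragment. Comments are stripped first.
# An unset proxy_ssl_verify also reports verify_disabled because the nginx default is off;
# verify on without a trusted bundle is reported because nginx -t rejects that pairing.
audit_proxy_ssl() {
    _conf=$(sed 's/#.*//' "$1")
    if printf '%s\n' "$_conf" | grep -q 'proxy_ssl_verify[[:space:]][[:space:]]*off[[:space:]]*;'; then
        printf 'verify_disabled\n'
    elif ! printf '%s\n' "$_conf" | grep -q 'proxy_ssl_verify[[:space:]][[:space:]]*on[[:space:]]*;'; then
        printf 'verify_disabled\n'
    elif ! printf '%s\n' "$_conf" | grep -q 'proxy_ssl_trusted_certificate[[:space:]]'; then
        printf 'no_trusted_bundle\n'
    else
        printf 'verify_on_with_bundle\n'
    fi
}

# Constructed inputs: a log line as nginx would write it, a root-only bundle (the dead
# end), a bundle with intermediate plus root, and the weak and hardened proxy configs.
SAMPLE_LOG_LINE='2024/06/01 12:00:00 [error] 1234#1234: *7 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: 10.0.0.5, server: www.example.com, request: "GET / HTTP/1.1", upstream: "https://10.0.0.20:443/", host: "www.example.com"'

write_samples() {
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ROOT\n-----END CERTIFICATE-----\n' > "$1/root-only.crt"
    { printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----\n'
      cat "$1/root-only.crt"; } > "$1/chain.crt"
    cat > "$1/weak.conf" <<'EOF'
location / {
    proxy_pass https://10.0.0.20;
    proxy_ssl_verify off;   # silences error 20 by not verifying at all: MITM-able
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
location / {
    proxy_pass https://10.0.0.20;
    proxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;   # intermediate(s) + root
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_server_name on;               # send SNI so the upstream serves the right cert
    proxy_ssl_name upstream.example.com;    # name checked once the chain verifies ($proxy_host would be the IP)
}
EOF
}

# Live diagnostics against the real upstream (network; run by hand, not in the demo):
# count what the upstream sends, then replay nginx's decision with the same trust file.
# openssl verify prints "error 20 at 0 depth lookup: unable to get local issuer certificate"
# when the leaf's issuer is found nowhere.
live_check() {   # usage: live_check upstream.example.com:443 /etc/nginx/ssl/ca-chain.crt
    _host=${1%%:*}
    openssl s_client -connect "$1" -servername "$_host" -showcerts </dev/null 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'                       # 1 means the upstream sends only its leaf
    openssl s_client -connect "$1" -servername "$_host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > upstream-leaf.pem
    openssl verify -CAfile "$2" upstream-leaf.pem
}

demo() {
    _d=$(mktemp -d)
    write_samples "$_d"
    printf 'verify code      : %s\n' "$(upstream_verify_code "$SAMPLE_LOG_LINE")"
    printf 'root-only bundle : %s\n' "$(diagnose_error20 "$SAMPLE_LOG_LINE" "$_d/root-only.crt")"
    printf 'full chain bundle: %s\n' "$(diagnose_error20 "$SAMPLE_LOG_LINE" "$_d/chain.crt")"
    printf 'weak.conf        : %s\n' "$(audit_proxy_ssl "$_d/weak.conf")"
    printf 'hardened.conf    : %s\n' "$(audit_proxy_ssl "$_d/hardened.conf")"
    rm -rf "$_d"
}
demo
```

Run it with sh; the demo output puts the two dead ends (a root-only bundle, proxy_ssl_verify off) beside the working configuration. The classification relies on two facts from the record: proxy_ssl_verify defaults to off, and a trusted file with a single certificate cannot supply the intermediate that a leaf-only upstream omits, which is exactly the lookup that fails with error 20.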