# upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream

- **ID:** `nginx/upstream-ssl-certificate-verify-error`
- **Domain:** nginx
- **Category:** auth_error
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

Nginx cannot verify the upstream server's SSL certificate because the CA certificate chain is missing or not properly configured in `proxy_ssl_trusted_certificate`.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| nginx 1.24.0 | active | — | — |
| nginx 1.22.1 | active | — | — |
| nginx 1.20.2 | active | — | — |
| nginx 1.18.0 | active | — | — |

## Workarounds

1. **Configure `proxy_ssl_trusted_certificate` with the full CA chain file, and enable `proxy_ssl_verify`** (85% success). Also ensure `proxy_ssl_server_name on;` if using SNI.
   ```
   proxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt;
   proxy_ssl_verify on;
   proxy_ssl_verify_depth 2;
   ```
2. **If the upstream uses a self-signed certificate, add the self-signed CA to the trusted certificate file, then reload nginx** (75% success)
   ```
   cat /path/to/upstream-ca.crt >> /etc/nginx/ssl/ca-chain.crt
   nginx -s reload
   ```
3. **Use `proxy_ssl_name` to set the expected hostname for certificate verification if the upstream hostname differs** (70% success). `$upstream_host` is not a built-in nginx variable; define it yourself (for example with `map` or `set`) so that it holds the name on the upstream's certificate.
   ```
   proxy_ssl_name $upstream_host;
   proxy_ssl_server_name on;
   ```

## Dead Ends

- **Disabling upstream certificate verification** — Bypasses certificate validation, leaving the connection vulnerable to MITM attacks and violating security policies. (30% fail)
- **Configuring the client-facing listener instead of the upstream proxy** — Misapplies configuration to the client side, not the upstream; the upstream SSL verify error persists. (50% fail)
- **Providing an incomplete CA chain** — Nginx needs the full CA chain to build trust; missing intermediate CA certificates cause the same error. (60% fail)
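The following pre-flight check is an added example, not part of this entry or of nginx: it builds a constructed demo PKI (root, intermediate, upstream leaf) with the `openssl` CLI (1.1.1 or newer assumed) and verifies the leaf against a root-only trust file and against the full chain, reproducing the "error 20" behind the log message and the third dead end above before you point `proxy_ssl_trusted_certificate` at a file. All paths and CN values are temporary and arbitrary.

```shell
#!/bin/sh
# Added pre-flight check (not from the original entry): build a constructed demo PKI
# (root -> intermediate -> upstream leaf) and verify the leaf against two trust files
# the way nginx would, reproducing "error 20" when the intermediate is missing.
# Requires the openssl CLI (1.1.1 or newer assumed); all files live in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo certificates only; CN values and the 2-day lifetime are arbitrary.
make_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:upstream.internal\n' > "$WORK/leaf.ext"
  # Self-signed root CA
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  # Intermediate CA signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null
  # Upstream server (leaf) certificate signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=upstream.internal" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
  # The file proxy_ssl_trusted_certificate needs: the root plus every intermediate
  cat "$WORK/root.crt" "$WORK/int.crt" > "$WORK/ca-chain.crt"
}

# verify_against TRUSTFILE LEAF: prints "ok", or "error N" with OpenSSL's X509 verify code
# (20 = unable to get local issuer certificate, the code quoted in the nginx log line).
verify_against() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo ok; return 0; }
  echo "error $(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n1)"
}

make_demo_pki
echo "root only : $(verify_against "$WORK/root.crt"     "$WORK/leaf.crt")"   # error 20
echo "full chain: $(verify_against "$WORK/ca-chain.crt" "$WORK/leaf.crt")"   # ok
```

Run `verify_against` with your real CA file and a copy of the upstream's leaf certificate; anything other than `ok` means nginx will log the same failure once `proxy_ssl_verify on;` is active.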
