Tags: nginx, auth_error
ai_generated: true
upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream
ID: nginx/upstream-ssl-certificate-verify-error
Fix rate: 80%
Confidence: 85%
Evidence count: 1
First seen: 2024-02-15
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| nginx 1.24.0 | active | — | — | — |
| nginx 1.22.1 | active | — | — | — |
| nginx 1.20.2 | active | — | — | — |
| nginx 1.18.0 | active | — | — | — |
Root cause analysis
Nginx cannot verify the upstream server's SSL certificate because the CA certificate chain is missing or not properly configured in proxy_ssl_trusted_certificate.
Official documentation
https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_verify
Solution
- Configure proxy_ssl_trusted_certificate with the full CA chain file and enable proxy_ssl_verify: `proxy_ssl_trusted_certificate /etc/nginx/ssl/ca-chain.crt; proxy_ssl_verify on; proxy_ssl_verify_depth 2;` If SNI is used, also make sure `proxy_ssl_server_name on;` is set.
- If the upstream uses a self-signed certificate, append the self-signed CA to the trusted certificate file: `cat /path/to/upstream-ca.crt >> /etc/nginx/ssl/ca-chain.crt`, then reload nginx: `nginx -s reload`
- If the upstream hostname differs, use proxy_ssl_name to set the hostname expected during certificate verification: `proxy_ssl_name $upstream_host; proxy_ssl_server_name on;`
Ineffective attempts
Common but ineffective approaches:
- 30% failure: Bypasses certificate validation, leaving the connection vulnerable to MITM attacks and violating security policies.
- 50% failure: Misapplies configuration to the client side, not the upstream; the upstream SSL verify error persists.
- 60% failure: Nginx needs the full CA chain to build trust; missing intermediate CA certificates cause the same error.