Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

2020-11-09 Thread Maxim Dounin
Hello!

On Mon, Nov 09, 2020 at 03:48:08PM -0500, meniem wrote:

> Thanks Maxim for your feedback.
> 
> Yeah, I believe it's an issue with the intermediate certificates. So, can
> you please let me know how I can obtain these intermediate certificates so
> that I can append them to the certificate itself.
> 
> I also can't change this from the upstream server, as we are getting those
> from one of our providers.
> 
> Currently I have the Certificate, Key and CA files only.

Likely the CA file contains the needed intermediate certificate.
A quick-and-dirty test would be to simply add all the CA file
contents to the proxy_ssl_certificate file, much like when
configuring certificate chains
(http://nginx.org/en/docs/http/configuring_https_servers.html#chains).

For more details, consider looking into the certificate 
itself and all certificates in the CA file by using the following 
command:

$ openssl x509 -subject -issuer -noout -in /path/to/cert

Results should allow you to build a chain from the certificate to
the self-signed root CA.  You'll need the first certificates from this
chain, including the certificate itself, to be in the
proxy_ssl_certificate file.  Most likely the certificate itself
and the intermediate CA certificate, as listed in the certificate
issuer, would be enough.

Note that the CA file likely contains more than one certificate, 
while openssl only shows information about the first certificate 
in a file.  You'll have to save each of them to a separate file 
for openssl to be able to see them.

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
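Maxim's openssl procedure above, scripted as an added example (not code from the thread or from nginx): it splits the CA file so every certificate in it can be inspected, walks subject/issuer from the client certificate up to the self-signed root, and writes the leaf-plus-intermediates file that his other reply further down this page says proxy_ssl_certificate should hold. It assumes openssl on PATH; the bundle, split directory and output file names are placeholders, not the poster's paths.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl on PATH; every file name
# below is a constructed placeholder, not one of the poster's paths.
set -eu

# openssl x509 only looks at the first certificate in a file, so write each PEM
# block of the CA bundle ($1) to its own file: $2/cert-01.pem, $2/cert-02.pem, ...
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); on = 1 }
    on { print > out }
    /-----END CERTIFICATE-----/ { on = 0; close(out) }' "$1"
}

# Subject or issuer ($1 = subject|issuer) of the first certificate in file $2, in
# RFC 2253 form so the two compare as plain strings across openssl versions.
name_of() {
  openssl x509 -noout -"$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# Walk from the client certificate ($1) towards the root: at each step pick the
# bundle file ($2 = dir from split_bundle) whose subject equals the current issuer.
# Prints the files leaf first and stops at a self-signed certificate. A missing
# issuer is exactly what makes the upstream send the "unknown ca" alert: return 1.
build_chain() {
  cur=$1
  while :; do
    echo "$cur"
    issuer=$(name_of issuer "$cur")
    [ "$(name_of subject "$cur")" = "$issuer" ] && return 0
    next=
    for f in "$2"/cert-*.pem; do
      [ "$(name_of subject "$f")" = "$issuer" ] && { next=$f; break; }
    done
    [ -n "$next" ] || { echo "no certificate for issuer $issuer in $2" >&2; return 1; }
    cur=$next
  done
}

# Write what proxy_ssl_certificate needs: the client certificate followed by its
# intermediates ($3 = output file). The self-signed root is left out; the upstream
# already holds it, and nginx adds nothing on its own (curl does, hence the difference).
proxy_chain_file() {
  chain=$(build_chain "$1" "$2") || return 1
  printf '%s\n' "$chain" | sed '$d' | while read -r f; do cat "$f"; done > "$3"
}
```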


Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

2020-11-09 Thread Thomas Ward

On 11/9/20 3:48 PM, meniem wrote:
> Thanks Maxim for your feedback.
>
> Yeah, I believe it's an issue with the intermediate certificates. So, can
> you please let me know how I can obtain these intermediate certificates so
> that I can append them to the certificate itself.
You will need to reach out to the certificate issuer/provider to get the
proper intermediate certificates.  There is no way for us on the nginx
mailing list or forums to provide you intermediate certificates.
> I also can't change this from the upstream server, as we are getting those
> from one of our providers.
>
> Currently I have the Certificate, Key and CA files only.

Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

2020-11-09 Thread meniem
Thanks Maxim for your feedback.

Yeah, I believe it's an issue with the intermediate certificates. So, can
you please let me know how I can obtain these intermediate certificates so
that I can append them to the certificate itself.

I also can't change this from the upstream server, as we are getting those
from one of our providers.

Currently I have the Certificate, Key and CA files only.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,289880,289929#msg-289929



Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

2020-11-09 Thread Maxim Dounin
Hello!

On Fri, Nov 06, 2020 at 04:35:43AM -0500, meniem wrote:

> Thanks Sergey for your quick reply.
> 
> I have checked the debug logs for the SNI (upstream SSL server name), and it
> seems to be correct. I also used the "proxy_ssl_name" directive, set to
> the proxied_server_name. Below is the debug output when I hit the endpoint:

[...]

> 2020/11/06 09:14:36 [debug] 30370#30370: *113140 connect to 1.2.3.4:443, fd:13 #11343

[...]

> 2020/11/06 09:14:36 [debug] 30370#30370: *113140 upstream SSL server name: "targetapp.com"

[...]

> 2020/11/06 09:14:37 [error] 30370#30370: *113140 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert$

The error is clear enough: the upstream server sent the "unknown 
CA" alert.  It is defined as follows
(https://tools.ietf.org/html/rfc5246#section-7.2.2):

   unknown_ca
      A valid certificate chain or partial chain was received, but the
      certificate was not accepted because the CA certificate could not
      be located or couldn't be matched with a known, trusted CA.  This
      message is always fatal.

That is, the upstream server got the certificate, but it does not
know the Certificate Authority used to sign the certificate.

As long as the IP address of the server and the SNI name are
correct, and the same certificate works with curl, this might
happen due to lack of some intermediate certificates.  These
certificates are added by curl automatically (as long as present
in the available list of CA certificates as provided to curl).  In
contrast, nginx does not add any certificates automatically.

If intermediate certs are indeed required by your upstream server, 
you can provide them by placing them into the 
proxy_ssl_certificate file following the certificate itself, much 
like additional intermediate certificates for the server 
certificate in the ssl_certificate file.

Alternatively, consider reconfiguring your upstream server not to
require intermediate certs from the client.  Providing all
required intermediate certificates on the server rather than
asking clients to send them along with their client certificates is
believed to be a better practice.

-- 
Maxim Dounin
http://mdounin.ru/


Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

2020-11-06 Thread meniem
Thanks Sergey for your quick reply.

I have checked the debug logs for the SNI (upstream SSL server name), and it
seems to be correct. I also used the "proxy_ssl_name" directive, set to
the proxied_server_name. Below is the debug output when I hit the endpoint:

2020/11/06 09:14:36 [debug] 30370#30370: *113140 http cleanup add: 000F8E3FFB8
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http upstream resolve: "/abc"
2020/11/06 09:14:36 [debug] 30370#30370: *113140 name was resolved to 1.2.3.4
2020/11/06 09:14:36 [debug] 30370#30370: *113140 get rr peer, try: 1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 stream socket 13
2020/11/06 09:14:36 [debug] 30370#30370: *113140 epoll add connection: fd:13 ev:8002005
2020/11/06 09:14:36 [debug] 30370#30370: *113140 connect to 1.2.3.4:443, fd:13 #11343
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http upstream connect: -2
2020/11/06 09:14:36 [debug] 30370#30370: *113140 posix_memalign: 003FFB8:128 @16
2020/11/06 09:14:36 [debug] 30370#30370: *113140 event timer add: 13: 6:1604656507
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http finalize request: -4, "/abc" a:1, c:2
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http request count:2 blk:0
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http run request: "/abc"
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http upstream check client, write event:1, "/abc"
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http upstream request: "/abc"
2020/11/06 09:14:36 [debug] 30370#30370: *113140 http upstream send request handler
2020/11/06 09:14:36 [debug] 30370#30370: *113140 malloc: 7F8EF805E0:72
2020/11/06 09:14:36 [debug] 30370#30370: *113140 upstream SSL server name: "targetapp.com"
2020/11/06 09:14:36 [debug] 30370#30370: *113140 tcp_nodelay
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_do_handshake: -1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_get_error: 2
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL handshake handler: 0
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_do_handshake: -1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_get_error: 2
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL handshake handler: 1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_do_handshake: -1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_get_error: 2
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL handshake handler: 0
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_do_handshake: -1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_get_error: 2
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL handshake handler: 1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_do_handshake: -1
2020/11/06 09:14:36 [debug] 30370#30370: *113140 SSL_get_error: 2
2020/11/06 09:14:37 [debug] 30370#30370: *113140 SSL handshake handler: 0
2020/11/06 09:14:37 [debug] 30370#30370: *113140 SSL_do_handshake: 0
2020/11/06 09:14:37 [debug] 30370#30370: *113140 SSL_get_error: 1
2020/11/06 09:14:37 [error] 30370#30370: *113140 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert$
2020/11/06 09:14:37 [debug] 30370#30370: *113140 http next upstream, 2
2020/11/06 09:14:37 [debug] 30370#30370: *113140 free rr peer 1 4
2020/11/06 09:14:37 [debug] 30370#30370: *113140 finalize http upstream request: 502
2020/11/06 09:14:37 [debug] 30370#30370: *113140 finalize http proxy request
2020/11/06 09:14:37 [debug] 30370#30370: *113140 close http upstream connection: 13
2020/11/06 09:14:37 [debug] 30370#30370: *113140 free: 0007F8EF0E0
2020/11/06 09:14:37 [debug] 30370#30370: *113140 free: 0007F8EFA2A0, unused: 32
2020/11/06 09:14:37 [debug] 30370#30370: *113140 event timer del: 13: 104613507
2020/11/06 09:14:37 [debug] 30370#30370: *113140 reusable connection: 0
2020/11/06 09:14:37 [debug] 30370#30370: *113140 http finalize request: 502, "/abc" a:1, c:1
2020/11/06 09:14:37 [debug] 30370#30370: *113140 http special response: 502, "/abc"
2020/11/06 09:14:37 [debug] 30370#30370: *113140 xslt filter header
2020/11/06 09:14:37 [debug] 30370#30370: *113140 HTTP/1.1 502 Bad Gateway
Server: nginx/1.12.2
Server: nginx/1.12.2
Date: Fri, 06 Nov 2020 09:14:37 GMT
Content-Type: text/html
Content-Length: 173
Connection: keep-alive

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,289880,289884#msg-289884



Re: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert

2020-11-05 Thread Sergey Kandaurov


> On 5 Nov 2020, at 22:18, meniem wrote:
> 
> I'm trying to set up an Nginx reverse proxy which redirects to a specific host
> that requires a certificate for proper functionality. But I get this error
> when I hit the endpoint from the browser:
> 
>     2020/11/05 19:55:21 [error] 6334#6334: *111317 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca:SSL alert n$

That means that the proxied HTTPS server could not build a full
certificate chain combined from what you have specified in the
proxy_ssl_certificate directive and their own CA certificate(s).
Hence, it aborts the handshake by sending the "unknown_ca" alert.

> 
> Here is the nginx configuration file:
> 
>     server {
>         listen 443 ssl;
>         listen [::]:443 ssl;
> 
>         ssl_certificate /home/ubuntu/appname.com.pem;
>         ssl_certificate_key /home/ubuntu/appname.com.key;
> 
>         server_name appname.com;
> 
>         ssl_protocols TLSv1.2;
> 
>         set $target_server targetapp.com:443;
> 
>         location /api/ {
>             rewrite ^/api(/.*) $1 break;
>             proxy_pass https://$target_server/$uri$is_args$args;
>             proxy_set_header X-Forwarded-Host $server_name;
>             proxy_set_header Host appname.com;
>             error_log /var/log/nginx/target_server.log debug;
>             proxy_set_header Accept-Encoding text/xml;
>             proxy_ssl_certificate /home/ubuntu/target_server_client.pem;
>             proxy_ssl_certificate_key /home/ubuntu/target_server_key.pem;
>             proxy_ssl_trusted_certificate /home/ubuntu/target_server_CA.pem;
>             proxy_ssl_verify off;
>             proxy_ssl_verify_depth 1;
>             proxy_ssl_server_name on;
>         }
>     }
> 
> I tried to enable/disable both `proxy_ssl_server_name` and
> `proxy_ssl_verify`, but both didn't fix the issue.

proxy_ssl_verify works in the opposite direction and would barely help.
It's used to verify the upstream server certificate, disabled by default.

> 
> When I SSH into that server and try the below curl command, I can get the
> expected correct response; it's only when I try to hit the endpoint from the
> browser:
> 
>     curl -vv --cert target_server_client.pem --key target_server_key.pem --cacert target_server_CA.pem --url https://targetapp.com/api 2>&1|less
> 

If proxy_ssl_certificate / proxy_ssl_certificate_key paths match those
specified in the curl command, then the problem can be somewhere else.

It could be that the behaviour depends on what server name is sent
through SNI.  In your case it depends on what's set in $target_server
(which also requires a resolver); here the SNI value will be "targetapp.com".
The name is otherwise specified in the proxy_ssl_name directive.

> I'm not sure what could be the issue, I suspect it would be that the Nginx
> proxy is using the IP address instead of host name in the endpoint, that's
> why it's giving an SSL verification issue. Because it's working by curl
> command properly. I also tried to enable the proxy_ssl_server_name, but it
> didn't help.

I'd check what's actually sent in SNI (upstream SSL server name).

You may want to explore debug messages for further insights.
http://nginx.org/en/docs/debugging_log.html

-- 
Sergey Kandaurov
