I've been using NGINX to proxy an HTTP backend. Today I'm trying OPNsense Nginx TLS upstream to Nginx Proxy Manager.
Getting an HTTP error:
upstream SSL certificate verify error: (18:self signed certificate) while SSL handshaking to upstream
At first I had two different Let's Encrypt wildcard certs: one on OPNsense and one on the NPM proxy host.
Then I tried a host cert on NPM to see if it was the cause of the validation failure. Still the same error.
It connects if I disable OPNsense Nginx TLS verify.
And the 2nd Let's Encrypt cert is valid on the NPM host if accessed directly.
OPNsense has the Let's Encrypt X1 + intermediate in its trusted store.
Under Nginx upstream I have the X1 CA set as TLS: Trusted Certificate.
Any ideas as to what I'm doing wrong with the certificate chain / Nginx TLS verify? Thanks.
Does the upstream use SNI?
Is the SNI name specified in the upstream settings on the OPNsense (TLS: Servername override)?
Is "TLS SNI Forwarding" enabled on Location settings?
Working. Thank you!
The location did not have TLS SNI forwarding enabled.
I had previously tried defining TLS servername override, but it didn't matter since it wasn't on and the DNS name is the same anyway with my split DNS.
As soon as I enabled SNI forward, my first site worked.
And with SNI forward enabled, my 2nd testing site got a new error: "upstream SSL certificate does not match."
I quickly realized I was a dummy, as it was a root-domain WordPress site. OPNsense had the proper non-wildcard host cert for the root domain + www.root, but I had loaded a wildcard on Nginx Proxy Manager. As soon as I enrolled a host certificate for the root domain and www on NPM, it also began working.
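As an added example that is not from this thread: an nginx.conf fragment showing the upstream TLS settings behind the fix, with the OPNsense GUI labels given as my assumed mapping to the underlying nginx directives; host names, addresses and certificate paths are placeholders.

```nginx
# Constructed example: reverse proxy that verifies the certificate of an
# HTTPS upstream (Nginx Proxy Manager) instead of trusting it blindly.

upstream npm_backend {
    server 192.0.2.10:443;   # placeholder: NPM listening on the LAN
}

server {
    listen 443 ssl;
    server_name app.example.com;
    ssl_certificate     /usr/local/etc/nginx/certs/app.example.com.fullchain.pem;
    ssl_certificate_key /usr/local/etc/nginx/certs/app.example.com.key;

    location / {
        proxy_pass https://npm_backend;
        proxy_set_header Host $host;

        # Verify the upstream chain against the Let's Encrypt root
        # (assumed mapping: "TLS: Trusted Certificate" in the OPNsense GUI).
        # Depth 2 covers leaf -> intermediate -> ISRG Root X1.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /usr/local/etc/nginx/certs/isrgrootx1.pem;

        # BROKEN: proxy_ssl_server_name defaults to off, so no SNI is sent.
        # NPM then answers with its default self-signed certificate and the
        # handshake fails with "(18:self signed certificate)".
        # proxy_ssl_server_name off;

        # FIXED: send SNI (assumed mapping: "TLS SNI Forwarding" on the
        # location) so NPM selects the certificate for the requested host.
        proxy_ssl_server_name on;

        # Name used for SNI and for the hostname check against the upstream
        # certificate (assumed mapping: "TLS: Servername override"). Without
        # it nginx uses $proxy_host, here the upstream name "npm_backend",
        # which no certificate would match. Note that a wildcard such as
        # *.example.com does not cover the apex example.com, which produces
        # "upstream SSL certificate does not match" on a root-domain site.
        proxy_ssl_name $host;
    }
}
```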
Great!
Thanks for the feedback.