OPNsense Forum » Archive » 22.7 Legacy Series » NGINX TLS Upstream
Topic: NGINX TLS Upstream (Read 2511 times)
ThyOnlySandman (Jr. Member, Posts: 85, Karma: 4)
NGINX TLS Upstream « on: January 13, 2023, 02:07:10 am »
I've been using NGINX to proxy an HTTP backend. Today I'm trying OPNsense Nginx TLS upstream to Nginx Proxy Manager.
Getting an HTTP error:
1 upstream SSL certificate verify error: (18:self signed certificate) while SSL handshaking to upstream
At first I had two different Let's Encrypt wildcard certs: one on OPNsense and one on the NPM proxy host.
Then I tried a host cert on NPM to see if it was the cause of the validation failure. Still the same error.
It connects if I disable OPNsense Nginx TLS verify.
And the 2nd Let's Encrypt cert is valid on the NPM host if accessed directly.
OPNsense has the Let's Encrypt X1 + intermediate in its trusted store.
Under Nginx upstream I have the X1 CA set as TLS: Trusted Certificate.
Ideas as to what I'm doing wrong with the certificate chain / Nginx TLS verify? Thanks.
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: NGINX TLS Upstream « Reply #1 on: January 13, 2023, 07:24:17 am »
Does the upstream use SNI?
Is the SNI name specified in the upstream settings on the OPNsense (TLS: Servername override)?
Is "TLS SNI Forwarding" enabled in the Location settings?
ThyOnlySandman (Jr. Member, Posts: 85, Karma: 4)
Re: NGINX TLS Upstream « Reply #2 on: January 13, 2023, 08:40:59 am »
Working. Thank you!
The location did not have TLS SNI forwarding enabled.
I had previously tried defining the TLS servername override, but it didn't matter since it wasn't on, and the DNS name was the same anyway with my split DNS.
As soon as I enabled SNI forward, my first site worked.
And with SNI forward enabled, my 2nd testing site got a new error: "upstream SSL certificate does not match."
I quickly realized I was a dummy, as it was a root-domain WordPress site. OPNsense had the proper non-wildcard host cert for the root domain + www.root, but I had loaded a wildcard on Nginx Proxy Manager. As soon as I enrolled a host certificate for the root domain and www on NPM, it also began working.
Fright (Hero Member, Posts: 1777, Karma: 164)
Re: NGINX TLS Upstream « Reply #3 on: January 13, 2023, 09:00:49 am »
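For readers mapping the GUI settings in Reply #1 and the resolution in Reply #2 to raw nginx, here is an added illustration that is not OPNsense's generated config and not from the thread: the upstream-verification directives, with the SNI lines that the "TLS SNI Forwarding" switch is assumed to control. Hostnames, the backend address and all file paths are placeholders.

```nginx
# Added example, not OPNsense's generated config. Paths and names are placeholders.
upstream npm_backend {
    server 192.0.2.10:443;   # constructed RFC 5737 address standing in for the NPM host
}

server {
    listen 443 ssl;
    server_name app.example.net;                    # placeholder
    ssl_certificate     /path/to/fullchain.pem;     # placeholder
    ssl_certificate_key /path/to/privkey.pem;       # placeholder

    location / {
        proxy_pass https://npm_backend;

        # Verify the backend's chain against the Let's Encrypt root and
        # intermediate (ISRG Root X1 plus the issuing intermediate), as in
        # the "TLS: Trusted Certificate" setting from the first post.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /path/to/isrg-root-x1-chain.pem;  # placeholder

        # Without proxy_ssl_server_name nginx sends no SNI to the backend.
        # A backend that picks certificates per name (NPM here) then answers
        # with its default certificate, which is typically self-signed, and
        # verification fails with "18:self signed certificate".
        proxy_ssl_server_name on;

        # proxy_ssl_name is both the SNI value sent and the name the backend
        # certificate is checked against. The default is the proxy_pass host
        # ("npm_backend"), which no real certificate matches; forwarding the
        # client's requested host is what makes the name check succeed.
        # A backend cert for the wrong name fails with
        # "upstream SSL certificate does not match", as seen in Reply #2.
        proxy_ssl_name $host;
    }
}
```

Keep `proxy_ssl_verify on` when enabling SNI; disabling verification makes the handshake succeed against any certificate, which is the failure mode the first post briefly tried.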
Great! Thanks for the feedback.