Nginx reverse proxy error:14077438:SSL SSL_do_handshake() failed
So I am using the following settings to create a reverse proxy for a site, as below.

  server {
      listen 80;
      server_name mysite.com;
      access_log  /var/log/nginx/access.log;
      error_log   /var/log/nginx/error.log;
      root /home/ubuntu/p3;
      location / {
          proxy_pass  https://mysiter.com/;
          proxy_redirect  https://mysiter.com/ $host;
          proxy_set_header Accept-Encoding "";
      }
  }

But I am getting a 502 Bad Gateway error, and below is the log.

2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"
2016/08/13 09:42:28 [error] 26809#0: *60 SSL_do_handshake() failed (SSL: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error) while SSL handshaking to upstream, client: 103.255.5.68, server: mysite.com, request: "GET / HTTP/1.1", upstream: "https://105.27.188.213:443/", host: "mysite.com"

Any help will be greatly appreciated.

Valer answered 13/8, 2016 at 9:50 Comment(1)
NGINX does currently use TLSv1.3 by default. If your backend enforces TLSv1.3, you will receive a similar SSL_do_handshake() failed error. Tell nginx to use TLSv1.3 by adding the following to your location block: proxy_ssl_protocols TLSv1.3 - Rumilly
Seeing the exact same error on Nginx 1.9.0 and it looks like it was caused by the HTTPS endpoint using SNI.

Adding this to the proxy location fixed it:

proxy_ssl_server_name on;

Domino answered 5/3, 2018 at 18:5 Comment(1)
Does not work with Cloudflare? - DNS points to prohibited IP Error 1000 - Kulseth
There are a couple of oddities with your configuration. Firstly, what are you proxying to? Do you have another server block with server_name mysiter.com listening on port 443 which serves the app? If yes, then what you want here is a 301 redirect to your 443 block. If not, then the proxy will end up in the same location block, forming a loop (because you haven't specified a different port).

The error that you posted is because your upstream doesn't have a certificate to offload the SSL. To solve this, you need to change your proxy_pass directive to plain HTTP.

proxy_pass  http://mysiter.com/;

Or you'll need to provide a certificate for the backend server to use.

Check out the docs for more info. This blog might also be of use.

Yetah answered 15/8, 2016 at 14:47 Comment(2)
Thank you for your answer - using just http instead of a second https in the proxy_pass parameter does it for me. I already had the proxy_ssl_server_name on. - Trough
It works for me with proxy_pass xxx.de. You have to come on it for now. Maybe it's HTTP/2 related? - Kulseth
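Pulling together the SNI fix from Domino's answer and the protocol note from the first comment, here is an added example location block (not from the question or any of the answers) that keeps HTTPS to the upstream, sends SNI, and verifies the upstream certificate, rather than downgrading proxy_pass to plain HTTP as Yetah's answer suggests. The hostnames are the ones from the question; the CA bundle path is a placeholder for whatever trust store your system uses.

```nginx
# Added example, not part of the original question or answers.
# mysite.com / mysiter.com are the names used in the question;
# the CA bundle path below is a placeholder.
server {
    listen 80;
    server_name mysite.com;
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;

    location / {
        proxy_pass https://mysiter.com/;

        # Send the upstream hostname in the TLS ClientHello (SNI). Front ends
        # that host several certificates on one IP cannot pick one without it,
        # which is what surfaces as "SSL_do_handshake() failed ... internal error".
        proxy_ssl_server_name on;
        # Name used for SNI and certificate verification. nginx derives it from
        # proxy_pass by default; stating it explicitly avoids surprises when
        # proxy_pass is later changed to a variable or a bare IP.
        proxy_ssl_name mysiter.com;

        # Only offer current protocol versions to the upstream.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Verify the upstream certificate chain and hostname. The nginx default
        # is off, which silently accepts any certificate the upstream presents.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;  # placeholder path

        # Reuse upstream TLS sessions to keep handshake cost down.
        proxy_ssl_session_reuse on;

        # The upstream virtual host is mysiter.com, so send that as Host and
        # pass the original client details along as forwarded headers.
        proxy_set_header Host mysiter.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding "";

        # Rewrite Location headers from the upstream back to this site.
        proxy_redirect https://mysiter.com/ $scheme://$host/;
    }
}
```

Run `nginx -t` after editing and watch the error log while issuing one request. To confirm that SNI is the cause before changing anything, compare `openssl s_client -connect mysiter.com:443 -servername mysiter.com` with the same command without `-servername`: if only the second form fails the handshake, proxy_ssl_server_name is the missing piece. If proxy_ssl_verify then rejects the upstream, fix the trust store or the upstream certificate rather than turning verification off.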
