Nginx SSL 502 bad gateway - SSL_do_handshake() failed

Please fill in any relevant information that applies to you:

• CentOS Version: CentOS 7 64bit ?
• Centmin Mod Version Installed: 123.09beta01
• Nginx Version Installed: 1.15.10
• PHP Version Installed: 7.0.33
• MariaDB MySQL Version Installed: 10.0.38
• When was last time updated Centmin Mod code base ? : Today run centmin.sh menu option 23 submenu option 2
• Persistent Config: Do you have any persistent config file options set in /etc/centminmod/custom_config.inc ? You can check via this command:
  
  Code (Text):

  EMAIL='[email protected]'          # Server notification email address enter only 1 address
  ZONEINFO=America/Sao_Paulo  # Set Timezone
  NGXDYNAMIC_NGXPAGESPEED='y'
  NGINX_PAGESPEED='y'
  LETSENCRYPT_DETECT='y'
  PHP_PGO='y'
  PHPPGO_INDEXPATH='/home/nginx/domains/mydomain.com/public/index.php'
  #LIBRESSL_SWITCH='n'
  OPENSSL_VERSION='1.1.1'
  #TLSONETHREE='y'
  CLANG='n'
  DEVTOOLSETSIX='n'
  DEVTOOLSETSEVEN='y'
  DEVTOOLSETEIGHT='n'
  NGINX_DEVTOOLSETGCC='y'
  

  
  
  Error Log (many lines but same error)
  
  Code (Text):

  2019/04/02 12:22:34 [error] 17262#17262: *356 SSL_do_handshake() failed (SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: X.X.X.X, server: myserverurl, request: "GET /api/path HTTP/2.0", upstream: "https://104.18.19.83:443/v1/path", host: "myserverurl", referrer: "https://myserverurl/path"
  

  
  
  I have an app working about 5 months, but since yesterday my website don't work and I got this error above every time.
  I have an VueJS App hosted, Nginx proxying from mysite/api/v1/path to targetsite/v1/path
  
  My syte custom nginx conf is:
  
  Code:

    location /api/ {
      rewrite ^/api^/ /$1 break;
      proxy_pass https://targetsite/v1/;
    }
  

  I've tried to update to the last centminmod, deleted and recreated mysite by Option 2, everything is working again with let's encrypt certificate tested with ssllabs.com.
  
  Sorry, but I don't understand about certificates, but when I tried to connect to targetsite throught openssl it give me error:
  
  
  
  Code:

  openssl s_client -connect targetsite:443
  
  CONNECTED(00000003)
  139715937351568:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
  ---
  no peer certificate available
  ---
  No client certificate CA names sent
  ---
  SSL handshake has read 7 bytes and written 289 bytes
  ---
  New, (NONE), Cipher is (NONE)
  Secure Renegotiation IS NOT supported
  Compression: NONE
  Expansion: NONE
  No ALPN negotiated
  SSL-Session:
      Protocol  : TLSv1
      Cipher    : 0000
      Session-ID:
      Session-ID-ctx:
      Master-Key:
      Key-Arg   : None
      Krb5 Principal: None
      PSK identity: None
      PSK identity hint: None
      Start Time: 1554208707
      Timeout   : 300 (sec)
      Verify return code: 0 (ok)
  ---
  

 

Ok,

I've removed and recompiled:

Code (Text):

nginx -V
nginx version: nginx/1.15.10 (020419-170651-centos7-kvm)
built by gcc 8.2.1 20180905 (Red Hat 8.2.1-3) (GCC)
built with OpenSSL 1.1.1b  26 Feb 2019
TLS SNI support enabled

1. No. VueJS App is on my server, upstream is in a different server with I don't have any access.
2. I don't know how to configure cloudflare settings like that :/ but I've defined TLS 1.2 on nginx host config
3. Yeah, my App was running before and they may have changed to cloudflare at remote host.
4. Well, I've tried all that options, one by one:

Code:

  location /api/ {
    rewrite ^/api^/ /$1 break;
    proxy_pass https://api.iugu.com/v1/;
    proxy_ssl_trusted_certificate /usr/local/nginx/conf/ssl/mysiteurl/mysiteurl-acme.cer;
    proxy_ssl_certificate /usr/local/nginx/conf/ssl/mysiteurl/mysiteurl-acme.cer;
    proxy_ssl_certificate_key /usr/local/nginx/conf/ssl/mysiteurl/mysiteurl-acme.key;
    proxy_ssl_verify       on;
    proxy_ssl_verify_depth 2;
    proxy_ssl_session_reuse on;
    proxy_ssl_protocols TLSv1.2;
    proxy_ssl_ciphers   TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GC$-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
    proxy_ssl_name mysiteurl;
    proxy_ssl_server_name on;
  }

Check they ssltest over cloudflare as you said: SSL Server Test: api.iugu.com (Powered by Qualys SSL Labs)

I'm trying my best, but I don't know what happened.

 

It's working, remote site is api.iugu.com

I'm talking with they, but they don't know what happen too.
I've tested by direct access from my DEV (running express as webserver) and it works, but by proxy with nginx it don't work :/

It seems now to be authentication with cloudflare from my site.
How can I send the certificate correctly to cloudflare authentication?

I've tried to uncomment these lines, but got Error 400.

Code (Text):

  ssl_client_certificate /usr/local/nginx/conf/ssl/cloudflare/mysiteurl/origin.crt;
  ssl_verify_client on;

 

I'm so grateful for all your help even outside of centminmod, you're really a great guy!
I hope to solve this issue fast as I can, I'll keep trying until fix it. Then it will help others too.

 

Hello guys,

I couldn't wait until fix this issue of communication between my nginx to remote api through ssl/tls, but is there a wordkaround.

I use centminmod to host any webapp or web page because the way to deal with nginx, php-fpm, vhosts with valid certificate by letsencrypt, ftp integrated, mariadb ready to use, cache, etc... and I love it for years.

This time I'm dealing with a vuejsApp that means pure static webapp (html,css,js).
From Javascript I call remote Api to work with dynamic data and all commands is from/to remote api.

My 1st try:
MyApp -> remote api directly.
failed due to CORS

My 2nd try:
MyApp -> remote api (throught nginx location /api/, then proxypass to https://remoteapiurl)
worked until days ago, when remote api has implemented cloudflare

My last try:
Create a new proxy hosted with MyApp to run with nodejs:

Code:

var express = require('express')
var proxy = require('http-proxy-middleware')
var app = express()
app.use('/api', proxy({ target: 'http://remoteapiurl', changeOrigin: true }))
app.listen(3000)

MyApp -> new proxy throught nginx location /api/ -> remote api

working


I hope it helps who have the same problem, or someone can solve the first 2 tries too.

 

That's exactly as was, my try 2.
Centmin Mod Nginx is my webserver hosting vueapp that's connect to this local proxy server in node (at same host).
Whats' changed?
Proxy. Instead off built-in nginx proxypass to remoteapi, now I need to proxypass to localhost proxy, that proxy again to remote api.

Just host local proxy inside private folder of MyApp that's on public.

 

Gotcha!

remote api is an internet app paid monthly, it's not mine.