Increase proxy_ssl_verify_depth to handle intermediate certificates #182

Merged: rpardini merged 1 commit into rpardini:master from calvincheng8:master, Jul 1, 2026
@calvincheng8

Contributor

Receiving an SSL error now since an intermediate certificate was added to docker.io:

```
2026/06/15 19:12:14 [error] 75#75: *11 upstream SSL certificate verify error: (22:certificate chain too long) while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "GET /token?scope=repository%3Alibrary%2Fubuntu%3Apull&service=registry.docker.io HTTP/1.1", upstream: "https://104.18.43.178:443/token?scope=repository%3Alibrary%2Fubuntu%3Apull&service=registry.docker.io", host: "auth.docker.io"
2026/06/15 19:12:14 [warn] 75#75: *11 upstream server temporarily disabled while SSL handshaking to upstream, client: 127.0.0.1, server: proxy_caching_, request: "GET /token?scope=repository%3Alibrary%2Fubuntu%3Apull&service=registry.docker.io HTTP/1.1", upstream: "https://104.18.43.178:443/token?scope=repository%3Alibrary%2Fubuntu%3Apull&service=registry.docker.io", host: "auth.docker.io"
```

After increasing proxy_ssl_verify_depth to 3, the problem is fixed.

```
{"access_time":"15/Jun/2026:19:21:50 +0000","upstream_cache_status":"HIT","method":"HEAD","uri":"/v2/library/ubuntu/manifests/24.04","request_type":"manifest-secondary","status":"200","bytes_sent":"0","upstream_response_time":"","host":"registry-1.docker.io","proxy_host":"registry-1.docker.io","upstream":""}
{"access_time":"15/Jun/2026:19:21:50 +0000","upstream_cache_status":"","method":"GET","uri":"/v2/library/ubuntu/referrers/sha256:01a14a568a5c77390e74eefc7a2106206f4605338cb7e86e8bf06a18452b5169","request_type":"unknown","status":"401","bytes_sent":"157","upstream_response_time":"0.328","host":"registry-1.docker.io","proxy_host":"registry-1.docker.io","upstream":"54.234.221.194:443"}
{"access_time":"15/Jun/2026:19:21:50 +0000","upstream_cache_status":"","method":"GET","uri":"/token","request_type":"unknown","status":"200","bytes_sent":"5421","upstream_response_time":"0.131","host":"auth.docker.io","proxy_host":"auth.docker.io","upstream":"104.18.43.178:443"}
{"access_time":"15/Jun/2026:19:21:51 +0000","upstream_cache_status":"","method":"GET","uri":"/v2/library/ubuntu/referrers/sha256:01a14a568a5c77390e74eefc7a2106206f4605338cb7e86e8bf06a18452b5169","request_type":"unknown","status":"200","bytes_sent":"89","upstream_response_time":"0.340","host":"registry-1.docker.io","proxy_host":"registry-1.docker.io","upstream":"3.238.169.28:443"}
```

Fixes #181
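
The error-log signature quoted in the description above can be triaged automatically. This is an added example, not part of the pull request or the project's code: it scans nginx error-log lines for upstream certificate verify failures and groups them by host and OpenSSL verify code. The sample lines are modelled on the error in the post with the request shortened; the 192.0.2.x peers and the host registry.example.internal are constructed.

```python
import re
from collections import defaultdict

# OpenSSL verify codes as nginx prints them in "(code:reason)".
REMEDY = {
    22: "chain exceeds proxy_ssl_verify_depth; raise the depth",
    20: "issuer missing from the proxy_ssl_trusted_certificate bundle",
    10: "upstream certificate has expired",
}

VERIFY_ERR = re.compile(
    r'upstream SSL certificate verify error: \((?P<code>\d+):(?P<reason>[^)]*)\)'
    r'.*?upstream: "https://(?P<peer>[^/"]+)[^"]*", host: "(?P<host>[^"]+)"'
)

def triage(lines):
    """Group verify failures as (host, code) -> set of upstream peer addresses."""
    found = defaultdict(set)
    for line in lines:
        m = VERIFY_ERR.search(line)
        if m:
            found[(m["host"], int(m["code"]))].add(m["peer"])
    return dict(found)

def report(found):
    """One line per (host, code), with the likely proxy-side cause."""
    return [
        f"{host}: verify error {code} via {', '.join(sorted(peers))} -> "
        f"{REMEDY.get(code, 'look up this OpenSSL verify code')}"
        for (host, code), peers in sorted(found.items())
    ]

# Constructed sample input (see the note above the block).
_TPL = ('2026/06/15 19:12:14 [error] 75#75: *11 upstream SSL certificate verify '
        'error: ({err}) while SSL handshaking to upstream, client: 127.0.0.1, '
        'server: proxy_caching_, request: "GET /token HTTP/1.1", '
        'upstream: "https://{peer}/token", host: "{host}"')
SAMPLE = [
    _TPL.format(err="22:certificate chain too long",
                peer="104.18.43.178:443", host="auth.docker.io"),
    _TPL.format(err="22:certificate chain too long",
                peer="192.0.2.20:443", host="auth.docker.io"),
    _TPL.format(err="20:unable to get local issuer certificate",
                peer="192.0.2.10:443", host="registry.example.internal"),
    # The follow-up [warn] line carries no verify code and must be ignored.
    '2026/06/15 19:12:14 [warn] 75#75: *11 upstream server temporarily '
    'disabled while SSL handshaking to upstream',
]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE))))
```

Code 22 is the only one of these that a depth change addresses; the other codes point at the trust bundle or the upstream certificate itself.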

@ChristianCiach


Pinging @rpardini for attention. This is an important fix.

@rpardini merged commit f341c1d into rpardini:master on Jul 1, 2026
6 checks passed
Development

Successfully merging this pull request may close these issues.

proxy_ssl_verify_depth 2; not enough anymore