Nginx reverse proxy SSL handshake error
Solution 1:
Without duplicating the private key and certificate, the handshake cannot complete:
A TLS (version 1.3) handshake is initiated by a ClientHello message, to which ServerHello, EncryptedExtensions, Certificate, and CertificateVerify messages are expected in response. The Certificate message contains the certificate and the CertificateVerify message contains a signature computed using the private key. Hence, the handshake cannot complete without duplicating the private key and certificate.
You need to duplicate.
When you think about the properties of SSL/TLS, the need for duplication should become intuitive, because SSL/TLS is used for server authentication (which requires the private key, otherwise authentication wouldn't be achieved).
Alternatively, you could use two distinct private keys and certificates. I'll elaborate if that's acceptable for you.
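As an added example (not part of the original answer): an nginx configuration showing where the certificate and private key have to be present so that the handshake described above can complete. The proxy terminates TLS towards clients with ssl_certificate and ssl_certificate_key, then opens its own TLS connection to the backend, which holds a copy of the same key pair. The hostnames, file paths and the backend address are assumptions.

```nginx
# Added example, not from the original post. Hostnames and paths are assumed.
# The reverse proxy is the TLS server that the browser talks to, so it must
# hold the private key that signs CertificateVerify, plus the certificate
# sent in the Certificate message.
server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # Certificate message
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # signs CertificateVerify

    location / {
        # The proxy is now the TLS *client* towards the backend. Verify the
        # backend's certificate rather than blindly trusting it.
        proxy_pass https://10.0.0.10:8443;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name www.example.com;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Backend (e.g. a second nginx on 10.0.0.10). It is the TLS server for the
# proxy's connection, so it also needs a certificate and private key; here a
# copy of the same pair, matching the "duplicate" option in the answer.
server {
    listen 8443 ssl;
    server_name www.example.com;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    root /var/www/html;
}
```

A `listen 443 ssl` block with no ssl_certificate_key cannot produce CertificateVerify, so the client handshake fails before any proxying happens. The alternative the answer mentions, a distinct internal key pair on the backend, only changes the second block: issue that pair from an internal CA, point proxy_ssl_trusted_certificate at that CA and set proxy_ssl_name to the name in the backend's certificate.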