nginx tlsv1 alert unknown ca:SSL alert number 48
Solution 1:
...ssl3_read_bytes:tlsv1 alert unknown ca
The upstream server can not validate the send client certificate since it is missing intermediate certificates. Therefore it sends back to nginx the cause of the problem as an alert. The fix is probably to add the necessary intermediate certificates to client.pem
in the right order (i.e. leaf certificate first, then what signed leaf certificate etc).
But why did it work with curl then: Depending on which TLS stack is used with curl and maybe depending on the version of curl it will automatically combine the certificate given with --cert
with matching intermediate certificates given in --cacert
and send the full chain to the server as part of the client certificate. If this is done then the server can successfully validate the client certificate.