Why is my reverse proxy causing SSL handshake errors with my home server?
#1
I’ve been trying to set up a reverse proxy for my home server, but I keep running into weird SSL handshake errors between my VPS and the backend service. The configuration seems right, but something in the certificate chain or the proxy pass directives must be off. Has anyone else hit a wall with this specific setup?
#2
I ran into this last winter. VPS nginx proxying to my home server over TLS. The handshake kept failing with a certificate chain error. It turned out the proxy didn't have the intermediate certs installed, so the chain looked incomplete to clients. After I added the full chain to the proxy cert bundle, the errors disappeared and the backend cert verified.
#3
For me it wasn't the chain at first; it was SNI. The backend would present the right cert only when the Host header matched, and the proxy sent something generic. I forced the upstream to use SNI and ensured the hostname matched, and that helped—at least for some clients.
#4
Another time I thought the problem was the cert, but I later realized the issue was that the proxy_pass was pointing to http on the backend while TLS was expected end to end. The connection was getting blocked by a policy on the upstream TLS version. I swapped to a TLS passthrough instead of termination and that stalled my timeline, but I paused there rather than chase every cipher flag.
#5
Have you checked whether the certificate on the upstream matches the hostname your proxy uses, or if there is a mismatch in the trust chain between the VPS and the backend?
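The causes raised in this thread (incomplete chain, missing SNI, `http` vs `https` on `proxy_pass`, hostname and trust mismatch) gathered into one VPS-side nginx server block. This is an added example, not configuration from any poster; the hostname `home.example.com`, the address `203.0.113.10:8443` and all file paths are placeholder assumptions.

```nginx
# Added example: hostnames, addresses and paths below are placeholders.
server {
    listen 443 ssl;
    server_name home.example.com;

    # Client-facing certificate. The file holds the leaf certificate first,
    # followed by the intermediates, so clients receive a complete chain (#2).
    ssl_certificate     /etc/nginx/tls/home.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/home.example.com.key;

    location / {
        # Weak form, for comparison:
        #   proxy_pass http://203.0.113.10:8443;
        # Plaintext sent to a TLS listener fails before any certificate is
        # examined (#4). With https:// but no proxy_ssl_* lines, nginx sends
        # no SNI and does not verify the upstream certificate at all.

        # Corrected form: TLS to the backend.
        proxy_pass https://203.0.113.10:8443;

        # Send SNI so the backend can select the right certificate (#3).
        # proxy_ssl_name sets the name used for SNI and for the hostname
        # check; it is needed here because proxy_pass uses an IP address.
        proxy_ssl_server_name on;
        proxy_ssl_name        home.example.com;

        # Verify the backend certificate against a CA bundle the VPS trusts,
        # and allow for one intermediate between leaf and root (#5).
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-ca.pem;

        # Match the TLS version floor enforced by the backend (#4).
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Pass the original hostname so name-based routing on the backend
        # sees the same name that was sent in SNI.
        proxy_set_header Host $host;
    }
}
```

`nginx -t` checks the syntax and that the referenced certificate files load; verification failures against the backend show up in the nginx error log on the first proxied request.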

