[GH-ISSUE #2742] routines:ssl3_read_bytes:tlsv1 unrecognized name #1885

Open
opened 2026-02-26 07:32:56 +03:00 by kerem · 7 comments

Originally created by @franciscopaniskaseker on GitHub (Mar 24, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2742

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
When I execute this curl

```
curl https://192.168.1.173:443
curl: (35) error:14094458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name
```

I got tlsv1 error. I tried to enable tlsv1 and set up a cert, but it did not work. Is this an openresty problem or npm config?

Nginx Proxy Manager Version
latest, installed yesterday.

To Reproduce
just execute the curl under https://ip:443

Expected behavior
passthrough ssl handshake without problems.

Operating System
ubuntu 20.05


@Balder1840 commented on GitHub (Aug 7, 2023):

I got the same issue when I set the proxy_host's Domain Name as an IP address. It seems that SNI does not support literal IP addresses.

> check following links:
> https://serverfault.com/questions/1047374/nginx-and-https-specifying-an-ip-address-as-a-server-name-gives-the-correct-we
> https://nginx.org/en/docs/http/configuring_https_servers.html
> https://github.com/openssl/openssl/issues/8083
> https://github.com/haproxy/haproxy/issues/332#issuecomment-544969151
> https://www.rfc-editor.org/rfc/rfc6066#section-3
> https://www.ietf.org/archive/id/draft-nygren-tls-ip-in-sni-00.html

And please let me know if you solved this. Thanks.

@dinbtechit commented on GitHub (Mar 14, 2024):

I'm having the same issue here. Unfortunately not sure how to fix it. As per the suggestion in #3627 I created a self-signed cert and uploaded it as a custom cert and restarted the nginx proxy but still the https is not working.

I poked around the configuration a bit. The Nginx 443 SSL configuration does not appear to have any location.

Exec into the container:

```
docker-compose exec app bash
```

and view the nginx default.conf file

```
[root@docker-f4926e3b49c5:/etc/nginx/conf.d]# cat default.conf
# "You are not configured" page, which is the default if another default doesn't exist
server {
	listen 80;
	listen [::]:80;

	set $forward_scheme "http";
	set $server "127.0.0.1";
	set $port "80";

	server_name localhost-nginx-proxy-manager;
	access_log /data/logs/fallback_access.log standard;
	error_log /data/logs/fallback_error.log warn;
	include conf.d/include/assets.conf;
	include conf.d/include/block-exploits.conf;
	include conf.d/include/letsencrypt-acme-challenge.conf;

	location / {
		index index.html;
		root /var/www/html;
	}
}

# First 443 Host, which is the default if another default doesn't exist
server {
	listen 443 ssl;
	listen [::]:443 ssl;

	set $forward_scheme "https";
	set $server "127.0.0.1";
	set $port "443";

	server_name localhost;
	access_log /data/logs/fallback_access.log standard;
	error_log /dev/null crit;
	include conf.d/include/ssl-ciphers.conf;
	ssl_reject_handshake on;

	return 444;
}
```

There is some documentation on how to override the nginx config but no idea how to update the server 443 session.
https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations

Hope someone who has better knowledge of Nginx Proxy Manager can help to figure out how to fix this. 🙏🙏


@akuznecov commented on GitHub (Mar 16, 2024):

Hello !

I just faced the same issue, and it seems it is caused by the `ssl_reject_handshake on;` instruction set in NPM virtual host configurations.

To avoid it you have to use a modified cURL command, for example:

```
curl -k -I -X GET --resolve domain.name:443:192.168.0.228 https://domain.name
```

Additionally, in advanced configurations, when you have an extra proxy server in front of NPM, you have to add the following lines to this extra proxy's configuration (not to NPM):

```
proxy_ssl_server_name  on;
proxy_ssl_name         $http_host;
```

@stefano-cherchi commented on GitHub (Jun 28, 2024):

Just faced the same problem and the reason was I forgot to add

```
proxy_ssl_server_name  on;
```

to my configuration


@k4mil666 commented on GitHub (Sep 12, 2024):

Hello,

I'm currently facing this issue and attempted the suggested solution mentioned here, but unfortunately, it didn’t work for me. Has anyone managed to resolve this successfully? I would appreciate any advice or alternative solutions.

```
root@kk:~# curl https://192.168.2.17/
curl: (35) error:0A000458:SSL routines::t
```

Thank you in advance!


@k4mil666 commented on GitHub (Sep 13, 2024):

I managed to resolve the issue. The problem is that curl in its basic form (without additional options) doesn't send an SNI when an IP address is provided in the URL. In configuration, there's an option ssl_reject_handshake in the default.conf, which rejects connections without an SNI.

To solve this, you can create a file in data/custom/ called http_top.conf and include your configuration without this option. After that, the connection to the IP address should work.


@github-actions[bot] commented on GitHub (Jun 12, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍
