TeamCity agent can't connect to server via nginx proxy

I have been tasked with updating a long-dormant Team City installation (version 8.14) to the current version (2018.2), and enable connections via HTTPS.

I set up a test server and client, clones of the production servers. After testing the version upgrade, I successfully updated the server, running on Ubuntu Linux 16.04 LTS. Here's the relevant connector from server.xml:

<Connector port="80" protocol="org.apache.coyote.http11.Http11NioProtocol"
           connectionTimeout="60000"
           redirectPort="8543"
           useBodyEncodingForURI="true"
           socket.txBufSize="64000"
           socket.rxBufSize="64000"
           tcpNoDelay="1"
           />

The agent connects with no problems. Here's buildAgent.properties:

#Generated properties (see buildAgent.dist.properties for description)
#Tue Apr 29 16:15:32 UTC 2014
name=Delphi XE2 Agent-1
ownPort=9090
serverUrl=http\://10.0.0.26
workDir=D\:\\BuildAgent\\work
tempDir=D\:\\BuildAgent\\temp
systemDir=D\:\\BuildAgent\\system
#User defined properties
#Tue Apr 29 16:15:32 UTC 2014
#authorizationToken=548741ff342a8d446f395f1387cb0562
authorizationToken=8bf191303710828de8f92ad55aa44e4f
env.TEAMCITY_JRE=D\:\\BuildAgent\\jre
ownAddress=10.0.0.132

That worked, so I shut down the production servers (there's some time before the folks need to use this -- I'm un-mothballing these servers) and was working on the test systems.

Now I tried setting up SSL connectivity, using nginx as the proxy server. Here's the relevant connector from server.xml (with the domain switched to "example.com"):

<Connector
           relaxedPathChars="[]|"
           relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           enableLookups="false"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           port="8080"
           protocol="HTTP/1.1"
           proxyName="teamtest.example.com"
           proxyPort="443"
           redirectPort="8443"
           secure="true"
           scheme="https"
           useBodyEncodingForURI="true"
           />

Nginx config file (some ideas swiped from my Jira proxy config):

server {
    listen 443 ssl;
    server_name teamtest.example.com;
    ssl_certificate /etc/ssl/certs/star_example_com.crt;
    ssl_certificate_key /etc/ssl/private/star_example_com.key;
    ssl_protocols TLSv1.2 TLSv1.1;
    # NGINX usually only allows 1M per request. Increase
    # maximum attachment size (10M by default)
    client_max_body_size 10M;

    # Added 11/20/17 for additional security T.O.
    ssl_prefer_server_ciphers on;
    ssl_ciphers
    'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!3DES:!MD5:!PSK';
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # End 11/20/17

    location / {
        proxy_http_version 1.1;
        proxy_set_header Host $server_name:$server_port;
        proxy_set_header X-Forwarded-Host $http_host; # necessary for proper absolute redirects and TeamCity CSRF check
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade; # WebSocket support
        proxy_set_header Connection "Upgrade"; # WebSocket support
        proxy_pass http://teamtest.example.com:8080;
    }
}

This works, and I can connect to the web interface with my browser pointing to https://teamtest.example.com.

I should also mention that the certificate is from a recognized vendor, not self-signed.

For the agent, it's a different story; here's buildAgent.properties:

## TeamCity build agent configuration file

######################################
# Required Agent Properties #
######################################

## The address of the TeamCity server. The same as is used to open TeamCity web interface in the browser.
## Example: serverUrl=https://buildserver.mydomain.com:8111
serverUrl=https\://teamtest.example.com\:443

## The unique name of the agent used to identify this agent on the TeamCity server
## Use blank name to let server generate it.
## By default, this name would be created from the build agent's host name
name=Delphi XE2 Agent

## Container directory to create default checkout directories for the build configurations.
## TeamCity agent assumes ownership of the directory and will delete unknown directories inside.
workDir=D\:\\BuildAgent\\work

## Container directory for the temporary directories.
## TeamCity agent assumes ownership of the directory. The directory may be cleaned between the builds.
tempDir=D\:\\BuildAgent\\temp

## Container directory for agent state files and caches.
## TeamCity agent assumes ownership of the directory and can delete content inside.
systemDir=D\:\\BuildAgent\\system


######################################
# Optional Agent Properties #
######################################

## A token which is used to identify this agent on the TeamCity server for agent authorization purposes.
## It is automatically generated and saved back on the first agent connection to the server.
authorizationToken=


######################################
# Default Build Properties #
######################################
## All properties starting with "system.name" will be passed to the build script as "name"
## All properties starting with "env.name" will be set as environment variable "name" for the build process
## Note that value should be properly escaped. (use "\\" to represent single backslash ("\"))
## More on file structure: http://java.sun.com/j2se/1.5.0/docs/api/java/util/Properties.html#load(java.io.InputStream)

# Build Script Properties

#system.exampleProperty=example Value

# Environment Variables

#env.exampleEnvVar=example Env Value
env.TEAMCITY_JRE=D\:\\BuildAgent\\jre
ownPort=9090

When I try to start the agent, I get the following in teamcity-agent.log:

[2018-12-07 19:49:21,242] INFO - buildServer.AGENT.registration - Registering on server via URL "https://teamtest.example.com:443": AgentDetails{Name='Delphi XE2 Agent', AgentId=null, BuildId=null, AgentOwnAddress='null', AlternativeAddresses=[10.0.0.148, 54.158.33.12], Port=9090, Version='58658', PluginsVersion='NA', AvailableRunners=[], AvailableVcs=[], AuthorizationToken='', PingCode='whpDdwQTLgz04Cdy6QqcpAKBWzy2Kt65'}
[2018-12-07 19:49:21,242] WARN - buildServer.AGENT.registration - Error while asking server for the communication protocols via URL https://teamtest.example.com:443/app/agents/protocols. Will try later: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (enable debug to see stacktrace)
[2018-12-07 19:49:21,242] WARN - buildServer.AGENT.registration - Error registering on the server via URL https://teamtest.example.com:443. Will continue repeating connection attempts.

When I try https://teamtest.example.com:443/app/agents/protocols in my browser, I get: <list><string>polling</string></list>.

I've spent several hours using my Google-fu to no avail. Can someone here point me in the right direction? Thanks in advance!

Tadas
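An added diagnostic for the "PKIX path building failed" error in the log above; it is not from the post or from JetBrains tooling. It counts how many certificates the proxy actually sends (Java does not fetch missing intermediates the way browsers do, which is why a browser can succeed where the agent fails) and then replays the handshake using only the roots in the agent JRE's own trust store. It assumes openssl and keytool are on PATH, and that the third argument is a copy of the agent's lib/security/cacerts (the paths in the usage line are hypothetical).

```bash
#!/usr/bin/env bash
# Added diagnostic for the agent's "PKIX path building failed" error; not part
# of the original post or of TeamCity/JetBrains tooling.
# Assumes: openssl and keytool (from any JDK) on PATH; third argument is a copy
# of the agent JRE's lib/security/cacerts (hypothetical path).
set -u

# Count PEM certificate blocks read from stdin (pure text helper).
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# Fetch every certificate the TLS endpoint sends, with SNI set to the host name,
# and print them as PEM blocks. Java does not fetch missing intermediates via
# AIA the way browsers do, so the server must send the complete chain itself.
fetch_chain() {   # fetch_chain HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Replay the handshake trusting only the roots in the Java trust store, which is
# what the agent JVM effectively does. "Verify return code: 0 (ok)" means the
# agent should accept the server; 21 usually means no intermediate was sent,
# 20 means the issuing CA is not in this cacerts (old bundled JREs lack newer roots).
verify_with_java_truststore() {   # verify_with_java_truststore HOST PORT CACERTS
    local roots
    roots=$(mktemp)
    # "changeit" is the default cacerts password; -rfc exports entries as PEM.
    keytool -list -rfc -keystore "$3" -storepass changeit > "$roots" 2>/dev/null
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$roots" </dev/null 2>/dev/null \
        | grep -m1 'Verify return code'
    rm -f "$roots"
}

check_agent_tls() {   # check_agent_tls HOST PORT CACERTS
    local n
    n=$(fetch_chain "$1" "$2" | count_pem_certs)
    echo "server sent $n certificate(s) in the handshake"
    if [ "$n" -lt 2 ]; then
        echo "WARN: leaf only; nginx ssl_certificate should hold leaf + intermediates"
    fi
    verify_with_java_truststore "$1" "$2" "$3"
}

# Usage (runs only when invoked with arguments), e.g.:
#   ./check_agent_tls.sh teamtest.example.com 443 ./cacerts
if [ "$#" -ge 3 ]; then
    check_agent_tls "$1" "$2" "$3"
fi
```

Run it from the Ubuntu server against the public name the agent uses; a verify code other than 0 reproduces the agent's failure without touching the agent itself.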


The original poster says:

While I'd still like an answer to this, I've got a workaround that works for my circumstances - the server is open on port 443 to the world, the client is in a private network that can access the server with no blocked ports on the private network. I set up a second, HTTP connector on the server with a port that is blocked from the internet, and configured the agent to talk to the new, http-only port. The agent connects.

I put this in for anyone else who finds this post while trying to address the same problem. I've been beating my head against the wall on this on and off for a week. I hope this saves someone else's wall (and head).


Hi,

We have specific instructions on setting up TeamCity behind a proxy here: https://confluence.jetbrains.com/pages/viewpage.action?pageId=113084582#HowTo...-SetUpTeamCitybehindaProxyServer, including specific configurations for nginx.

This said, it seems that you are setting up the TeamCity server with SSL on top of the proxy. Usually the approach is to leave TeamCity behind the proxy with http, and the proxy provides the SSL layer instead, so you wouldn't need to configure anything in Tomcat itself. Could you share whether there is any specific reason for using a proxy *and* https on the server? More details on that can be found here: https://confluence.jetbrains.com/display/TCD18/Using+HTTPS+to+access+TeamCity+server
