This is indeed a bug in the AJP connector. Can you please file a JIRA?
As a workaround, you can use a new feature we have for http-listener to get forwarded certificates in headers.
All you need is to add certificate-forwarding=true to the http-listener and then configure the proxy to forward the cert as part of the headers.
Nginx config would look something like this:
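
The configuration from the post is not reproduced on this page. What follows is an added example, not the poster's own config, of a TLS-terminating nginx server that forwards the verified client certificate to an http-listener with certificate-forwarding=true. The header names are the ones Undertow's SSL header handling reads; the host name, file paths, backend address and the choice of `$ssl_client_cert` as the certificate encoding are assumptions.

```nginx
# Added example (assumed names and paths): nginx terminates TLS and forwards
# the client certificate to WildFly's plain http-listener in request headers.
server {
    listen 443 ssl;
    server_name app.example.test;                       # placeholder host name

    ssl_certificate        /etc/nginx/tls/server.crt;   # placeholder paths
    ssl_certificate_key    /etc/nginx/tls/server.key;

    # CA that client certificates must chain to; with "on", nginx rejects
    # requests that do not present a certificate verified against it.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;

    location / {
        # proxy_set_header replaces any header of the same name sent by the
        # client, so the backend only sees values taken from the TLS session.
        proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;
        proxy_set_header SSL_CIPHER      $ssl_cipher;
        proxy_set_header SSL_SESSION_ID  $ssl_session_id;

        # Assumed backend address: an http-listener bound to loopback.
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Because the listener trusts these headers, it should accept connections only from the proxy (for example by binding it to loopback or an internal interface). Set the three headers in every location that proxies to it.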