I am trying to use proxy_ssl_verify on, but I am getting back 502 Bad Gateway. When I look at the logs I see:
2014/08/12 18:08:03 [error] 21007#0: *3 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: XX.XXX.XXX.214, server: api.mydomain.io, request: "GET /v1 HTTP/1.1", upstream: "https://XXX.XXX.XXX.150:443/api/";, host: "api.mydomain.io". I am using a proxy_ssl_trusted_certificate which is pointing to the valid CA trust file. Here are the significant portions of the config. location ~ ^/v1/?(?<url>.+)? { resolver 208.67.222.222 208.67.220.220 valid=300s; resolver_timeout 10s; proxy_intercept_errors on; proxy_hide_header Vary; proxy_set_header Host "$remote_user.mydomain.io"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass https://$remote_user.mydomain.io/api/$url; proxy_connect_timeout 10s; proxy_read_timeout 60s; proxy_ssl_session_reuse on; proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt; proxy_ssl_verify on; proxy_ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNU$ } The SSL certificate for the upstream is indeed valid as verified with SSL Labs. Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252518,252518#msg-252518 _______________________________________________ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
