Using proxy_ssl_verify getting error: upstream SSL certificate verify error: (20:unable to get local issuer certificate)
justink101
nginx-forum at nginx.us
Wed Aug 13 01:12:34 UTC 2014
I am trying to use proxy_ssl_verify on, but I am getting back 502 Bad
Gateway. When I look at the logs I see:
2014/08/12 18:08:03 [error] 21007#0: *3 upstream SSL certificate verify
error: (20:unable to get local issuer certificate) while SSL handshaking to
upstream, client: XX.XXX.XXX.214, server: api.mydomain.io, request: "GET /v1
HTTP/1.1", upstream: "https://XXX.XXX.XXX.150:443/api/", host:
"api.mydomain.io".
I am using a proxy_ssl_trusted_certificate which is pointing to the valid CA
trust file. Here are the significant portions of the config.
location ~ ^/v1/?(?<url>.+)? {
resolver 208.67.222.222 208.67.220.220 valid=300s;
resolver_timeout 10s;
proxy_intercept_errors on;
proxy_hide_header Vary;
proxy_set_header Host "$remote_user.mydomain.io";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://$remote_user.mydomain.io/api/$url;
proxy_connect_timeout 10s;
proxy_read_timeout 60s;
proxy_ssl_session_reuse on;
proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
proxy_ssl_verify on;
proxy_ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM
EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256
EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNU$
}
The SSL certificate for the upstream is indeed valid as verified with SSL
Labs.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,252518,252518#msg-252518
More information about the nginx
mailing list