Help on proxy_ssl_trusted_certificate

alpotr nginx-forum at forum.nginx.org
Sun Jun 25 01:36:17 UTC 2017


Hi,

I am trying to validate the upstream server by enabling
proxy_ssl_trusted_certificate and proxy_ssl_verify. I've tried to build the
pem in so many ways. I tried just the CA, CA + intermediate,
CA + intermediate + server. But I still keep getting this error message.

2017/06/24 23:56:31 [error] 3512#0: *1 upstream SSL certificate verify
error: (20:unable to get local issuer certificate) while SSL handshaking
to upstream, client: 127.0.0.1, server: , request: "POST / HTTP/1.1",
upstream: "https://203.105.61.190:443/", host: "localhost:8443"

Below is my config file and my current pem file. I've commented in and out a
number of these options but they still don't work.

The test website is https://test.paydollar.com. The pem file is created by
downloading it through the browser.

The way I tested this is by issuing a curl request like this:

curl -X POST http://localhost:8443/x

Config File:
--------------------------------------------------
server {
        listen       8443;

        location / {
#            proxy_set_header Host      $host;
#            proxy_set_header Host      $remote_addr;
#            proxy_set_header X-Real-IP $remote_addr;
#            proxy_set_header X-Forwarded-Host $host;
#            proxy_set_header X-Forwarded-Server $host;
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass https://test.paydollar.com;
            proxy_ssl_verify on;
            proxy_ssl_trusted_certificate /etc/nginx/conf.d/test2.pem;
#            proxy_ssl_name "test.paydollar.com";
#            proxy_ssl_verify_depth 2;
#            proxy_ssl_server_name on;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
}
-------------------------------------

PEM File:




Thanks.

Alf

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,275124,275124#msg-275124
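
Added example, not part of the original post: a constructed three-level PKI checked with `openssl verify`, showing which trusted-bundle contents produce or clear the OpenSSL verify error 20 seen in the log above. All certificate names, file names and the helper functions `make_pki` and `verify_with` are hypothetical.

```shell
#!/bin/sh
# Constructed PKI: example-root -> example-int -> example-leaf (hypothetical names).
set -e
D=$(mktemp -d)

make_pki() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$D/ca.ext"
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
      -keyout "$D/$n.key" -out "$D/$n.csr" 2>/dev/null
  done
  # Self-signed root, then an intermediate CA, then the server (leaf) certificate.
  openssl x509 -req -in "$D/root.csr" -signkey "$D/root.key" -days 2 \
    -extfile "$D/ca.ext" -out "$D/root.pem" 2>/dev/null
  openssl x509 -req -in "$D/int.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
    -CAcreateserial -days 2 -extfile "$D/ca.ext" -out "$D/int.pem" 2>/dev/null
  openssl x509 -req -in "$D/leaf.csr" -CA "$D/int.pem" -CAkey "$D/int.key" \
    -CAcreateserial -days 2 -out "$D/leaf.pem" 2>/dev/null
}

# verify_with <trusted bundle> [intermediates the server sends in the handshake]
# Prints "OK" or "error <n>" (the first OpenSSL verify error number reported).
verify_with() {
  out=$(openssl verify -CAfile "$1" ${2:+-untrusted "$2"} "$D/leaf.pem" 2>&1) || true
  case $out in
    *": OK"*) echo OK ;;
    *) echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at.*/error \1/p' | head -n 1 ;;
  esac
}

make_pki
cat "$D/root.pem" "$D/int.pem" > "$D/root_int.pem"
echo "trust root only,     server sends leaf only:         $(verify_with "$D/root.pem")"
echo "trust root+int,      server sends leaf only:         $(verify_with "$D/root_int.pem")"
echo "trust root only,     server sends leaf+intermediate: $(verify_with "$D/root.pem" "$D/int.pem")"
echo "trust leaf only,     server sends leaf only:         $(verify_with "$D/leaf.pem")"
```

Against a real upstream, the chain the server actually sends can be listed with `openssl s_client -showcerts` and compared with the contents of the trusted bundle.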


