Forum: NGINX Using proxy_ssl_verify getting error: upstream SSL certificate verify error: (20:unable to get local issuer certificate)

justink101 (Guest)
on 2014-08-13 03:13
(Received via mailing list)
I am trying to use proxy_ssl_verify on, but I am getting back 502 Bad Gateway. When I look at the logs I see:

2014/08/12 18:08:03 [error] 21007#0: *3 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: XX.XXX.XXX.214, server: api.mydomain.io, request: "GET /v1 HTTP/1.1", upstream: "https://XXX.XXX.XXX.150:443/api/", host: "api.mydomain.io".

I am using a proxy_ssl_trusted_certificate which is pointing to the valid CA trust file. Here are the significant portions of the config.

location ~ ^/v1/?(?<url>.+)? {
    resolver 208.67.222.222 208.67.220.220 valid=300s;
    resolver_timeout 10s;
    proxy_intercept_errors on;
    proxy_hide_header Vary;
    proxy_set_header Host "$remote_user.mydomain.io";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass https://$remote_user.mydomain.io/api/$url;
    proxy_connect_timeout 10s;
    proxy_read_timeout 60s;
    proxy_ssl_session_reuse on;
    proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;

    proxy_ssl_verify on;
    proxy_ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNU$
}

The SSL certificate for the upstream is indeed valid as verified with SSL Labs.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252518,252518#msg-252518
justink101 (Guest)
on 2014-08-13 03:14
(Received via mailing list)
Sorry, the proxy_ssl_ciphers directive got cut off, in full it is:

    proxy_ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252518,252519#msg-252519
justink101 (Guest)
on 2014-08-17 06:22
(Received via mailing list)
Setting:

proxy_ssl_verify_depth 2;

Fixed the issue. Can somebody explain why this is needed and why the default setting is 1? I am using a standard wildcard SSL certificate from GoDaddy.

Thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,252518,252620#msg-252620
Maxim Dounin (Guest)
on 2014-08-17 19:32
(Received via mailing list)
Hello!

On Sun, Aug 17, 2014 at 12:21:41AM -0400, justink101 wrote:

> Setting:
>
> proxy_ssl_verify_depth 2;
>
> Fixed the issue. Can somebody explain why this is needed and why the default
> setting is 1? I am using a standard wildcard SSL certificate from GoDaddy.

The default is in line with ssl_verify_depth
(http://nginx.org/r/ssl_verify_depth) and assumes you directly
control the root of the certificates being verified.

--
Maxim Dounin
http://nginx.org/
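A way to check the upstream's chain depth outside nginx, added here as an example and not taken from the thread or from nginx itself: it assumes openssl(1) is installed and reuses the CA bundle path from the config above; the s_client output it parses is a constructed sample, and the live probe is only run when you call it.

```shell
#!/bin/sh
# Added example, not code from the thread or from nginx: find the
# proxy_ssl_verify_depth an upstream needs from the chain depth that
# OpenSSL reports for it. Assumes openssl(1) is installed and that the
# CA bundle path is the one used in the config above.

CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt

# Print the highest "depth=N" value found in openssl s_client output.
# depth=0 is the upstream's own certificate, depth=1 the CA that signed
# it, and so on up to the root in the bundle. proxy_ssl_verify_depth
# must cover every level OpenSSL counts, and older OpenSSL releases
# counted the root too, so setting it to this value works on any release.
max_chain_depth() {
    printf '%s\n' "$1" \
        | sed -n 's/^depth=\([0-9][0-9]*\).*/\1/p' \
        | sort -n | tail -n 1
}

# Reproduce nginx's check outside nginx: verify the live upstream's chain
# with the same CA bundle and a given depth limit. $1 = host, $2 = depth.
# Exit status is 0 only when OpenSSL reports "Verify return code: 0 (ok)".
probe_upstream() {
    out=$(printf 'QUIT\n' | openssl s_client -connect "$1:443" \
            -servername "$1" -CAfile "$CA_BUNDLE" -verify "$2" 2>&1)
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Constructed sample of the lines s_client prints for a wildcard leaf
# issued by an intermediate CA that chains to a root in the bundle,
# i.e. the same three-level chain the thread ends up needing depth 2 for.
SAMPLE_OUTPUT='depth=2 C = US, O = Example CA Inc, CN = Example Root CA
verify return:1
depth=1 C = US, O = Example CA Inc, CN = Example Intermediate CA
verify return:1
depth=0 OU = Domain Control Validated, CN = *.mydomain.io
verify return:1
Verify return code: 0 (ok)'

# Usage: "sh check_depth.sh --sample" prints the depth for the sample
# chain; "sh check_depth.sh --probe api.example.test 1" tries a live
# upstream at the depth nginx would use (hostnames are placeholders).
case "${1:-}" in
    --sample) max_chain_depth "$SAMPLE_OUTPUT" ;;
    --probe)  probe_upstream "$2" "$3" && echo "chain verifies at depth $3" ;;
esac
```

Run the probe once with depth 1 and once with depth 2 against the real upstream to see the same pass/fail split the thread describes, then put the passing value in proxy_ssl_verify_depth.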