I am trying to use proxy_ssl_verify on, but I am getting back 502 Bad Gateway. When I look at the logs I see:
2014/08/12 18:08:03 [error] 21007#0: *3 upstream SSL certificate verify error: (20:unable to get local issuer certificate) while SSL handshaking to upstream, client: XX.XXX.XXX.214, server: api.mydomain.io, request: "GET /v1 HTTP/1.1", upstream: "https://XXX.XXX.XXX.150:443/api/", host: "api.mydomain.io".
I am using a proxy_ssl_trusted_certificate which is pointing to the valid CA trust file. Here are the significant portions of the config.
location ~ ^/v1/?(?<url>.+)? {
resolver 208.67.222.222 208.67.220.220 valid=300s;
resolver_timeout 10s;
proxy_intercept_errors on;
proxy_hide_header Vary;
proxy_set_header Host "$remote_user.mydomain.io";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://$remote_user.mydomain.io/api/$url;
proxy_connect_timeout 10s;
proxy_read_timeout 60s;
proxy_ssl_session_reuse on;
proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;
proxy_ssl_verify on;
proxy_ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNU$
}
The SSL certificate for the upstream is indeed valid as verified with SSL Labs.