I am using the proxy_pass directive to an upstream HTTPS server. The proxy server is meant for LAN clients. The upstream HTTPS server uses Let's Encrypt. How do I configure SSL verification?

proxy_pass https://upstream.backend;          # missing trailing semicolon added
proxy_ssl_verify on;                          # the directive is proxy_ssl_verify, not proxy_verify_ssl
proxy_ssl_trusted_certificate <which_file_is_supposed_to_be_here>;
proxy_ssl_verify_depth <what_number_here>;
Michael Hampton
Mr Hyde
  • Welcome to [sf]. I've removed your second unrelated question, as our Q&A format only permits one question per "question". Please feel free to research it separately and [post a new question](/questions/ask) if you haven't already found an answer for it. – Michael Hampton Dec 17 '17 at 19:41

1 Answer


The documentation for proxy_ssl_trusted_certificate states:

Specifies a file with trusted CA certificates in the PEM format used to verify the certificate of the proxied HTTPS server.

Since you're validating public TLS certificates, you can point it at your system's CA certificate bundle. By default on Red Hat derived systems this is /etc/pki/tls/certs/ca-bundle.crt or /etc/pki/tls/certs/ca-bundle.trust.crt. Your location may vary if you for some reason don't use a Red Hat derived system as your web server.

If you want, you can also download Let's Encrypt's CA certificate separately, place that on your filesystem somewhere, and point at it.

Michael Hampton
  • For some reason I couldn't decipher, pointing to the downloaded certificate wouldn't work for me. Pointing to the system CA cert file works... Thanks – Mr Hyde Dec 17 '17 at 20:20
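The following is an added example of the configuration the answer describes; it is not from the original question or answer. It assumes an upstream host named upstream.backend.example, a LAN listener on 192.0.2.10, and the Red Hat CA bundle path given in the answer. The security-relevant points are the corrected directive name (proxy_ssl_verify), a trust file that contains the self-signed root and not only the Let's Encrypt intermediate (nginx does not enable OpenSSL partial-chain verification, so a chain that stops at an intermediate in the trust file is rejected), a verify depth that covers the leaf -> intermediate -> root chain, and SNI towards the upstream so it presents the certificate for the name being verified:

```nginx
# Added example, not part of the original post.
# Assumed names: upstream.backend.example (upstream host), 192.0.2.10 (LAN
# listener address), proxy.lan (proxy host name). Path is the RHEL CA bundle.

server {
    listen 192.0.2.10:80;          # LAN-facing listener (assumed address)
    server_name proxy.lan;         # assumed name

    location / {
        # proxy_ssl_name defaults to the host part of proxy_pass, so the
        # upstream certificate's subject/SAN is checked against
        # upstream.backend.example (assumed name).
        proxy_pass https://upstream.backend.example;

        # Directive name is proxy_ssl_verify (the question had proxy_verify_ssl).
        proxy_ssl_verify on;

        # Trust anchors: the system bundle, which on current systems includes
        # ISRG Root X1. A separately downloaded file must contain that
        # self-signed root, not only the intermediate, because nginx's default
        # verification requires the chain to end at a root in this file.
        proxy_ssl_trusted_certificate /etc/pki/tls/certs/ca-bundle.crt;

        # Let's Encrypt chains have one intermediate (leaf -> intermediate -> root).
        # Depth 2 covers that with margin; the nginx default is 1.
        proxy_ssl_verify_depth 2;

        # Send SNI so an upstream serving several names presents the
        # certificate for upstream.backend.example rather than a default one
        # that would fail name verification.
        proxy_ssl_server_name on;

        # Only modern protocols towards the upstream.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Reuse upstream TLS sessions instead of a full handshake per request.
        proxy_ssl_session_reuse on;
    }
}
```

Before reloading, `nginx -t` checks the syntax, and the trust file can be checked independently of nginx with `openssl s_client -connect upstream.backend.example:443 -servername upstream.backend.example -CAfile /etc/pki/tls/certs/ca-bundle.crt -verify_return_error`; if that command reports a verification error, nginx will fail with the same file, and if it succeeds with the system bundle but fails with a downloaded file, the downloaded file is missing the self-signed root.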