How to configure an Upstream MP protected by TLS cert that has been issued by a private CA?

I have an Edge 16.05 installation.

The connection between the router and the MP is protected by TLS, as described here.

The cert is issued by an internal CA - not a public CA.

Is there anything special I need to do to get nginx to trust the upstream cert?

Right now when I try to invoke an API proxy deployed to my secure vhost, I get a 502, and nginx says "no live upstreams".

I can actually manually tickle the upstream with curl, but I see a cert issue when I do so.

I am *guessing* that the 502 is resulting from a TLS negotiation failure between nginx and the upstream. Basically it's directly parallel to the TLS failure between curl and the upstream.

I thought that all of the nginx configuration would be auto-magically generated. But I don't see a statement anywhere in /opt/nginx/conf.d/* like

proxy_ssl_trusted_certificate  /some/file/name/here.crt

...at this time, which I thought was necessary in order to tell nginx to trust an upstream TLS cert that is issued by a non-root CA.

Help? @Maudrit @Paul Mibus

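For reference, the upstream-trust directives the question is asking about, as an added example written for this thread rather than a copy of the configuration Apigee generates; the vhost name, upstream address, MP hostname and file paths are assumptions. Note that proxy_ssl_verify is off by default, so nginx only validates the upstream certificate against a CA bundle when verification is switched on explicitly (these directives need nginx 1.7.0 or later).

```nginx
# Added example: a vhost that proxies to a TLS-protected Message Processor
# whose certificate was issued by a private (internal) CA.
# The same trust path can be checked from the router host with:
#   curl --cacert /etc/nginx/tls/internal-ca-bundle.crt https://mp01.example.internal:8998/
upstream mp_backend {
    server 10.0.0.21:8998;             # assumed MP address and port
}

server {
    listen 443 ssl;
    server_name api.example.internal;  # assumed secure vhost name
    ssl_certificate     /etc/nginx/tls/vhost.crt;  # assumed path
    ssl_certificate_key /etc/nginx/tls/vhost.key;  # assumed path

    location / {
        proxy_pass https://mp_backend;

        # Weak default: with only proxy_pass https://..., nginx negotiates TLS
        # with the MP but never checks the certificate against any CA, because
        # proxy_ssl_verify defaults to off. The directives below change that.

        # PEM bundle holding the private root CA and any intermediates,
        # concatenated one after another. Assumed path.
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca-bundle.crt;

        # Fail the upstream connection if the MP certificate does not chain
        # to a CA in that bundle.
        proxy_ssl_verify on;

        # Default depth is 1; raise it if the MP certificate is signed by an
        # intermediate CA rather than directly by the private root.
        proxy_ssl_verify_depth 2;

        # proxy_ssl_name defaults to $proxy_host, which here would be the
        # upstream group name "mp_backend" and would never match the MP
        # certificate. Send SNI and verify against the real MP hostname.
        proxy_ssl_server_name on;
        proxy_ssl_name mp01.example.internal;  # assumed; must match a SAN in the MP cert

        proxy_ssl_protocols TLSv1.2;
    }
}
```

If verification is enabled and the chain or name does not match, nginx logs the TLS handshake failure in the error log at the configured level; checking there distinguishes a certificate problem from an upstream that is simply not answering.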

Try:

apigee-service edge-router stop
rm -f /opt/nginx/conf.d/*
apigee-service edge-router start

Depending on your version you could be running into an issue where the Nginx config doesn't properly regenerate when SSL is enabled.