We’re using ReverseProxyPlug in a Phoenix server, and we have been configuring it like so:
```elixir
opts =
  ReverseProxyPlug.init(
    upstream: url,
    allowed_origins: allowed_origins,
    proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
    # We need to force the host
    # used for ssl verification here so that the connection isn't rejected.
    # Note that we have to convert the authority to a charlist, since this uses Erlang's `ssl` module
    # internally, which expects a charlist.
    client_options: [
      ssl: [
        {:server_name_indication, to_charlist(authority)},
        {:versions, [:"tlsv1.2", :"tlsv1.3"]}
      ]
    ]
  )
```
Thus, we’ve been getting the log message

```
~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."
```
So, I’ve updated to

```elixir
opts =
  ReverseProxyPlug.init(
    upstream: url,
    allowed_origins: allowed_origins,
    proxy_url: "#{cors_scheme}://#{cors_host}:#{cors_port}",
    # We need to force the host
    # used for ssl verification here so that the connection isn't rejected.
    # Note that we have to convert the authority to a charlist, since this uses Erlang's `ssl` module
    # internally, which expects a charlist.
    client_options: [
      ssl: [
        {:server_name_indication, to_charlist(authority)},
        {:versions, [:"tlsv1.2", :"tlsv1.3"]},
        {:verify, :verify_peer},
        {:partial_chain, :auto},
        {:cacerts, :public_key.cacerts_get()}
      ]
    ]
  )
```
I’ve ensured that root certificates are installed on the system, and are used by openssl:

```
$ openssl s_client -connect www.archive.org:443
…
Verify return code: 0 (ok)
```
But now the proxy request fails, sending a status 502, and we’re still getting the log message

```
~c"Server authenticity is not verified since certificate path validation is not enabled"
Reason: ~c"The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."
```
What should I look at to debug this?
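A standalone check, added here as an example and not part of the question's code: it opens one TLS connection from `iex` with the same verification options, outside ReverseProxyPlug, so that a failure with these options alone points at the trust store or option set, while success points at how `client_options` reaches the HTTP client. The host name and the extra `customize_hostname_check` option are assumptions beyond the original config.

```elixir
# Added example (not the poster's code). Run in `iex -S mix` or plain `iex`.
# `host` is an assumption; substitute the upstream authority being proxied.
defmodule TlsCheck do
  @moduledoc "Open one verified TLS connection with the same ssl options, outside the proxy."

  def verify(host, port \\ 443, timeout_ms \\ 5_000) when is_binary(host) do
    :ok = :ssl.start()

    ssl_opts = [
      {:verify, :verify_peer},
      # OTP 25+: loads the OS trust store; raises if no store is found,
      # which is itself a useful signal that the BEAM sees no CA roots.
      {:cacerts, :public_key.cacerts_get()},
      {:server_name_indication, to_charlist(host)},
      {:versions, [:"tlsv1.2", :"tlsv1.3"]},
      # Not in the original config: matches the leaf certificate's SAN
      # against `host`, wildcards included, as an HTTPS client should.
      {:customize_hostname_check,
       [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]}
    ]

    case :ssl.connect(to_charlist(host), port, ssl_opts, timeout_ms) do
      {:ok, sock} ->
        # Path validation succeeded; report what was negotiated.
        {:ok, info} = :ssl.connection_information(sock, [:protocol, :cipher_suite])
        :ssl.close(sock)
        {:ok, info}

      {:error, reason} ->
        # {:tls_alert, {:unknown_ca, _}}: the chain could not be built from the
        # loaded roots. :timeout / :econnrefused: a network problem, not TLS.
        {:error, reason}
    end
  end
end

# TlsCheck.verify("www.archive.org")
```

If this returns `{:ok, ...}` while the proxied request still logs the "path validation is not enabled" warning, the `ssl` keyword is not being applied by the client ReverseProxyPlug is calling, so the next place to look is how that client expects its TLS options to be named.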