nic-6443 commented on issue #11720: URL: https://github.com/apache/apisix/issues/11720#issuecomment-4676893711
This works out of the box on APISIX 3.12.0 and later, and on 3.11.0 it was a configuration-placement problem rather than a bug. The `apisix.ssl.ssl_trusted_certificate` setting has to go into `config.yaml` (the static config), not `apisix.yaml` — in your compose setup the block was added to the standalone rules file, where it has no effect; also note YAML won't accept the same key twice, only the last one wins. Since 3.12.0 the default value is `system` (commit 2881b7f3b, #11993), so the cosocket trusts the OS CA bundle and a GoDaddy-signed Vault cert verifies with no extra config at all. One real limitation worth knowing: the vault secret manager doesn't support a per-manager `ssl_verify: false` (the field is silently ignored, see `apisix/secret/vault.lua` — only GCP has it), so for self-signed Vault certs you still need to add the CA to `config.yaml`'s `ssl_trusted_certificate`. I'd suggest closing this as resolved — the per-manager `ssl_verify` gap would make a fair separate feature request.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
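
The placement described in the comment above, shown as an added example that is not part of the original message or the APISIX project's own files. The `deployment` block assumes a standalone (YAML-provider) setup like the one discussed, and the CA file path is a constructed placeholder.

```yaml
# conf/config.yaml -- static config, read at startup.
# This is NOT conf/apisix.yaml (the standalone rules file), where the
# same block has no effect.
deployment:
  role: data_plane
  role_data_plane:
    config_provider: yaml   # assumption: standalone mode, rules in apisix.yaml

# Keep exactly one top-level `apisix:` key in this file. If the key is
# repeated further down, only the last occurrence wins and the ssl block
# below is dropped.
apisix:
  ssl:
    # 3.11.0, or any version with a self-signed / private-CA Vault cert:
    # point at a PEM bundle containing the issuing CA.
    # Constructed path; mount the file into the container at this location.
    ssl_trusted_certificate: /usr/local/apisix/conf/certs/vault-ca.pem

    # 3.12.0 and later default to the OS CA bundle, which is the same as
    # writing the line below, so a publicly signed Vault cert needs no entry:
    # ssl_trusted_certificate: system
```

Because the vault secret manager ignores a per-manager `ssl_verify`, this static setting is the only place where trust for the Vault endpoint is decided.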
