tatsuhiro-t / spdylay

The experimental SPDY protocol version 2, 3 and 3.1 implementation in C
http://tatsuhiro-t.github.io/spdylay/
MIT License
603 stars 102 forks

SSL Broken b/w Shrpx Client and Server? #90

Closed n0wa11 closed 10 years ago

n0wa11 commented 10 years ago

I suspect that the SSL handshake has some problem. What do you think?

Setting 1

Chrome (http proxy) <--> (1) shrpx: client-proxy=yes <--> Internet 
     <--> (2) shrpx: spdy-proxy=yes <--> squid

I got the following error, which disappears once I add insecure=yes to (1) shrpx. Playing around with backend-tls-sni-field doesn't help.

[ERROR] Certificate verification failed: self signed certificate in certificate chain
       (shrpx_ssl.cc:488)

(2) shrpx uses SNI, but there is no self signed certificate.

Setting 2

Chrome (secure proxy) <-->  Internet 
     <--> (2) shrpx: spdy-proxy=yes <--> squid

No problems.

Actually, the site gets an A score on https://www.ssllabs.com/ssltest/.

tatsuhiro-t commented 10 years ago

shrpx (1) may not have trusted CA certificate files to validate shrpx (2). See --cacert option.

n0wa11 commented 10 years ago

Indeed, I didn't set the --cacert option.

Mac OS X doesn't seem to store the CA certificates as files in a folder. Am I out of luck here?

n0wa11 commented 10 years ago

I guess I could bundle a copy of all the certificates with the software package, just like Firefox.
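The check behind tatsuhiro-t's --cacert advice and the trust-store question above, as an added example that is not code from spdylay or from anyone in this thread: it rebuilds the failure with throwaway certificates. A client whose trust store lacks the issuing root gets exactly the "self signed certificate in certificate chain" verdict seen in the report (the server sends its self-signed root as part of the chain, so OpenSSL can build the chain but cannot anchor it), and the same chain validates once the root is supplied, which is what --cacert points shrpx at. All CA names, the host name spdy-proxy.example.test and the file names are made up; the only tool assumed is the openssl command line.

```shell
#!/bin/sh
# Added example, not from spdylay or the thread. Reproduces the
# "self signed certificate in certificate chain" failure and the fix
# (a trust file containing the issuing root) with constructed certs.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_root NAME: self-signed root CA (constructed test data, 2-day lifetime).
new_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

new_root Issuing-Root     # the CA that issued shrpx (2)'s certificate
new_root Unrelated-Root   # a trust store that does not contain that CA

# Leaf certificate for the SPDY proxy host, issued by Issuing-Root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=spdy-proxy.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 2 -in "$WORK/server.csr" \
  -CA "$WORK/Issuing-Root.pem" -CAkey "$WORK/Issuing-Root.key" -CAcreateserial \
  -out "$WORK/server.pem" 2>/dev/null

# The chain as the server presents it: leaf first, then the self-signed root.
cat "$WORK/server.pem" "$WORK/Issuing-Root.pem" > "$WORK/chain.pem"

# Empty directory handed to -CApath so the system CA directory is not consulted
# and only the file we name is trusted, as with a freshly configured shrpx.
mkdir "$WORK/no-capath"

# verify_with ROOT: validate the presented chain trusting only ROOT.pem.
# Echoes OpenSSL's verdict ("...: OK" or "error N at D depth lookup: ...");
# the exit status is that of openssl verify.
verify_with() {
  openssl verify -CAfile "$WORK/$1.pem" -CApath "$WORK/no-capath" \
    -untrusted "$WORK/chain.pem" "$WORK/server.pem" 2>&1
}

# Like shrpx (1) without --cacert: the root in the chain is not trusted,
# so OpenSSL reports error 19, self signed certificate in certificate chain.
verify_with Unrelated-Root || true

# Like shrpx (1) with --cacert pointing at the issuing root: OK.
verify_with Issuing-Root
```

The same distinction explains why insecure=yes makes the error disappear: it skips the verification rather than fixing the trust store, so shrpx (1) would accept any certificate from whatever answers on the Internet side. On macOS, where the comment above notes there is no directory of CA files, the system roots can be exported into a single PEM file for --cacert with `security find-certificate -a -p /System/Library/Keychains/SystemRootCertificates.keychain > roots.pem`; bundling a curated CA file with the package, as suggested, works as well as long as it is kept current.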