Feature Request
Resolution: Unresolved
Major
Controls the OpenSSL Peer Verification. It is off by default, because OpenSSL can’t use the system certificate store. It requires a custom certificate bundle and adding it to trusted certificates.
It is recommended to use https://github.com/openresty/lua-nginx-module#lua_ssl_trusted_certificate and point to the certificate bundle generated by export-builtin-trusted-certs.
This explanation would be valid for the upstream APIcast, but not for 3scale product.
Should it be like this?
Controls the OpenSSL Peer Verification. It is off by default. When this option is enabled, the embedded certificate bundle will be used.
Basis:
- APIcast is intended for use as a container.
- In the container, a certificate bundle is linked in the Dockerfile and it is defined in /opt/app-root/src/http.d/ssl.conf
Dockerfile:
ln --verbose --symbolic --force /etc/ssl/certs/ca-bundle.crt "/opt/app-root/src/conf" && \
ssl.conf:
lua_ssl_trusted_certificate "{{ ca_bundle | default: 'ca-bundle.crt' }}";
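
A pre-flight check for the setup described above, as an added example that is not part of the original issue or of the APIcast project: it confirms that the bundle name used in ssl.conf resolves, inside the conf directory the Dockerfile links into, to a readable file holding at least one PEM certificate. `check_ca_bundle` is a hypothetical helper name, and resolving a relative bundle name against the conf directory is an assumption based on the two lines quoted above.

```shell
#!/bin/sh
# Added example (not APIcast code): verify the CA bundle before turning on
# peer verification. Defaults mirror the Dockerfile and ssl.conf lines above.

# check_ca_bundle CONF_DIR [BUNDLE_NAME]
# Prints one status line; returns 0 only when the bundle is usable.
check_ca_bundle() {
    conf_dir=$1
    bundle_name=${2:-ca-bundle.crt}   # same default as the Liquid template

    # Assumption: a relative name is looked up inside the conf directory,
    # which is where the Dockerfile places the symlink.
    case $bundle_name in
        /*) path=$bundle_name ;;
        *)  path=$conf_dir/$bundle_name ;;
    esac

    # A symlink whose target is gone (for example, a base image without
    # /etc/ssl/certs/ca-bundle.crt) is reported separately.
    if [ -L "$path" ] && [ ! -e "$path" ]; then
        echo "FAIL dangling symlink: $path"
        return 1
    fi
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "FAIL missing or unreadable: $path"
        return 1
    fi

    # Count PEM certificate headers; an empty bundle trusts nothing.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$path" || true)
    if [ "$count" -eq 0 ]; then
        echo "FAIL no certificates in: $path"
        return 1
    fi

    echo "OK $count certificate(s) in: $path"
    return 0
}

# Usage inside the container: sh check.sh /opt/app-root/src/conf
if [ $# -gt 0 ]; then
    check_ca_bundle "$@"
fi
```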