apache · Revolyssup · Feb 25, 2025 · Feb 25, 2025 · Feb 25, 2025 · Feb 25, 2025
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
@@ -529,7 +529,7 @@ Please modify "admin_key" in conf/config.yaml .
         end
 
         local combined_cert_filepath = yaml_conf.apisix.ssl.ssl_trusted_combined_path
-                                       or "/usr/local/apisix/conf/ssl_trusted_combined.pem"
+                                       or profile.apisix_home .. "/conf/ssl_trusted_combined.pem"
         util.gen_trusted_certs_combined_file(combined_cert_filepath, cert_paths)
 
         yaml_conf.apisix.ssl.ssl_trusted_certificate = combined_cert_filepath

diff --git a/apisix/cli/schema.lua b/apisix/cli/schema.lua
@@ -208,6 +208,7 @@ local config_schema = {
                     properties = {
                         ssl_trusted_certificate = {
                             type = "string",
+                            default = "system",
                         },
                         ssl_trusted_combined_path = {
                             type = "string",

diff --git a/conf/config.yaml.example b/conf/config.yaml.example
@@ -101,7 +101,7 @@ apisix:
       #   enable_http3: true
     ssl_trusted_combined_path: /usr/local/apisix/conf/ssl_trusted_combined.pem # All the trusted certificates will be combined into a single file
     #ssl_trusted_certificate: system              # Specifies comma separated list of trusted CA. Value can be either "system"(for using system available ca certs) or
-                                                # a file path with trusted CA certificates in the PEM format
+                                                # a file path with trusted CA certificates in the PEM format. The default value is "system".
     ssl_protocols: TLSv1.2 TLSv1.3                # TLS versions supported.
     ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
     ssl_session_tickets: false  # If true, session tickets are used for SSL/TLS connections.

diff --git a/t/cli/test_deployment_data_plane.sh b/t/cli/test_deployment_data_plane.sh
@@ -75,9 +75,9 @@ deployment:
 
 out=$(make run 2>&1 || true)
 make stop
-if ! echo "$out" | grep 'failed to load the configuration: https://127.0.0.1:12379: certificate verify failed'; then
-    echo "failed: should verify certificate by default"
+if  echo "$out" | grep 'failed to load the configuration: https://127.0.0.1:12379: certificate verify failed'; then
+    echo "failed: should verify certificate by default and not get certificate verify failed"
     exit 1
 fi
 
-echo "passed: should verify certificate by default"
+echo "passed: should verify certificate by default using system cert"