You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/29 08:18:42 UTC
[GitHub] [apisix] spacewander edited a comment on issue #5155: request help: configure etcd mTLS warn certificate host mismatch
spacewander edited a comment on issue #5155:
URL: https://github.com/apache/apisix/issues/5155#issuecomment-929948164
We upgrade lua-resty-http in 2.10.0.
Previously, it doesn't send SNI and verify the common name part in the certificate: https://github.com/ledgetech/lua-resty-http/issues/236
This behavior is a bug and is fixed in the latest lua-resty-http.
You need to use `openssl x509 -text -noout -in your_domain_cert` to see what's your common name in the certificate and change the host in the etcd URI to match the common name.
For example, assume:
```
$ openssl x509 -text -noout -in t/certs/etcd.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
8d:cc:7a:ef:e0:25:54:cb
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = blahblah
Validity
Not Before: Oct 28 03:33:02 2020 GMT
Not After : Oct 28 03:33:02 2021 GMT
Subject: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = etcd.cluster.local
```
You need to change:
```
etcd:
host:
- "https://192.168.27.11:2379"
```
to
```
etcd:
host:
- "https://etcd.cluster.local:2379"
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org