Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/29 08:18:42 UTC

[GitHub] [apisix] spacewander edited a comment on issue #5155: request help: configure etcd mTLS warn certificate host mismatch

spacewander edited a comment on issue #5155:
URL: https://github.com/apache/apisix/issues/5155#issuecomment-929948164


   We upgraded lua-resty-http in 2.10.0.
   
   Previously, it didn't send SNI or verify the common name part in the certificate: https://github.com/ledgetech/lua-resty-http/issues/236
   This behavior is a bug and is fixed in the latest lua-resty-http.
   
   You need to use `openssl x509 -text -noout -in your_domain_cert` to see what your common name in the certificate is and change the host in the etcd URI to match the common name.
   
   For example, assume:
   
   ```
   $ openssl x509 -text -noout -in t/certs/etcd.pem
   Certificate:
       Data:
           Version: 3 (0x2)
           Serial Number:
               8d:cc:7a:ef:e0:25:54:cb
           Signature Algorithm: sha256WithRSAEncryption
           Issuer: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = blahblah
           Validity
               Not Before: Oct 28 03:33:02 2020 GMT
               Not After : Oct 28 03:33:02 2021 GMT
           Subject: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = etcd.cluster.local
   ```
   
   You need to change:
   ```
   etcd:
     host:
       - "https://192.168.27.11:2379"
   ```
   to
   ```
   etcd:
     host:
       - "https://etcd.cluster.local:2379"
   ```


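
The check described in the comment above, as an added example that is not part of the original comment or of APISIX: it tests each etcd endpoint URI against a certificate before the config is changed. The function names are hypothetical, the demo certificate is constructed, and the match uses OpenSSL's own `-checkhost`/`-checkip` logic, which is assumed to approximate what the client enforces.

```shell
# Added example (not APISIX code): do the etcd URIs match the certificate?

# Host part of a URI such as https://etcd.cluster.local:2379
uri_host() {
    h=${1#*://}                            # drop the scheme
    h=${h%%/*}                             # drop any path
    case $h in
        \[*) h=${h#\[}; h=${h%%\]*} ;;     # bracketed IPv6 literal
        *)   h=${h%%:*} ;;                 # drop :port
    esac
    printf '%s\n' "$h"
}

# Succeeds when OpenSSL accepts host $2 for the certificate file $1.
cert_matches_host() {
    case $2 in
        *:*)       flag=-checkip ;;        # IPv6 literal
        *[!0-9.]*) flag=-checkhost ;;      # contains a non-digit: DNS name
        *)         flag=-checkip ;;        # dotted-quad IPv4
    esac
    openssl x509 -noout -in "$1" "$flag" "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Usage: check_etcd_hosts CERT URI...; returns 1 if any URI host mismatches.
check_etcd_hosts() {
    cert=$1; shift; rc=0
    for uri in "$@"; do
        host=$(uri_host "$uri")
        if cert_matches_host "$cert" "$host"; then
            echo "OK        $uri"
        else
            echo "MISMATCH  $uri (host '$host' is not a name in $cert)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: throwaway self-signed cert with CN=etcd.cluster.local.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=etcd.cluster.local" \
        -keyout "$1/demo-key.pem" -out "$1/demo-etcd.pem" 2>/dev/null
}

if command -v openssl >/dev/null 2>&1 && tmp=$(mktemp -d) && make_demo_cert "$tmp"; then
    check_etcd_hosts "$tmp/demo-etcd.pem" \
        "https://192.168.27.11:2379" "https://etcd.cluster.local:2379" || true
    rm -rf "$tmp"
fi
```

An IP address in the URI only matches when the certificate carries it as an IP subjectAltName; the common name is not consulted for `-checkip`.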