Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/05/27 09:04:18 UTC

[GitHub] [apisix] Uangski opened a new issue #4322: request help: question about etcd TLS mode

Uangski opened a new issue #4322:
URL: https://github.com/apache/apisix/issues/4322


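   Hello, I have an etcd cluster configured for TLS connections, with three files: ca-file, key-file and cert-file. How should I configure the apisix .conf?
   The template configures it like this:
   etcd:
     host:
       - "https://admin.apisix.dev:22379"
     prefix: "/apisix"
     tls:
       cert: t/certs/mtls_client.crt
       key: t/certs/mtls_client.key

   The template only has cert and key. There is no ca option, and in the end I cannot connect to the etcd cluster. How should I configure it in my situation?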
   
   
   
   
   
   
   ### Issue description
   
   ### Environment
   
   Request help without environment information will be ignored or closed.
   
   * apisix version (cmd: `apisix version`):
   * OS (cmd: `uname -a`):
   * OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   * etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   * apisix-dashboard version, if have:
   * luarocks version, if the issue is about installation (cmd: `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] Uangski commented on issue #4322: request help: question about etcd TLS mode

Posted by GitBox <gi...@apache.org>.
Uangski commented on issue #4322:
URL: https://github.com/apache/apisix/issues/4322#issuecomment-849515007


   I set the relevant parameters as follows:
   ssl_trusted_certificate: "/opt/etcd/ssl/ca.pem"
     tls:
       key: "/opt/etcd/ssl/client-key.pem"
       cert: "/opt/etcd/ssl/client.pem"
       verify: true
   The log shows these errors:
   2021/05/27 10:09:13 [error] 44#44: *16 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   2021/05/27 10:09:13 [error] 44#44: *24 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   2021/05/27 10:09:13 [error] 45#45: *34 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   2021/05/27 10:09:13 [error] 45#45: *49 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   What could be going wrong? Running etcdctl --endpoints="https://192.168.58.128:2379" --cacert="/opt/etcd/ssl/ca.pem" --key="/opt/etcd/ssl/client-key.pem"  --cert="/opt/etcd/ssl/client.pem" get /apisix/plugins does return content.
   


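Added example (not part of the thread and not APISIX code): a Python sketch that decodes the OpenSSL error code in the log lines quoted in the comment above. It shows that `14094412` encodes a TLS alert received from the peer, so alert 42 was sent by the other side of the handshake rather than raised locally; the function names and the alert table are this example's own.

```python
import re

# OpenSSL 1.x packs an error as lib (8 bits) | func (12 bits) | reason (12 bits),
# which is the layout of the codes in the logs above. In the SSL library,
# reasons >= 1000 mean "TLS alert received from the peer", and
# reason - 1000 is the alert number (SSL_AD_REASON_OFFSET).
ERR_LIB_SSL = 0x14
SSL_AD_REASON_OFFSET = 1000

# Certificate-related alert descriptions from the TLS RFCs.
ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 48: "unknown_ca", 116: "certificate_required",
}

LINE_RE = re.compile(
    r"\[error\] (?P<pid>\d+)#\d+: \*\d+ SSL_do_handshake\(\) failed "
    r"\(SSL: error:(?P<code>[0-9A-Fa-f]{8}):.*?\), context: (?P<ctx>[\w.]+)"
)

def decode_openssl_error(code_hex):
    """Split an 8-hex-digit OpenSSL 1.x error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def classify(line):
    """Describe an nginx handshake-failure log line, or return None if no match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    lib, _func, reason = decode_openssl_error(m["code"])
    from_peer = lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if from_peer else None
    return {
        "worker_pid": int(m["pid"]),
        "context": m["ctx"],
        "alert_from_peer": from_peer,
        "alert": alert,
        "alert_name": ALERTS.get(alert, "other") if from_peer else None,
    }

# One of the log lines quoted in the comment above.
SAMPLE = ("2021/05/27 10:09:13 [error] 44#44: *16 SSL_do_handshake() failed "
          "(SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad "
          "certificate:SSL alert number 42), context: ngx.timer")

if __name__ == "__main__":
    print(classify(SAMPLE))
```

An alert that comes from the peer concerns the certificate this client presented (or failed to present), which is a different failure from the client being unable to verify the server against its CA file.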



[GitHub] [apisix] spacewander commented on issue #4322: request help: etcd TLS

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #4322:
URL: https://github.com/apache/apisix/issues/4322#issuecomment-851323949


   Closed as lack of response.





[GitHub] [apisix] tokers commented on issue #4322: request help: question about etcd TLS mode

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #4322:
URL: https://github.com/apache/apisix/issues/4322#issuecomment-849493740


   @Uangski You should set `ssl_trusted_certificates` item, see https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L116 for the details.





[GitHub] [apisix] spacewander closed issue #4322: request help: etcd TLS

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #4322:
URL: https://github.com/apache/apisix/issues/4322


   





[GitHub] [apisix] waringid commented on issue #4322: request help: etcd TLS

Posted by GitBox <gi...@apache.org>.
waringid commented on issue #4322:
URL: https://github.com/apache/apisix/issues/4322#issuecomment-962813808


   > I set the relevant parameters as follows:
   > ssl_trusted_certificate: "/opt/etcd/ssl/ca.pem"
   >   tls:
   >     key: "/opt/etcd/ssl/client-key.pem"
   >     cert: "/opt/etcd/ssl/client.pem"
   >     verify: true
   > The log shows these errors:
   > 2021/05/27 10:09:13 [error] 44#44: *16 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   > 2021/05/27 10:09:13 [error] 44#44: *24 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   > 2021/05/27 10:09:13 [error] 45#45: *34 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   > 2021/05/27 10:09:13 [error] 45#45: *49 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42), context: ngx.timer
   > What could be going wrong? Running etcdctl --endpoints="https://192.168.58.128:2379" --cacert="/opt/etcd/ssl/ca.pem" --key="/opt/etcd/ssl/client-key.pem" --cert="/opt/etcd/ssl/client.pem" get /apisix/plugins does return content.

   Has this problem been solved? I am running into the same situation.





[GitHub] [apisix] tokers commented on issue #4322: request help: question about etcd TLS mode

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #4322:
URL: https://github.com/apache/apisix/issues/4322#issuecomment-849546522


   @Uangski See https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L210, you should use the OpenResty for APISIX.

