Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/24 00:36:55 UTC
[GitHub] [apisix] foreveryang321 commented on issue #5125: etcd cannot be connected when etcd TLS and stream_proxy are configured together
foreveryang321 commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926260631
> @foreveryang321 There should be some other logs which are related to the SSL handshaking; you may try to check them out. Also, be sure you're using the APISIX OpenResty, since the mTLS support relies on it.
> nginx/openresty version
Built according to [https://github.com/api7/apisix-build-tools/blob/master/build-apisix-openresty.sh](https://github.com/api7/apisix-build-tools/blob/master/build-apisix-openresty.sh)
```txt
nginx version: openresty/1.19.3.2
built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1)
built with OpenSSL 1.1.1l 24 Aug 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_OPENRESTY_VER=0.0.0' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.19 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.9 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../mod_dubbo --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../ngx_multi_upstream_module --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../apisix-nginx-module --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
```
> Logs
```txt
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.1:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.2:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.3:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): has no healthy etcd endpoint available. Retrying, context: ngx.timer
2021/09/23 16:38:37 [error] 49#49: *964289 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 2s, context: ngx.timer
2021/09/23 16:38:37 [error] 43#43: *960186 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:38 [error] 45#45: *962215 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:39 [error] 46#46: *970612 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
```
If the stream_proxy part of the configuration is commented out, the connection to etcd works normally.
```yaml
apisix:
  id: "yl-mac"
  node_listen: 9080
  enable_ipv6: false
  allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 0.0.0.0/0
  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
    - name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
  # stream_proxy:
  #   only: false
  #   tcp:
  #     - addr: 9200
  #       tls: true
etcd:
  host:
    # - "http://etcd:2379"
    - "https://192.168.11.1:2379"
    - "https://192.168.11.2:2379"
    - "https://192.168.11.3:2379"
  prefix: "/apisix"
  timeout: 30
  tls:
    cert: /usr/local/apisix/ssl/etcd.pem
    key: /usr/local/apisix/ssl/etcd-key.pem
    verify: true
```
> docker-compose.yml
```yaml
version: "3.8"
services:
  apisix:
    image: apache/apisix:2.9-alpine
    container_name: apisix
    hostname: apisix
    ports:
      - "9080:9080"
      - "9443:9443"
      - "9200:9200"
    volumes:
      - ./conf/config.yaml/:/usr/local/apisix/conf/config.yaml
      - ./ssl:/usr/local/apisix/ssl
      - ./logs:/usr/local/apisix/logs
    environment:
      - "TZ=Asia/Shanghai"
    restart: always
```