Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/06/07 06:40:00 UTC

[GitHub] [apisix] gzhsnail opened a new issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

gzhsnail opened a new issue #4384:
URL: https://github.com/apache/apisix/issues/4384


   ### Issue description
   apisix reports a certificate authentication failure when connecting to etcd
   ### Environment
   
   Bug report without environment information will be ignored or closed.
   
   * apisix version (cmd: `apisix version`): 2.6.0
   * OS (cmd: `uname -a`):centos 7
   * OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`): 1.19.3.1
   * etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API): 3.4
   * apisix-dashboard version, if have: dashboard not installed
   * luarocks version, if the issue is about installation (cmd: `luarocks --version`): 2.3.0
   
   ### Minimal test code / Steps to reproduce the issue
   
   Bug report without steps to reproduce will be ignored or closed.
   
   1. apisix error message
   ![image](https://user-images.githubusercontent.com/54012788/120970137-9c3d7b80-c79d-11eb-8bd1-018444689bbf.png)
   
   2. etcd configuration
   ![image](https://user-images.githubusercontent.com/54012788/120970054-7e701680-c79d-11eb-8965-4f3ecbd7911b.png)
   
   3. apisix configuration
   ![image](https://user-images.githubusercontent.com/54012788/120970390-f4747d80-c79d-11eb-8e33-0157d59b5820.png)
   
   ![image](https://user-images.githubusercontent.com/54012788/120970345-e45c9e00-c79d-11eb-9eae-2e99ac5bbbb4.png)
   
   4. Certificates
   ![image](https://user-images.githubusercontent.com/54012788/120970475-11a94c00-c79e-11eb-8afc-669136aead68.png)
   
   
   ### What's the actual result? (including assertion message & call stack if applicable)
   
   ### What's the expected result?
   I hope to be able to connect to etcd normally.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] gzhsnail commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
gzhsnail commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-856382035


   @tokers I don't understand what you mean. My apisix uses openresty, and it was rebuilt according to https://apisix.apache.org/zh/docs/apisix/how-to-build/.





[GitHub] [apisix] tzssangglass commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-856095394


   I'll add an example of mTLS authentication with apisix and etcd later.





[GitHub] [apisix] tokers commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-856358021


   @gzhsnail From the environment information that you pasted, you don't use OpenResty for APISIX, so you cannot use mTLS.





[GitHub] [apisix] gzhsnail commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
gzhsnail commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-856380802


   @tzssangglass I'm not using one-way authentication; I need to authenticate the certificates in order to keep data transmission secure.





[GitHub] [apisix] tzssangglass commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-856408344


   > @tzssangglass I'm not using one-way authentication; I need to authenticate the certificates in order to keep data transmission secure.
   
   I'm having some problems, I'll check this when I fix this.





[GitHub] [apisix] tzssangglass commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-856095255


   hi, let's start with a question, do you want to use tls to connect to etcd? This means that this is a one-way authentication, etcd will verify that apisix is communicating with etcd using tls, but apisix will not verify the credentials of etcd.
   
   In this case, the example configuration of etcd:
   
   ```shell
   docker run -d -p 12379:12379 -p 12380:12380 \
           -e ALLOW_NONE_AUTHENTICATION=yes \
           -e ETCD_ADVERTISE_CLIENT_URLS=https://0.0.0.0:12379 \
           -e ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:12379 \
           -e ETCD_CERT_FILE=/certs/etcd.pem \
           -e ETCD_KEY_FILE=/certs/etcd.key \
           -v /usr/local/apisix/t/certs:/certs \
           bitnami/etcd:3.4.0
   ```
   
   the configuration of apisix
   
   ```yaml
   etcd:
     host:
       - "https://127.0.0.1:12379"
     tls:
       verify: false
   ```
   
   It works well.
   
   





[GitHub] [apisix] tokers commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-857295578


   > @tokers I don't understand what you mean. My apisix uses openresty, and it was rebuilt according to https://apisix.apache.org/zh/docs/apisix/how-to-build/.
   
   OK, just ignore my message, I thought you were using the official OR.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] tokers commented on issue #4384: bug: apisix connecting to etcd reports certificate authentication failure

Posted by GitBox <gi...@apache.org>.
tokers commented on issue #4384:
URL: https://github.com/apache/apisix/issues/4384#issuecomment-857296090


   @gzhsnail So have you ever tried to access ETCD by `curl` with the same client cert and key?


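The curl check suggested in the last comment, written out as an added example that is not part of the original thread: it probes etcd once with server verification only and once with the client certificate and key, then maps curl's exit status to the likely failing side of the handshake. The file paths are placeholders, the endpoint is the one from the thread's example configuration, and the function names are made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). All paths below are placeholders.
ETCD_URL="${ETCD_URL:-https://127.0.0.1:12379}"  # endpoint used in the thread's example
CA="${CA:-/path/to/ca.pem}"          # CA that issued etcd's server certificate
CERT="${CERT:-/path/to/client.pem}"  # the client certificate APISIX is configured with
KEY="${KEY:-/path/to/client.key}"    # the matching private key

# Map a curl exit status to the most likely TLS-level cause.
explain_curl_rc() {
  case "$1" in
    0)     echo "ok" ;;
    7)     echo "unreachable: nothing listening or wrong host/port" ;;
    35)    echo "handshake failed: on TLS 1.2 a missing or rejected client cert lands here" ;;
    56)    echo "dropped after handshake: on TLS 1.3 a missing or rejected client cert lands here" ;;
    58)    echo "local client cert problem: unreadable file, bad format or cert/key mismatch" ;;
    51|60) echo "server cert not trusted: wrong CA file, or name not in the cert's SAN" ;;
    *)     echo "other curl error $1" ;;
  esac
}

# True only if both files are readable and carry the same public key.
pair_matches() {
  [ -r "$CERT" ] && [ -r "$KEY" ] || return 1
  c=$(openssl x509 -in "$CERT" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Run one request against etcd's /version endpoint and print curl's exit status.
probe() {
  rc=0
  curl --silent --show-error --output /dev/null --max-time 5 "$@" "$ETCD_URL/version" || rc=$?
  echo "$rc"
}

diagnose() {
  pair_matches || echo "warning: $CERT and $KEY are missing or do not belong together"
  server_only=$(probe --cacert "$CA")                         # verify etcd's cert only
  mutual=$(probe --cacert "$CA" --cert "$CERT" --key "$KEY")  # also present the client cert
  echo "server auth only : $(explain_curl_rc "$server_only")"
  echo "with client cert : $(explain_curl_rc "$mutual")"
  if [ "$server_only" = 0 ]; then
    echo "note: etcd answered a client with no certificate, so client-cert auth is not enforced"
  fi
}

if [ "${1:-}" = "--run" ]; then diagnose; fi
```

Run it with `--run` on the APISIX host after setting `CA`, `CERT` and `KEY`; if the second probe succeeds while APISIX still fails, the certificates are sound and the problem is on the APISIX side.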