Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2022/02/23 10:43:22 UTC
[GitHub] [apisix] zhukexingkong opened a new issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
zhukexingkong opened a new issue #6429:
URL: https://github.com/apache/apisix/issues/6429
### Issue description
1. My backend service has TLS authentication enabled. I used admin API to add routes and enable TLS configuration, and found that the Client Key of APISIX Dashboard has changed:
admin API parameters:
curl http://localhost:9080/apisix/admin/routes/395051487660606160?api_key=admin -X PUT -i -d '
{
"uri": "/test/getUser",
"name": "getUser",
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE"
],
"upstream": {
"nodes": [
{
"host": "127.0.0.1",
"port": 8090,
"weight": 1
}
],
"timeout": {
"connect": 6,
"send": 6,
"read": 6
},
"type": "roundrobin",
"scheme": "https",
"pass_host": "pass",
"tls": {
"client_cert": "-----BEGIN CERTIFICATE-----\nMIIDUzCCAjugAwIBAgIEEaZzijANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDIyMzA5MDcxMloX\nDTIzMDIxODA5MDcxMlowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI7YbpKb\nJyl0jHxHyDZWyJfWwwC9witknq0ETFZeMAVPnz52iz6rBchB/z09SYsYWRaKH6JO\nnOSHKZW3vrqL4vZvQkt5EWQ+SVS5xJ1iG56Xrcmp4PQw2TwuEUUTcerX3L+0rjWY\nGZpMyeptEc77Lq1ytmEx5P6k7s5tOP7sNhJUYHW5L8x5W4zV93XzEj+We/wKjUyP\nN/X9ufnNTw3UlLJbUK2FjAJbtBWWeRbr1JkkoNtKZ9sLz39gAYQyYlIH18e7yjWu\nLNDx8/VeysOwCVMIm1xP2zqMs0812GCLKOYniSq8INsskkjp4g4a4h0G/2EXewcm\nwr9+6nOijdaeubMCAwEAAaMhMB8wHQYDVR0OBBYEFN+KLFSK+Ys6+mXUR+VFn3iG\nhKiCMA0GCSqGSIb3DQEBCwUAA4IBAQAIj0RZ6Kh4ls5pggcSAf2w9WWvOABuT1ig\nSgGMbZncBJU078ABy0XfvsUz8XZMvVJaV/o5THJFJtWgcA8SscABv+c32A9jd/4M\ncyTlc3SpGXv7OTPnkPjI
AMp2i7TNoD1f2s+ZrpyK2tJI1gxMvjjeniQsPCKy0EPe\nFeu428xyN4LE6PwiC58TgbLE9K/CNFJLrcLvcM0CdBJ+XBNW3ZxV38izWMzkaCBn\n1axcwGkerhZAsgSNr7VL14iS4xiijkNrbUoHANlLEKgaHacDwrG5uySQZDzGmFOB\n+79IF49dnrIQFpIU1jT0y88YB2Jqj1DdM9ybT559cLGQOrHFa7t0\n-----END CERTIFICATE-----",
"client_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO2G6SmycpdIx8\nR8g2VsiX1sMAvcIrZJ6tBExWXjAFT58+dos+qwXIQf89PUmLGFkWih+iTpzkhymV\nt766i+L2b0JLeRFkPklUucSdYhuel63JqeD0MNk8LhFFE3Hq19y/tK41mBmaTMnq\nbRHO+y6tcrZhMeT+pO7ObTj+7DYSVGB1uS/MeVuM1fd18xI/lnv8Co1Mjzf1/bn5\nzU8N1JSyW1CthYwCW7QVlnkW69SZJKDbSmfbC89/YAGEMmJSB9fHu8o1rizQ8fP1\nXsrDsAlTCJtcT9s6jLNPNdhgiyjmJ4kqvCDbLJJI6eIOGuIdBv9hF3sHJsK/fupz\noo3WnrmzAgMBAAECggEAZSLl/tTtQFOtl9y264o8Ug0TWfYAgPqnwfY2GjxroYcD\nR5Vk90TdPjFEBtbauCnQAb5fsWoZeVAdaEyFNM0QL80MUiVw49mZz+wLQicRSRM5\nT3wAssPXOt2fCpo+4LhfKjhB095R2kad+2Wn4zVCkjmS2XQbHxQlpG/+l7ckfYrD\nFukiyXQhwshARuvX9X4uvssuRITqyco0Zyqfqxn3BqTOZItukYE+nuIaCigVCD8u\nA75N1plqgnj1gm/Hwiob6gAYBr4P8cyFF+Vu4LAkUfWifD7LBDgSD/IIq2vVvb5q\nQgS8In2qg3an9+nKtBmQFFeTMuEscpKY9SZQZ2iASQKBgQDGynHxhDsPkUQXmDly\nakFj2OWus6/Qb5hv2eaSAKI6GLGKb1wnROuj13cuTnxTbEsBfGGgffNE9S82eXZ1\nvWGchLqbl4rw6vNz2eLVUf2u39Pb3IUu6yWhW8lJFUzWE+jbodojP3U5pXljX7Ij\nmIwhOq7IdyB/fk32pUVIO
/p5bwKBgQC39FAOSRaBkiuvnjBygLcrvWAmkdZayDQ1\nSjeuXGh1qfTHiv0UUTcEBYM3+qsVPIR97SZlc6o+BJdErP21kHDFJ/Wq75pchZzr\nb2b6eDTwI9kW8jzCnabHwauNBLLgmkRqaTbrnwcOvzTH2KINfBNuiJ2b96wuz0HC\nltl8oiU5/QKBgE182FF2Y7c7vrkbwzjQJlEPWOhyblPnTBo9a9z5lkLjIUF/CwLb\noKaq9G/+dAPosIwRudRfhBYbJJ4tVnmqqoPiUQMZXTVvwBomkn7oiORDp0eKe/e/\n/VkaeCmeveasuBX0zxzyPXWNBPYxdTTe37CMOVk25loMF8POxGTVzFrNAoGADR9F\ncq9uBpIpwZ5UMGbUKi+ZI0c19kXfy4lezXZUEUitaGqWwRNGDGhkQuMDv0EQ5na7\nTXNhyojDTafVdVU3ZikCkk4DQeRaHEVXIDjg9dxoyQVAplVep1M+bJHQPMtkY/7b\nZxVyCHBFUJg4fyPBsxnVvGF/i9tHAp2GKCjc5PUCgYEAuN3t+saLpOXqyJp+RV7f\nA0ISr3R8o+LYSc54arYCeuUXqBO8Qr43TRZHeWSQdnzyNrwngQsbBqzj9f02TJ20\nr2JMqfY3XUN7jiZKf1RaEDhyYRSh3K6xCUrXg4ydJbqGYfVt8W27GLfJuOTuL6Lm\nigLTHWPY9lZb5lOz26LnZPI=\n-----END PRIVATE KEY-----"
},
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
}
},
"status": 1
}'
APISIX Dashboard Client Key:
2. When I modify the correct Client Key in APISIX Dashboard, I can access the interface through APISIX, but an error occurs:
<!DOCTYPE html>
<html>
<head>
<meta content="text/html;charset=utf-8" http-equiv="Content-Type">
<meta content="utf-8" http-equiv="encoding">
<title>500 Internal Server Error</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>An error occurred.</h1>
<p>You can report issue to <a href="https://github.com/apache/apisix/issues">APISIX</a></p>
<p><em>Faithfully yours, <a href="https://apisix.apache.org/">APISIX</a>.</em></p>
</body>
</html>
### Environment
- apisix version (cmd: `apisix version`): 2.12.1
- OS (cmd: `uname -a`): centos7
- OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
- etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
- apisix-dashboard version, if have:
- the plugin runner version, if the issue is about a plugin runner (cmd: depended on the kind of runner):
- luarocks version, if the issue is about installation (cmd: `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057615774
> > > > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > > > 404 {"message":"Key not found"}
> > >
> > >
> > > You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
> >
> >
> > The problem was solved. Now it is: [root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.pem ./client.key 400 {"error_msg":"failed to decrypt previous encrypted key"}
>
> How did you solve it? Could you share your solution?
The upstream did not exist; just create an upstream in the APISIX Dashboard and get its ID. It's an oversight on my part. I'm sorry.
And OpenResty failed to install on Ubuntu using yum, so I tested it directly on CentOS 7.
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057625905
> I reproduced. You should delete the first paragraph of the client.key, like this:
>
> ```
> Bag Attributes
> friendlyName: client
> localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
> Key Attributes: <No Attributes>
> ```
>
> And then, upload the file.
After I modified the client.key, this is the result, the question is back to square one, the returned client key is inconsistent with the client.key:
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.crt ./client.key
201
{"node":{"key":"\/apisix\/upstreams\/396932008539849406","value":{"service_name":"resource-service","hash_on":"vars","type":"roundrobin","update_time":1646277329,"keepalive_pool":{"idle_timeout":60,"requests":1000,"size":320},"pass_host":"pass","scheme":"https","name":"TLSU","timeout":{"send":6,"read":6,"connect":6},"id":"396932008539849406","discovery_type":"nacos","tls":{"client_key":"YnwwDKc5vNzo0OU4StTRQbwgCnTZ3dmYiBFm8aGnvTwyAh+Rz4EWXpJif7colyUhItBIvm962vfX5Me9G9WPJ7iM6UZHWEQx+9ZRQzJHIW8bk4p6790cHQXWM7KhuL2tThtkkjnPSC1ZSOHHZOuIu6cQoXSHc6QxmLnLHluRiZxEhpYbqLhFYDBOoO\/0pwcveMNS71Ccf7YVKIfcNtlFX9HYY+5ORcMAAdaZpEyNci1xjWFI7nJK3UvUy+Nv\/fJI0pDX14Vfy1NeSEsnGIp1pBq+hRhkEvnkEoY7+du94Gh7brlWCBFGnp64PD6iMzwuLJWr29V8n\/7OFkkzLyZzvPEQIrP490C37qcguSelFSMBP\/uwBCYdZnh5sIRloBqdMyTZuzvHOLbP6lKOF8EzrNmYlQbjLwvzTD1dlu1K4164xH0fhhrFF9RGq4NlKyepngu0XsAsVLGGp7MOzIGoa4PrDVLCU67QNrxmBvogQUFZP7Z4t2kab+gQcqEI8SYjY+ILmvbVv\/EEkS2QWAh\/ogwouylpHcfTAjvTYC1C1yMXRFDGeBWmmgohVmOlL3Tup\/mDaegV9LV6GFDa3\/Or\
/Q0sZNR45+Obc5dLmS97wLLvsxcgFQU8OKrr\/1mZNefvMIm\/f7zlbm08VLGDhtWiHlIcTp468xHfY2YaDvimwDGK44qrtfe8aFD7qH\/H1e2nhIy6gbw6kWx0sfEPTSBns34Jhm1cz+Nmu22cIQ2U2N+AnoFEz7E4w0yovi+du+ajLNHqgZjU75e0dCRYN6Zx0D6AxI4L2qO6+HdvhlPDjDhIwcmFAlxZKp+pQWEPIkHJxa5mQ9pGlQ\/SdvWUCTY0bLUk+93Qkzy6JbY0qfpt34CE9\/bJcZC6lY\/ln3L\/JUW2hj2cGUc7MNwy2RscwH71z6fscpXGPAdX6WI9chuCGEZWXGDf58oWPoUmEqn4kZBfEBUkjjg7mjvlXqSTQGFciBlWX\/d6\/dKDCEN5sN0jy5A96uDgDsle6sttsDwptyZShWPi+Fj9\/JXGSPflp42GU0igLNxnGy855XT5cJlyWQUtFUHA7bmKiyrbR1hFkNOxploZK+bt0fJYxlShQaHnusxOFuOpjvDxSSBq\/+7ktmCxp57p4BdzcYTsIKUWFfc3IslJWv5MaHJVaWjJ8LDIc+KA+bhzzRhtJUAora9CHr2k0tRB0m9MfzT+gyOBGSxTiHjaUyQR5D0ulTc4BoESn0vXg95XHljc2RA13l7doIsJD19to5s8YdxuzpqJNHQNPvYEuOtkfM0S5LkslpAxIyEFQWiTHeDOwR6WwKaTVDtZI8sSPDaa8xWcUrSo1kl1Hu2iWNad\/P8cQ\/11cdJ1zlkpAJ8JH6xeeo3uC8rMwoctini30PwdABHnu9lWh+WZ6bSXDIUc3c3qJpeeSztnTh4CU+ZzliwNCiQ6DLqK2M8Uy6x8HFeQ2cODvE7iqOdhwDInRPvY+8OSi3gTP2KIBOoGNkXmQqgWd65R8yAi004j3Sgt37SujmOSdcvtE4MtPWrAg2xvXq3lna0W+gREGOEYmS7uwqm7rmnoLc7\/KLC
DsNWdt+\/HqSScMPHlbg+drrsOF+QJ3SQWMxB8mB4Jt1K1C0S43RKuVAhU96V16wd\/bCamxDvd6Mx7M4WxM2SLGnHqjMyFcC5mElD3Aa9\/CZ+TEfgNmdyIT2EMSpuucIQriIppN7NMcsQddchiB1l4Mqe4kweQVk21XwG\/eLKcdWFtrZ4Kbcwpt4wjESbBBUgQLwVITVr+2MiSAwMRVkRdxJvTlhdy8Ot6Utv4obRY5WseZCFFg9lm\/uj4gw79H9dvg6B1vu5i4NFYYXKfYZ0kyQ3bMHaSmUHUx2UfysZdf5mxa04v4LhNYjaHhjd3mO7dKAwcwt\/UvHU76umTbLVB9jZmFSkS+PFDg4vBFK+f6hK8FXmtD\/QCVABQaFfUX0GBpatr43lIf0drisIIYfu7Oj1sFFRgUJWVqNxznQKQZY9u4M\/32q4dCEGz8bP4bbDGe8+iNOuKSPq2VcpTpxNzdZdyAHYdYCzFGoVmMBjw0q\/vcRHZStP6BeAC0Tv2ucZtHTKSf3mMpT5t9jbYPBPaUDhS+R41i4etN2VFh6ovoj+2WPrMJ0jygxREaaeudwgoGrvWeR6FxB78SXhhCBk8hN5YdRAaAZtsDKg6iL2G52TeIvuykeNMlbqd4ITUYT0T0fBNbgYeE96l7ZKyH0P4xWjxJPTug3elCVOnm7g1UM0hKygxZJpilNs3FfBGnQ0=","client_cert":"Bag Attributes\n friendlyName: client\n localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31 \nsubject=\/C=CN\/ST=CD\/L=CD\/O=client\/OU=client\/CN=client\nissuer=\/C=CN\/ST=CD\/L=CD\/O=client\/OU=client\/CN=client\n-----BEGIN CERTIFICATE-----\nMI
IDUzCCAjugAwIBAgIEE5RMajANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDMwMTA3MTAzNVoX\nDTIzMDIyNDA3MTAzNVowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIEGlxi0\nvFrEUFJQTiqiJNQUuj0RJ2y0NJB7tVSXjG6ujBygucAO9B1rUL5NJ1lx8Uz\/DIwH\nLogb4QfNoV5i+AltvIESs60EB818KKBFgdsNUlXGDc3Jq7Z3B30OMOc1es6WSrDJ\nODQwl6iyD+kNjsUuVciDv9K\/36gqAMFMKQEULegV3Wzb3F9hJ92p6SAwG7+HqszT\nc0amEbCr9NRBAykVj7dvly4dTaLnkLkvQ66d38d9+n2k4KdLwtkTe\/gNnE98Ppdy\neJdgz3b3cg7rNYjpsU6jDbP8RwgUnFV9VjpEqvmb+XL7c1jaBtYOwIeGQedmBMx0\nnSNTv1\/XwGuHLCECAwEAAaMhMB8wHQYDVR0OBBYEFOu6GZvXCzoq06KrSD6nrh4n\nAVf5MA0GCSqGSIb3DQEBCwUAA4IBAQAOfBB3szjT6mTWjVkWVTi1Ul34lcGspIDH\ni0ZmeZJyD+zA0NOAPVUFhHjq0tw8Ns19L4OD+yRyZB+k\/8QIROoDG0RjOrFzP7oE\nMl0d3A08ot4qmnVcd7L0eab1QxGP1PPHm1a7F51gUoCPEYdNVOPmTFgfbE6i\/4Gh\n0oB
8\/6ZFB9t2QAWrmfzjyM\/CEx3j53h4hcOYiqp7sw7zXPKuYJTpLXj4aZ8mVLF7\nwXuu+I3UQvAOJjssDJ05+WEFerDNlOLryV3QVrVDQW7hYfnmguVc59Fd1OKPirP3\noZ3fyrYEQQN0XOoPT1L+CYPNjY+h9lvGF4QHUr654diXtCFOh8gy\n-----END CERTIFICATE-----\n"},"discovery_args":{"namespace_id":"test","group_name":"test_group"},"create_time":1646119513}},"action":"compareAndSwap"}
[root@2d8f65f7ad67 tlsDir]# cat client.key
[GitHub] [apisix] tokers commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1054074635
> @tokers The APISIX's error.log: 2022-02-28T10:26:57.004+0800 WARN store/store.go:154 data not found by key: 395051487660606160
>
> This is the admin API command: curl http://localhost:9080/apisix/admin/routes/395051487660606160?api_key=admin -X PUT -i -d ' { "uri": "/test/getUser", "name": "getUser", "methods": [ "GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE" ], "upstream": { "nodes": [ { "host": "127.0.0.1", "port": 8090, "weight": 1 } ], "timeout": { "connect": 6, "send": 6, "read": 6 }, "type": "roundrobin", "scheme": "https", "pass_host": "pass", "tls": { "client_cert": "-----BEGIN CERTIFICATE-----\nMIIDUzCCAjugAwIBAgIEEaZzijANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDIyMzA5MDcxMloX\nDTIzMDIxODA5MDcxMlowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI7YbpKb\nJyl0jHxHyDZWyJfWwwC9witknq0ETFZeMAVPnz52iz6rBchB/z09SYsYWRaKH6JO\nnOSHKZW3vrqL4vZvQkt
5EWQ+SVS5xJ1iG56Xrcmp4PQw2TwuEUUTcerX3L+0rjWY\nGZpMyeptEc77Lq1ytmEx5P6k7s5tOP7sNhJUYHW5L8x5W4zV93XzEj+We/wKjUyP\nN/X9ufnNTw3UlLJbUK2FjAJbtBWWeRbr1JkkoNtKZ9sLz39gAYQyYlIH18e7yjWu\nLNDx8/VeysOwCVMIm1xP2zqMs0812GCLKOYniSq8INsskkjp4g4a4h0G/2EXewcm\nwr9+6nOijdaeubMCAwEAAaMhMB8wHQYDVR0OBBYEFN+KLFSK+Ys6+mXUR+VFn3iG\nhKiCMA0GCSqGSIb3DQEBCwUAA4IBAQAIj0RZ6Kh4ls5pggcSAf2w9WWvOABuT1ig\nSgGMbZncBJU078ABy0XfvsUz8XZMvVJaV/o5THJFJtWgcA8SscABv+c32A9jd/4M\ncyTlc3SpGXv7OTPnkPjIAMp2i7TNoD1f2s+ZrpyK2tJI1gxMvjjeniQsPCKy0EPe\nFeu428xyN4LE6PwiC58TgbLE9K/CNFJLrcLvcM0CdBJ+XBNW3ZxV38izWMzkaCBn\n1axcwGkerhZAsgSNr7VL14iS4xiijkNrbUoHANlLEKgaHacDwrG5uySQZDzGmFOB\n+79IF49dnrIQFpIU1jT0y88YB2Jqj1DdM9ybT559cLGQOrHFa7t0\n-----END CERTIFICATE-----", "client_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO2G6SmycpdIx8\nR8g2VsiX1sMAvcIrZJ6tBExWXjAFT58+dos+qwXIQf89PUmLGFkWih+iTpzkhymV\nt766i+L2b0JLeRFkPklUucSdYhuel63JqeD0MNk8LhFFE3Hq19y/tK41mBmaTMnq\nbRHO+y6tcrZhMeT+pO7ObTj+7DYSVGB1
uS/MeVuM1fd18xI/lnv8Co1Mjzf1/bn5\nzU8N1JSyW1CthYwCW7QVlnkW69SZJKDbSmfbC89/YAGEMmJSB9fHu8o1rizQ8fP1\nXsrDsAlTCJtcT9s6jLNPNdhgiyjmJ4kqvCDbLJJI6eIOGuIdBv9hF3sHJsK/fupz\noo3WnrmzAgMBAAECggEAZSLl/tTtQFOtl9y264o8Ug0TWfYAgPqnwfY2GjxroYcD\nR5Vk90TdPjFEBtbauCnQAb5fsWoZeVAdaEyFNM0QL80MUiVw49mZz+wLQicRSRM5\nT3wAssPXOt2fCpo+4LhfKjhB095R2kad+2Wn4zVCkjmS2XQbHxQlpG/+l7ckfYrD\nFukiyXQhwshARuvX9X4uvssuRITqyco0Zyqfqxn3BqTOZItukYE+nuIaCigVCD8u\nA75N1plqgnj1gm/Hwiob6gAYBr4P8cyFF+Vu4LAkUfWifD7LBDgSD/IIq2vVvb5q\nQgS8In2qg3an9+nKtBmQFFeTMuEscpKY9SZQZ2iASQKBgQDGynHxhDsPkUQXmDly\nakFj2OWus6/Qb5hv2eaSAKI6GLGKb1wnROuj13cuTnxTbEsBfGGgffNE9S82eXZ1\nvWGchLqbl4rw6vNz2eLVUf2u39Pb3IUu6yWhW8lJFUzWE+jbodojP3U5pXljX7Ij\nmIwhOq7IdyB/fk32pUVIO/p5bwKBgQC39FAOSRaBkiuvnjBygLcrvWAmkdZayDQ1\nSjeuXGh1qfTHiv0UUTcEBYM3+qsVPIR97SZlc6o+BJdErP21kHDFJ/Wq75pchZzr\nb2b6eDTwI9kW8jzCnabHwauNBLLgmkRqaTbrnwcOvzTH2KINfBNuiJ2b96wuz0HC\nltl8oiU5/QKBgE182FF2Y7c7vrkbwzjQJlEPWOhyblPnTBo9a9z5lkLjIUF/CwLb\noKaq9G/+dAPosIwRudRfhBYbJJ4tVnmqqoPiUQM
ZXTVvwBomkn7oiORDp0eKe/e/\n/VkaeCmeveasuBX0zxzyPXWNBPYxdTTe37CMOVk25loMF8POxGTVzFrNAoGADR9F\ncq9uBpIpwZ5UMGbUKi+ZI0c19kXfy4lezXZUEUitaGqWwRNGDGhkQuMDv0EQ5na7\nTXNhyojDTafVdVU3ZikCkk4DQeRaHEVXIDjg9dxoyQVAplVep1M+bJHQPMtkY/7b\nZxVyCHBFUJg4fyPBsxnVvGF/i9tHAp2GKCjc5PUCgYEAuN3t+saLpOXqyJp+RV7f\nA0ISr3R8o+LYSc54arYCeuUXqBO8Qr43TRZHeWSQdnzyNrwngQsbBqzj9f02TJ20\nr2JMqfY3XUN7jiZKf1RaEDhyYRSh3K6xCUrXg4ydJbqGYfVt8W27GLfJuOTuL6Lm\nigLTHWPY9lZb5lOz26LnZPI=\n-----END PRIVATE KEY-----" }, "keepalive_pool": { "idle_timeout": 60, "requests": 1000, "size": 320 } }, "status": 1 }'
>
> And this is the response, note that the client_key returned is different from the client_key entered: HTTP/1.1 200 OK Date: Mon, 28 Feb 2022 02:24:23 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: keep-alive Server: APISIX/2.12.1 Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: true Access-Control-Expose-Headers: * Access-Control-Max-Age: 3600 { "action": "set", "node": { "key": "/apisix/routes/395051487660606160", "value": { "priority": 0, "upstream": { "pass_host": "pass", "scheme": "https", "timeout": { "connect": 6, "read": 6, "send": 6 }, "tls": { "client_key": "YnwwDKc5vNzo0OU4StTRQbwgCnTZ3dmYiBFm8aGnvTwxKvJJ1WgSomNREpjNtjohs1L21CS1IT5LT8yk+6RKOkyG5eN5BnHp9qMm5g1GPZEq/uH40PW3qEDX70xQ+4I04YOmHNFv/O3u0y2kiT5xN/Ge+1RD1c/+HJiQWvpJRaDrKz6qONMyF3Fqw9wj2v6qSuWx3K5MevdYiUYsHwibclWncP1eV9UqICC6GBGk0WLR2Cyq8T/d0kzWbFCSjSCaHO+RRwMMs7sugvRhl1ozUgcbKjDnyiH0t606ToPcvS4LcfkhrCcPvCho0leWOGYfmpsdqwv0jph58/7SDLOEy0dNRPzyVZxgA0+k6ZxyE7I8Hmbc4C4hWLzJP
", "client_cert": "-----BEGIN CERTIFICATE-----\nMIIDUzCCAjugAwIBAgIEEaZzijANBgkqhkiG9w0
BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDIyMzA5MDcxMloX\nDTIzMDIxODA5MDcxMlowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI7YbpKb\nJyl0jHxHyDZWyJfWwwC9witknq0ETFZeMAVPnz52iz6rBchB/z09SYsYWRaKH6JO\nnOSHKZW3vrqL4vZvQkt5EWQ+SVS5xJ1iG56Xrcmp4PQw2TwuEUUTcerX3L+0rjWY\nGZpMyeptEc77Lq1ytmEx5P6k7s5tOP7sNhJUYHW5L8x5W4zV93XzEj+We/wKjUyP\nN/X9ufnNTw3UlLJbUK2FjAJbtBWWeRbr1JkkoNtKZ9sLz39gAYQyYlIH18e7yjWu\nLNDx8/VeysOwCVMIm1xP2zqMs0812GCLKOYniSq8INsskkjp4g4a4h0G/2EXewcm\nwr9+6nOijdaeubMCAwEAAaMhMB8wHQYDVR0OBBYEFN+KLFSK+Ys6+mXUR+VFn3iG\nhKiCMA0GCSqGSIb3DQEBCwUAA4IBAQAIj0RZ6Kh4ls5pggcSAf2w9WWvOABuT1ig\nSgGMbZncBJU078ABy0XfvsUz8XZMvVJaV/o5THJFJtWgcA8SscABv+c32A9jd/4M\ncyTlc3SpGXv7OTPnkPjIAMp2i7TNoD1f2s+ZrpyK2tJI1gxMvjjeniQsPCKy0EPe\nFeu428xyN4LE6PwiC58TgbLE9K/CNFJLrcLvcM0CdBJ+XB
NW3ZxV38izWMzkaCBn\n1axcwGkerhZAsgSNr7VL14iS4xiijkNrbUoHANlLEKgaHacDwrG5uySQZDzGmFOB\n+79IF49dnrIQFpIU1jT0y88YB2Jqj1DdM9ybT559cLGQOrHFa7t0\n-----END CERTIFICATE-----" }, "type": "roundrobin", "keepalive_pool": { "requests": 1000, "size": 320, "idle_timeout": 60 }, "hash_on": "vars", "nodes": [{ "host": "127.0.0.1", "priority": 0, "weight": 1, "port": 8090 }] }, "methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE"], "name": "getUser", "update_time": 1646015063, "id": "395051487660606160", "uri": "/test/getUser", "create_time": 1645667677, "status": 1 } } }
Did you enable the ssl key encryption feature? You can check your config.yaml file.
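What the "ssl key encryption feature" asked about above does to a `client_key`, as an added sketch that is not part of the original thread and not APISIX's own code. It assumes the stored value is base64 of AES-128-CBC over the PEM text, with the 16-byte `key_encrypt_salt` from `config.yaml` used as both key and IV; the salt and the PEM-shaped samples are constructed.

```bash
#!/bin/sh
# Added illustration, not APISIX source code.
# Assumption: with key encryption enabled, the gateway stores
#   base64( AES-128-CBC( pem, key = salt, iv = salt ) )  with PKCS#7 padding,
# where salt is the 16-byte key_encrypt_salt from config.yaml.

SALT='0123456789abcdef'        # constructed 16-byte salt, not a real one

# Constructed PEM-shaped samples (not real keys). Like the two keys posted in
# the thread, they share their first 33 bytes ("...MIIEv") and then differ.
PEM_A='-----BEGIN PRIVATE KEY-----
MIIEvQ-constructed-sample-body-A
-----END PRIVATE KEY-----'
PEM_B='-----BEGIN PRIVATE KEY-----
MIIEvg-constructed-sample-body-B
-----END PRIVATE KEY-----'

# Hex-encode the raw bytes of a string for openssl's -K / -iv options.
to_hex() { printf '%s' "$1" | od -An -v -tx1 | tr -d ' \t\n'; }

# encrypt_key SALT PEM -> base64 text, the shape of a stored client_key
encrypt_key() (
    hex=$(to_hex "$1")
    printf '%s' "$2" | openssl enc -aes-128-cbc -K "$hex" -iv "$hex" -base64 -A
)

# decrypt_key SALT STORED -> PEM text; openssl normally exits non-zero when
# the salt is not the one the value was encrypted with (padding check fails)
decrypt_key() (
    hex=$(to_hex "$1")
    printf '%s\n' "$2" |
        openssl enc -d -aes-128-cbc -K "$hex" -iv "$hex" -base64 -A 2>/dev/null
)

# Number of leading characters two strings have in common.
common_prefix_len() (
    a=$1 b=$2 n=0
    while [ -n "$a" ] && [ -n "$b" ] && [ "${a%"${a#?}"}" = "${b%"${b#?}"}" ]; do
        a=${a#?} b=${b#?} n=$((n + 1))
    done
    echo "$n"
)

stored_a=$(encrypt_key "$SALT" "$PEM_A")
stored_b=$(encrypt_key "$SALT" "$PEM_B")

# The stored form is base64 ciphertext, so it never equals the PEM that was sent.
echo "stored A: $stored_a"
echo "stored B: $stored_b"

# Fixed key and IV make the scheme deterministic: the first two 16-byte blocks
# of both samples are equal, so at least 42 leading base64 characters match.
echo "common leading characters: $(common_prefix_len "$stored_a" "$stored_b")"

# Only the salt that encrypted the value gets the PEM back.
if [ "$(decrypt_key "$SALT" "$stored_a")" = "$PEM_A" ]; then
    echo "same salt: original PEM recovered"
fi
if [ "$(decrypt_key 'fedcba9876543210' "$stored_a")" != "$PEM_A" ]; then
    echo "different salt: PEM not recovered"
fi
```

Under this assumption, the matching leading characters of the two returned `client_key` values quoted in this thread are what a fixed key and IV would produce for two PEM files that start with the same bytes.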
[GitHub] [apisix] tokers commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055274630
> @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
>
> 404 {"message":"Key not found"}
You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049437407
[GitHub] [apisix] tzssangglass commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055009614
> It is mTLS Between APISIX and Upstream, how do I config config.yaml?
This is not done through configuration, which requires you to build APISIX-OpenResty (now called APISIX-Base). The build method has been mentioned above.
> And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: [apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream](https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream)
Did you follow the documentation exactly? cc #3545 PLAT
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1056339252
> > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > 404 {"message":"Key not found"}
>
> You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
The problem was solved. Now it is:
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.pem ./client.key
400
{"error_msg":"failed to decrypt previous encrypted key"}
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057763936
I have verified the TLS function and this problem can be closed. To summarize the problems:
1. OpenResty installation for Ubuntu is problematic. Still use centos7.
2. The client.key added in APISIX Dashboard and added using the Admin API return different results. This was not anticipated.
[GitHub] [apisix] soulbird commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
soulbird commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057000986
I reproduced it. You should delete the first paragraph of the client.key, like this:
```
Bag Attributes
friendlyName: client
localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
Key Attributes: <No Attributes>
```
And then, upload the file.
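The clean-up described in the comment above, as an added example that is not part of the original thread or of the APISIX project: it keeps only the PEM block of a key file exported with `openssl pkcs12 -nodes`, drops the "Bag Attributes" preamble, and rejects encrypted or malformed keys before the file is uploaded. The function names and the sample input are constructed for illustration; the sample body is filler bytes, not a real key.

```python
import base64
import re

# One PEM block; the label after BEGIN must be repeated after END.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)

# Labels used by unencrypted private keys.
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def extract_pem_blocks(text):
    """Return [(label, pem_text)] for every well-formed PEM block in text.

    Everything outside the BEGIN/END markers, such as the "Bag Attributes"
    preamble written by `openssl pkcs12`, is discarded.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy encrypted keys carry headers such as "Proc-Type:" in the body.
        if any(":" in ln for ln in lines):
            raise ValueError(f"{label}: header lines inside the block (encrypted key?)")
        try:
            base64.b64decode("".join(lines), validate=True)
        except ValueError as exc:
            raise ValueError(f"{label}: body is not valid base64") from exc
        pem = "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
        ) + "\n"
        blocks.append((label, pem))
    return blocks


def clean_private_key(text):
    """Return the single unencrypted private key found in text as clean PEM."""
    keys = [pem for label, pem in extract_pem_blocks(text) if label in PLAIN_KEY_LABELS]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one unencrypted private key, found {len(keys)}")
    return keys[0]


def stray_lines(text):
    """List the non-empty lines that sit outside any PEM block."""
    outside = PEM_BLOCK.sub("", text)
    return [ln.strip() for ln in outside.splitlines() if ln.strip()]


# Constructed sample: the preamble layout follows the thread, the body is filler.
_B64 = base64.b64encode(bytes(range(96))).decode()
SAMPLE = (
    "Bag Attributes\n"
    "    friendlyName: client\n"
    "    localKeyID: 01 02 03\n"
    "Key Attributes: <No Attributes>\n"
    "-----BEGIN PRIVATE KEY-----\n"
    + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
    + "\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print("dropped:", stray_lines(SAMPLE))
    print(clean_private_key(SAMPLE), end="")
```
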
[GitHub] [apisix] tokers commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049401474
@zhukexingkong Please provide some error logs about apisix-dashboard (the manager-api program).
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1054970427
@bzp2010
After I configure TLS configuration for the route, the following error occurs when I access the route through APISIX, it is APISIX's error.log:
2022/03/01 11:20:39 [error] 25702#25702: *9204101 [lua] init.lua:520: http_access_phase(): failed to set upstream: need to build APISIX-OpenResty to support upstream mTLS, client: ::1, server: _, request: "GET /test/getUser?id=1 HTTP/1.1", host: "localhost:9080"
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049417593
@[tokers](https://github.com/tokers) When I query the route list after creating a route in Dashboard, the error.log of Dashboard shows the following information:
2022-02-24T09:55:32.577+0800 WARN store/store.go:154 data not found by key: 396174040680628944
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049417593
When I query the route list after creating a route in Dashboard, the error.log of Dashboard shows the following information:
2022-02-24T09:55:32.577+0800 WARN store/store.go:154 data not found by key: 396174040680628944
[GitHub] [apisix] bzp2010 commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
bzp2010 commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1053449323
> @bzp2010 Please take a look when you have time, I'm not sure whether this error will cause the `500 Internal Error`.
This does not cause an error, in fact, it is an error reported by APISIX and you should check the log in APISIX's error.log to determine the cause.
[GitHub] [apisix] tzssangglass commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055176740
> Bag Attributes
> friendlyName: client
> localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
> Key Attributes:
I think the format of this paragraph is wrong; you can refer to the format of the cert and key under `t/certs` and use the official reference py script to read them.
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057615774
> > > > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > > > 404 {"message":"Key not found"}
> > >
> > >
> > > You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
> >
> >
> > The problem was solved. Now it is: [root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.pem ./client.key 400 {"error_msg":"failed to decrypt previous encrypted key"}
>
> How did you solve it? Could you share your solution?
The upstream did not exist; just create an upstream in the APISIX Dashboard and get its ID. It's an oversight on my part. I'm sorry.
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057759913
I noticed that client.key was also displayed as an encrypted string in the APISIX Dashboard, but if I pasted the original contents of client.key into the APISIX Dashboard, it could also succeed.
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1053809681
@tokers
The APISIX's error.log:
2022-02-28T10:26:57.004+0800 WARN store/store.go:154 data not found by key: 395051487660606160
This is the admin API command:
curl http://localhost:9080/apisix/admin/routes/395051487660606160?api_key=admin -X PUT -i -d '
{
"uri": "/test/getUser",
"name": "getUser",
"methods": [
"GET",
"POST",
"PUT",
"DELETE",
"PATCH",
"HEAD",
"OPTIONS",
"CONNECT",
"TRACE"
],
"upstream": {
"nodes": [
{
"host": "127.0.0.1",
"port": 8090,
"weight": 1
}
],
"timeout": {
"connect": 6,
"send": 6,
"read": 6
},
"type": "roundrobin",
"scheme": "https",
"pass_host": "pass",
"tls": {
"client_cert": "-----BEGIN CERTIFICATE-----\nMIIDUzCCAjugAwIBAgIEEaZzijANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDIyMzA5MDcxMloX\nDTIzMDIxODA5MDcxMlowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI7YbpKb\nJyl0jHxHyDZWyJfWwwC9witknq0ETFZeMAVPnz52iz6rBchB/z09SYsYWRaKH6JO\nnOSHKZW3vrqL4vZvQkt5EWQ+SVS5xJ1iG56Xrcmp4PQw2TwuEUUTcerX3L+0rjWY\nGZpMyeptEc77Lq1ytmEx5P6k7s5tOP7sNhJUYHW5L8x5W4zV93XzEj+We/wKjUyP\nN/X9ufnNTw3UlLJbUK2FjAJbtBWWeRbr1JkkoNtKZ9sLz39gAYQyYlIH18e7yjWu\nLNDx8/VeysOwCVMIm1xP2zqMs0812GCLKOYniSq8INsskkjp4g4a4h0G/2EXewcm\nwr9+6nOijdaeubMCAwEAAaMhMB8wHQYDVR0OBBYEFN+KLFSK+Ys6+mXUR+VFn3iG\nhKiCMA0GCSqGSIb3DQEBCwUAA4IBAQAIj0RZ6Kh4ls5pggcSAf2w9WWvOABuT1ig\nSgGMbZncBJU078ABy0XfvsUz8XZMvVJaV/o5THJFJtWgcA8SscABv+c32A9jd/4M\ncyTlc3SpGXv7OTPnkPjI
AMp2i7TNoD1f2s+ZrpyK2tJI1gxMvjjeniQsPCKy0EPe\nFeu428xyN4LE6PwiC58TgbLE9K/CNFJLrcLvcM0CdBJ+XBNW3ZxV38izWMzkaCBn\n1axcwGkerhZAsgSNr7VL14iS4xiijkNrbUoHANlLEKgaHacDwrG5uySQZDzGmFOB\n+79IF49dnrIQFpIU1jT0y88YB2Jqj1DdM9ybT559cLGQOrHFa7t0\n-----END CERTIFICATE-----",
"client_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO2G6SmycpdIx8\nR8g2VsiX1sMAvcIrZJ6tBExWXjAFT58+dos+qwXIQf89PUmLGFkWih+iTpzkhymV\nt766i+L2b0JLeRFkPklUucSdYhuel63JqeD0MNk8LhFFE3Hq19y/tK41mBmaTMnq\nbRHO+y6tcrZhMeT+pO7ObTj+7DYSVGB1uS/MeVuM1fd18xI/lnv8Co1Mjzf1/bn5\nzU8N1JSyW1CthYwCW7QVlnkW69SZJKDbSmfbC89/YAGEMmJSB9fHu8o1rizQ8fP1\nXsrDsAlTCJtcT9s6jLNPNdhgiyjmJ4kqvCDbLJJI6eIOGuIdBv9hF3sHJsK/fupz\noo3WnrmzAgMBAAECggEAZSLl/tTtQFOtl9y264o8Ug0TWfYAgPqnwfY2GjxroYcD\nR5Vk90TdPjFEBtbauCnQAb5fsWoZeVAdaEyFNM0QL80MUiVw49mZz+wLQicRSRM5\nT3wAssPXOt2fCpo+4LhfKjhB095R2kad+2Wn4zVCkjmS2XQbHxQlpG/+l7ckfYrD\nFukiyXQhwshARuvX9X4uvssuRITqyco0Zyqfqxn3BqTOZItukYE+nuIaCigVCD8u\nA75N1plqgnj1gm/Hwiob6gAYBr4P8cyFF+Vu4LAkUfWifD7LBDgSD/IIq2vVvb5q\nQgS8In2qg3an9+nKtBmQFFeTMuEscpKY9SZQZ2iASQKBgQDGynHxhDsPkUQXmDly\nakFj2OWus6/Qb5hv2eaSAKI6GLGKb1wnROuj13cuTnxTbEsBfGGgffNE9S82eXZ1\nvWGchLqbl4rw6vNz2eLVUf2u39Pb3IUu6yWhW8lJFUzWE+jbodojP3U5pXljX7Ij\nmIwhOq7IdyB/fk32pUVIO
/p5bwKBgQC39FAOSRaBkiuvnjBygLcrvWAmkdZayDQ1\nSjeuXGh1qfTHiv0UUTcEBYM3+qsVPIR97SZlc6o+BJdErP21kHDFJ/Wq75pchZzr\nb2b6eDTwI9kW8jzCnabHwauNBLLgmkRqaTbrnwcOvzTH2KINfBNuiJ2b96wuz0HC\nltl8oiU5/QKBgE182FF2Y7c7vrkbwzjQJlEPWOhyblPnTBo9a9z5lkLjIUF/CwLb\noKaq9G/+dAPosIwRudRfhBYbJJ4tVnmqqoPiUQMZXTVvwBomkn7oiORDp0eKe/e/\n/VkaeCmeveasuBX0zxzyPXWNBPYxdTTe37CMOVk25loMF8POxGTVzFrNAoGADR9F\ncq9uBpIpwZ5UMGbUKi+ZI0c19kXfy4lezXZUEUitaGqWwRNGDGhkQuMDv0EQ5na7\nTXNhyojDTafVdVU3ZikCkk4DQeRaHEVXIDjg9dxoyQVAplVep1M+bJHQPMtkY/7b\nZxVyCHBFUJg4fyPBsxnVvGF/i9tHAp2GKCjc5PUCgYEAuN3t+saLpOXqyJp+RV7f\nA0ISr3R8o+LYSc54arYCeuUXqBO8Qr43TRZHeWSQdnzyNrwngQsbBqzj9f02TJ20\nr2JMqfY3XUN7jiZKf1RaEDhyYRSh3K6xCUrXg4ydJbqGYfVt8W27GLfJuOTuL6Lm\nigLTHWPY9lZb5lOz26LnZPI=\n-----END PRIVATE KEY-----"
},
"keepalive_pool": {
"idle_timeout": 60,
"requests": 1000,
"size": 320
}
},
"status": 1
}'
And this is the response; note that the client_key returned is different from the client_key entered:
HTTP/1.1 200 OK
Date: Mon, 28 Feb 2022 02:24:23 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.12.1
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600
{
"action": "set",
"node": {
"key": "\/apisix\/routes\/395051487660606160",
"value": {
"priority": 0,
"upstream": {
"pass_host": "pass",
"scheme": "https",
"timeout": {
"connect": 6,
"read": 6,
"send": 6
},
"tls": {
"client_key": "YnwwDKc5vNzo0OU4StTRQbwgCnTZ3dmYiBFm8aGnvTwxKvJJ1WgSomNREpjNtjohs1L21CS1IT5LT8yk+6RKOkyG5eN5BnHp9qMm5g1GPZEq\/uH40PW3qEDX70xQ+4I04YOmHNFv\/O3u0y2kiT5xN\/Ge+1RD1c\/+HJiQWvpJRaDrKz6qONMyF3Fqw9wj2v6qSuWx3K5MevdYiUYsHwibclWncP1eV9UqICC6GBGk0WLR2Cyq8T\/d0kzWbFCSjSCaHO+RRwMMs7sugvRhl1ozUgcbKjDnyiH0t606ToPcvS4LcfkhrCcPvCho0leWOGYfmpsdqwv0jph58\/7SDLOEy0dNRPzyVZxgA0+k6ZxyE7I8Hmbc4C4hWLzJPmzlNtKpoBQw2ALnBaHhNDDG2G\/9+jGOFRnu+PBMT6uaMPA2V9xi3v6PZPieYlCOxbEfRbPwVhb\/oqqBeuM5KII6CHCGfiYQFrtGnjTbN6pexXfvVs\/ctZaTEAqDftf44dpW3TMUSU8O6PcDVc194vPvuigy1z\/7rKtJ2+h2kvI\/XY0ZTLu20KhldbvDc6qgHUUFnT7NK1nYhfqjwm9J7Y3vG4GVFhUg6KrvOInRfqm1fVWlqPQuHIEPE+Zi6Exi7XO1r4Ff0yhtwYhRew3M1Ch143GOQQDQ8ent3SJZ21pUGzImjMAiA0SNng81+uSB+KATUQk1Sjgo3iUyMtzu+v3cWRhh2v3QMt9b0\/FvF2GwpkLZ3CPoa2+4Rfd5Y2Vov9\/vfSh4GqXR0+j6lIkFg\/yg9o5wkxDSJnEGFOBt2cqXI\/T+UOll1VGMinOBmdnM9w+q5wXcowJ\/N5D1HzRJRajp0C7Z\/FmGZuqaUwChDBRz4r+\/94tg5gVea9yjOFjm0DzT4ur7GsAQke1JhksfKsZvsa+pWAYD\/+eyXN5eIn+JLnZZiuLM4kdWKxQ5FE3OSKo\
/QzWVn9vOWNH4UI8LF9Jh6WoZuDJP7cWyiqnQrrKtTKruhSQdFrCeKWdtMdCdKfNwYdyqHz2Yr\/LznFfG5CiZjEv+7mFqdKZzqGCW4MvVTRUiUPqCpeh7TUSRSzC\/ujo+o1eMzF8Zq9Hhf2+OMMhVQV5oo1LRu89jjQNWSFUerKfVAp5JINUJGmHe2pkyI2ZoSfj4Cs+WeC9N1qU4OZGmvPcvJNl4JpHHML1l4FRIxfQmQ4FWpmePWvjK55IuwCx4\/Wr05CZycMK9kIon1nRaLonYdk57UB2D0ridALR2zE8IIxobd\/EotEBbDviOMQWCRDBvMwN0A6FMRFHLITfvA17dhS2jmvToP4Fj\/EWNomAiV4rlqr0N34T4WkTYeJZOcixvx7oPvbVIGM6KGp3mVdTCrO8hpvKCc6hLnWPDGZA6\/g1AzC\/7YEaUC2TzLCf\/90\/z+QSTvkf9sdQpsH6m2gz1iDvuGG2\/YRnJrF7LJoKQF9s3y8e\/u2K37yQGeJLy9VTZirdcNrx0nqnjI1LxzRWeAg2nOe1eDb4VmPExNBCyg01NuP6DQ7c7wDT8wYJc3dFoGA35TCuUrlc4FU09tyoixEyPTgWYPn6qXT\/a\/8WEmTLeYnmvvNQZ0dsfSaN24oCVOvXWSPBLUItfuvzoyMZScNKX3j8SIPzT7u41oS6zQ1q1\/CHbWY\/rU+ZcUGrFTRcfipVGwuWh0Pznir3zuSEIifdz\/dqaajchTClSJ978pSw\/TiAzCYbzDo+eRyDbfPDHqNRiPQukiqjZyZeu5apSCqKaC5A+GD+lx8ycf7it3rxF43A3VvC5MpBNwSa+bNuT3iB0b3d1kYCp64xYap9zkTb28Km\/x2M942jSyLIFNtCNsVNZ3J\/ABWjW92aNvhqKi0l1acRQhtlXN7kXWulBXzYHCAeSDVEyGljK53Qf18wUSNPIgzSURpOqdDraUSLY5V\/PW4Gy1xd\
/2dNYLdVUGje+grALXUVG+ucw8mxzJapmSwPR81qRIPanpPkSIyghcOtsV4GnAxKOIFVxk44LChDU13Jt4PgD5yw71xnHczOC1T4vwdzLxaPv+XRlrr0OpF+IVaWjigOOv6S+XoWCHAkHfw\/jpmqAz32ArajL4mc07QkvEFdieRN5E+NRdn670lKibJCTvsAT4OloOMw6WA+oxXUz3w0iOJUC5GqzaXICaN4vFDkQfpG8lHfnpW0icf5+\/OM8JnFOJaSOpZ1tIfAYXG9OjL4cOrrIOzkpqM52GOr9enUEjPDWHAhmt90MbTrIMIvUwfoiOA5CLrrzK+SG9BnPAFPKdE7IK5L+Kf0=",
"client_cert": "-----BEGIN CERTIFICATE-----\nMIIDUzCCAjugAwIBAgIEEaZzijANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDIyMzA5MDcxMloX\nDTIzMDIxODA5MDcxMlowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI7YbpKb\nJyl0jHxHyDZWyJfWwwC9witknq0ETFZeMAVPnz52iz6rBchB\/z09SYsYWRaKH6JO\nnOSHKZW3vrqL4vZvQkt5EWQ+SVS5xJ1iG56Xrcmp4PQw2TwuEUUTcerX3L+0rjWY\nGZpMyeptEc77Lq1ytmEx5P6k7s5tOP7sNhJUYHW5L8x5W4zV93XzEj+We\/wKjUyP\nN\/X9ufnNTw3UlLJbUK2FjAJbtBWWeRbr1JkkoNtKZ9sLz39gAYQyYlIH18e7yjWu\nLNDx8\/VeysOwCVMIm1xP2zqMs0812GCLKOYniSq8INsskkjp4g4a4h0G\/2EXewcm\nwr9+6nOijdaeubMCAwEAAaMhMB8wHQYDVR0OBBYEFN+KLFSK+Ys6+mXUR+VFn3iG\nhKiCMA0GCSqGSIb3DQEBCwUAA4IBAQAIj0RZ6Kh4ls5pggcSAf2w9WWvOABuT1ig\nSgGMbZncBJU078ABy0XfvsUz8XZMvVJaV\/o5THJFJtWgcA8SscABv+c32A9jd\/4M\ncyTlc3SpGXv7OT
PnkPjIAMp2i7TNoD1f2s+ZrpyK2tJI1gxMvjjeniQsPCKy0EPe\nFeu428xyN4LE6PwiC58TgbLE9K\/CNFJLrcLvcM0CdBJ+XBNW3ZxV38izWMzkaCBn\n1axcwGkerhZAsgSNr7VL14iS4xiijkNrbUoHANlLEKgaHacDwrG5uySQZDzGmFOB\n+79IF49dnrIQFpIU1jT0y88YB2Jqj1DdM9ybT559cLGQOrHFa7t0\n-----END CERTIFICATE-----"
},
"type": "roundrobin",
"keepalive_pool": {
"requests": 1000,
"size": 320,
"idle_timeout": 60
},
"hash_on": "vars",
"nodes": [{
"host": "127.0.0.1",
"priority": 0,
"weight": 1,
"port": 8090
}]
},
"methods": ["GET", "POST", "PUT", "DELETE", "PATCH", "HEAD", "OPTIONS", "CONNECT", "TRACE"],
"name": "getUser",
"update_time": 1646015063,
"id": "395051487660606160",
"uri": "\/test\/getUser",
"create_time": 1645667677,
"status": 1
}
}
}
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1056339252
> > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > 404 {"message":"Key not found"}
>
> You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
The problem was solved. Now it is:
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.crt ./client.key
400
{"error_msg":"failed to decrypt previous encrypted key"}
[GitHub] [apisix] zhukexingkong removed a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong removed a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057621767
> I reproduced. You should delete the first paragraph of the client.key. like this:
>
> ```
> Bag Attributes
> friendlyName: client
> localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
> Key Attributes: <No Attributes>
> ```
>
> And then, upload the file.
Error reporting is back to square one.
When I modified the client.key, the following error occurred. If config.yaml needs to be modified when upstream enables TLS, I will do so, but the official document does not seem to indicate that config.yaml needs to be modified for upstream TLS.
Note: the system is centos7
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396921614249231056 ./client.pem ./client.key
404
{"message":"Key not found"}
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057615774
> > > > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > > > 404 {"message":"Key not found"}
> > >
> > >
> > > You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
> >
> >
> > The problem was solved. Now it is: [root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.pem ./client.key 400 {"error_msg":"failed to decrypt previous encrypted key"}
>
> How did you solve it? Could you share your solution?
The upstream did not exist; just create an upstream in the APISIX Dashboard and get its ID.
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1056336485
@tzssangglass
1. The certificate and key are ok. The verification is as follows:
[root@2d8f65f7ad67 tlsDir]# openssl x509 -in client.pem -pubkey -noout -outform pem | sha256sum
2ec0f9b02e96d824bc1c63179deacaea98320d9f94747070a5e0307a9c96ba1c -
[root@2d8f65f7ad67 tlsDir]# openssl pkey -in client.key -pubout -outform pem | sha256sum
2ec0f9b02e96d824bc1c63179deacaea98320d9f94747070a5e0307a9c96ba1c -
2. I uploaded the certificate and the key to GitHub; you can use the admin API to test and see if you can reproduce:
https://github.com/zhukexingkong/SpringTest/tree/master/firstApplication/src/main/java/com/learn/apisixtls
3. I generated the certificate and key using the following command:
<server>
keytool -genkey -alias server -keyalg RSA -keystore server.p12 -validity 360 -storepass 123456 -storetype PKCS12 -keysize 2048 -dname "CN=localhost, OU=localhost, O=localhost, L=CD, ST=CD, C=CN"
<client>
keytool -genkey -alias client -keyalg RSA -keystore client.p12 -validity 360 -storepass 123456 -storetype PKCS12 -keysize 2048 -dname "CN=client, OU=client, O=client, L=CD, ST=CD, C=CN"
p12 to cer:
keytool -keystore client.p12 -export -alias client -file client.cer
Server trusts client certificates:
keytool -import -file client.cer -keystore server.p12
View the server key list:
keytool -list -keystore server.p12 -storepass 123456 -storetype PKCS12
p12 to key:
openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key
p12 to crt:
openssl pkcs12 -in client.p12 -nokeys -out client.crt
crt to pem:
openssl x509 -in client.crt -out client.pem -outform PEM
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1056339252
> > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > 404 {"message":"Key not found"}
>
> You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
The problem was solved. Now it is:
{"error_msg":"failed to decrypt previous encrypted key"}
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049417593
@tokers When I query the route list after creating a route in Dashboard, the error.log of Dashboard shows the following information:
2022-02-24T09:55:32.577+0800 WARN store/store.go:154 data not found by key: 396174040680628944
[GitHub] [apisix] tzssangglass commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049423844
Can you organize the reproduction steps?
From your description, I found a mix of admin-api and APISIX Dashboard, which I'm not sure how to reproduce.
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057759913
I noticed that client.key was also displayed as an encrypted string in the APISIX Dashboard, but if I pasted in the original contents of client.key, it could also succeed.
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057625905
> I reproduced. You should delete the first paragraph of the client.key. like this:
>
> ```
> Bag Attributes
> friendlyName: client
> localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
> Key Attributes: <No Attributes>
> ```
>
> And then, upload the file.
After I modified the client.key, this is the result. The question is back to square one: the returned client key is inconsistent with the client.key:
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.pem ./client.key
201
{"node":{"key":"\/apisix\/upstreams\/396932008539849406","value":{"service_name":"resource-service","hash_on":"vars","create_time":1646119513,"update_time":1646278754,"keepalive_pool":{"idle_timeout":60,"requests":1000,"size":320},"pass_host":"pass","scheme":"https","id":"396932008539849406","timeout":{"send":6,"read":6,"connect":6},"name":"TLSU","discovery_type":"nacos","tls":
{"client_key":"YnwwDKc5vNzo0OU4StTRQbwgCnTZ3dmYiBFm8aGnvTwyAh+Rz4EWXpJif7colyUhItBIvm962vfX5Me9G9WPJ7iM6UZHWEQx+9ZRQzJHIW8bk4p6790cHQXWM7KhuL2tThtkkjnPSC1ZSOHHZOuIu6cQoXSHc6QxmLnLHluRiZxEhpYbqLhFYDBOoO\/0pwcveMNS71Ccf7YVKIfcNtlFX9HYY+5ORcMAAdaZpEyNci1xjWFI7nJK3UvUy+Nv\/fJI0pDX14Vfy1NeSEsnGIp1pBq+hRhkEvnkEoY7+du94Gh7brlWCBFGnp64PD6iMzwuLJWr29V8n\/7OFkkzLyZzvPEQIrP490C37qcguSelFSMBP\/uwBCYdZnh5sIRloBqdMyTZuzvHOLbP6lKOF8EzrNmYlQbjLwvzTD1dlu1K4164xH0fhhrFF9RGq4NlKyepngu0XsAsVLGGp7MOzIGoa4PrDVLCU67QNrxmBvogQUFZP7Z4t2kab+gQcqEI8SYjY+ILmvbVv\/EEkS2QWAh\/ogwouylpHcfTAjvTYC1C1yMXRFDGeBWmmgohVmOlL3Tup\/mDaegV9LV6GFDa3\/Or\/Q0sZNR45+Obc5dLmS97wLLvsxcgFQU8OKrr\/1mZNefvMIm\/f7zlbm08VLGDhtWiHlIcTp468xHfY2YaDvimwDGK44qrtfe8aFD7qH\/H1e2nhIy6gbw6kWx0sfEPTSBns34Jhm1cz+Nmu22cIQ2U2N+AnoFEz7E4w0yovi+du+ajLNHqgZjU75e0dCRYN6Zx0D6AxI4L2qO6+HdvhlPDjDhIwcmFAlxZKp+pQWEPIkHJxa5mQ9pGlQ\/SdvWUCTY0bLUk+93Qkzy6JbY0qfpt34CE9\/bJcZC6lY\/ln3L\/JUW2hj2cGUc7MNwy2RscwH71z6fscpXGPAdX6WI9chuCGEZWXGDf58oWPoUmEqn4kZBfEBUk
jjg7mjvlXqSTQGFciBlWX\/d6\/dKDCEN5sN0jy5A96uDgDsle6sttsDwptyZShWPi+Fj9\/JXGSPflp42GU0igLNxnGy855XT5cJlyWQUtFUHA7bmKiyrbR1hFkNOxploZK+bt0fJYxlShQaHnusxOFuOpjvDxSSBq\/+7ktmCxp57p4BdzcYTsIKUWFfc3IslJWv5MaHJVaWjJ8LDIc+KA+bhzzRhtJUAora9CHr2k0tRB0m9MfzT+gyOBGSxTiHjaUyQR5D0ulTc4BoESn0vXg95XHljc2RA13l7doIsJD19to5s8YdxuzpqJNHQNPvYEuOtkfM0S5LkslpAxIyEFQWiTHeDOwR6WwKaTVDtZI8sSPDaa8xWcUrSo1kl1Hu2iWNad\/P8cQ\/11cdJ1zlkpAJ8JH6xeeo3uC8rMwoctini30PwdABHnu9lWh+WZ6bSXDIUc3c3qJpeeSztnTh4CU+ZzliwNCiQ6DLqK2M8Uy6x8HFeQ2cODvE7iqOdhwDInRPvY+8OSi3gTP2KIBOoGNkXmQqgWd65R8yAi004j3Sgt37SujmOSdcvtE4MtPWrAg2xvXq3lna0W+gREGOEYmS7uwqm7rmnoLc7\/KLCDsNWdt+\/HqSScMPHlbg+drrsOF+QJ3SQWMxB8mB4Jt1K1C0S43RKuVAhU96V16wd\/bCamxDvd6Mx7M4WxM2SLGnHqjMyFcC5mElD3Aa9\/CZ+TEfgNmdyIT2EMSpuucIQriIppN7NMcsQddchiB1l4Mqe4kweQVk21XwG\/eLKcdWFtrZ4Kbcwpt4wjESbBBUgQLwVITVr+2MiSAwMRVkRdxJvTlhdy8Ot6Utv4obRY5WseZCFFg9lm\/uj4gw79H9dvg6B1vu5i4NFYYXKfYZ0kyQ3bMHaSmUHUx2UfysZdf5mxa04v4LhNYjaHhjd3mO7dKAwcwt\/UvHU76umTbLVB9jZmFSkS+PFDg4vBFK+f6hK8FXmt
D\/QCVABQaFfUX0GBpatr43lIf0drisIIYfu7Oj1sFFRgUJWVqNxznQKQZY9u4M\/32q4dCEGz8bP4bbDGe8+iNOuKSPq2VcpTpxNzdZdyAHYdYCzFGoVmMBjw0q\/vcRHZStP6BeAC0Tv2ucZtHTKSf3mMpT5t9jbYPBPaUDhS+R41i4etN2VFh6ovoj+2WPrMJ0jygxREaaeudwgoGrvWeR6FxB78SXhhCBk8hN5YdRAaAZtsDKg6iL2G52TeIvuykeNMlbqd4ITUYT0T0fBNbgYeE96l7ZKyH0P4xWjxJPTug3elCVOnm7g1UM0hKygxZJpilNs3FfBGnQ0=",
"client_cert":"-----BEGIN CERTIFICATE-----\nMIIDUzCCAjugAwIBAgIEE5RMajANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDMwMTA3MTAzNVoX\nDTIzMDIyNDA3MTAzNVowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIEGlxi0\nvFrEUFJQTiqiJNQUuj0RJ2y0NJB7tVSXjG6ujBygucAO9B1rUL5NJ1lx8Uz\/DIwH\nLogb4QfNoV5i+AltvIESs60EB818KKBFgdsNUlXGDc3Jq7Z3B30OMOc1es6WSrDJ\nODQwl6iyD+kNjsUuVciDv9K\/36gqAMFMKQEULegV3Wzb3F9hJ92p6SAwG7+HqszT\nc0amEbCr9NRBAykVj7dvly4dTaLnkLkvQ66d38d9+n2k4KdLwtkTe\/gNnE98Ppdy\neJdgz3b3cg7rNYjpsU6jDbP8RwgUnFV9VjpEqvmb+XL7c1jaBtYOwIeGQedmBMx0\nnSNTv1\/XwGuHLCECAwEAAaMhMB8wHQYDVR0OBBYEFOu6GZvXCzoq06KrSD6nrh4n\nAVf5MA0GCSqGSIb3DQEBCwUAA4IBAQAOfBB3szjT6mTWjVkWVTi1Ul34lcGspIDH\ni0ZmeZJyD+zA0NOAPVUFhHjq0tw8Ns19L4OD+yRyZB+k\/8QIROoDG0RjOrFzP7oE\nMl0d3A08ot4qmnVcd7L0ea
b1QxGP1PPHm1a7F51gUoCPEYdNVOPmTFgfbE6i\/4Gh\n0oB8\/6ZFB9t2QAWrmfzjyM\/CEx3j53h4hcOYiqp7sw7zXPKuYJTpLXj4aZ8mVLF7\nwXuu+I3UQvAOJjssDJ05+WEFerDNlOLryV3QVrVDQW7hYfnmguVc59Fd1OKPirP3\noZ3fyrYEQQN0XOoPT1L+CYPNjY+h9lvGF4QHUr654diXtCFOh8gy\n-----END CERTIFICATE-----\n"},"discovery_args":{"group_name":"test_group","namespace_id":"test"},"type":"roundrobin"}},"action":"compareAndSwap"}
[root@2d8f65f7ad67 tlsDir]# cat client.key
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049437407
1. Prepare a Spring Boot service
2. Enable TLS, prepare server.p12 and client.p12, and use client.p12 to generate client.cer; server.p12 trusts client.cer
3. Enable TLS in the Spring Boot configuration:
server:
  port: 8090
  ssl:
    ## Server-side configuration
    key-store-type: PKCS12
    key-store: classpath:key/server.p12
    key-store-password: 123456
    key-alias: server
    protocol: TLS
    enabled-protocols: TLSv1.2
    ## Client-side configuration
    client-auth: NEED
    trust-store: classpath:key/server.p12
    trust-store-password: 123456
    trust-store-type: JKS
    trust-store-provider: SUN
Reference: < https://blog.csdn.net/BlackButton_CC/article/details/99956259 >
4. Create a route using the admin API. For details, see the problem description; the above problem will then recur.
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049437407
1. Prepare a Spring Boot service
2. Enable TLS, prepare server.p12 and client.p12, and use client.p12 to generate client.cer; server.p12 trusts client.cer
3. Enable TLS in the Spring Boot configuration:
server:
  port: 8090
  ssl:
    # Server-side configuration
    key-store-type: PKCS12
    key-store: classpath:key/server.p12
    key-store-password: 123456
    key-alias: server
    protocol: TLS
    enabled-protocols: TLSv1.2
    # Client-side configuration
    client-auth: NEED
    trust-store: classpath:key/server.p12
    trust-store-password: 123456
    trust-store-type: JKS
    trust-store-provider: SUN
Reference: < https://blog.csdn.net/BlackButton_CC/article/details/99956259 >
4. Create a route using the admin API. For details, see the problem description; the above problem will then recur.
[GitHub] [apisix] tzssangglass commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055171499
Can you upload successfully with the py scripts and certs of the official test cases?
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1056336485
@tzssangglass
1. The certificate and key are OK. The verification is as follows:
[root@2d8f65f7ad67 tlsDir]# openssl x509 -in client.pem -pubkey -noout -outform pem | sha256sum
2ec0f9b02e96d824bc1c63179deacaea98320d9f94747070a5e0307a9c96ba1c -
[root@2d8f65f7ad67 tlsDir]# openssl pkey -in client.key -pubout -outform pem | sha256sum
2ec0f9b02e96d824bc1c63179deacaea98320d9f94747070a5e0307a9c96ba1c -
2. I uploaded the certificate and the key to GitHub; you can use the admin API to test and see if you can reproduce:
https://github.com/zhukexingkong/SpringTest/tree/master/firstApplication/src/main/java/com/learn/apisixtls
3. I generated the certificate and key using the following commands:
#server
keytool -genkey -alias server -keyalg RSA -keystore server.p12 -validity 360 -storepass 123456 -storetype PKCS12 -keysize 2048 -dname "CN=localhost, OU=localhost, O=localhost, L=CD, ST=CD, C=CN"
#client
keytool -genkey -alias client -keyalg RSA -keystore client.p12 -validity 360 -storepass 123456 -storetype PKCS12 -keysize 2048 -dname "CN=client, OU=client, O=client, L=CD, ST=CD, C=CN"
p12 to cer:
keytool -keystore client.p12 -export -alias client -file client.cer
Server trusts client certificates:
keytool -import -file client.cer -keystore server.p12
View the server key list:
keytool -list -keystore server.p12 -storepass 123456 -storetype PKCS12
p12 to key:
openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key
p12 to crt:
openssl pkcs12 -in client.p12 -nokeys -out client.crt
crt to pem:
openssl x509 -in client.crt -out client.pem -outform PEM
[GitHub] [apisix] tokers commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1056710422
> > > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > > 404 {"message":"Key not found"}
> >
> >
> > You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
>
> The problem was solved. Now it is: [root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.pem ./client.key 400 {"error_msg":"failed to decrypt previous encrypted key"}
How did you solve it? Could you share your solution?
[GitHub] [apisix] tzssangglass commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055005166
> @bzp2010 After I configure TLS configuration for the route, the following error occurs when I access the route through APISIX, it is APISIX's error.log: 2022/03/01 11:20:39 [error] 25702#25702: *9204101 [lua] init.lua:520: http_access_phase(): failed to set upstream: need to build APISIX-OpenResty to support upstream mTLS, client: ::1, server: _, request: "GET /test/getUser?id=1 HTTP/1.1", host: "localhost:9080"
see: https://github.com/apache/apisix/discussions/4919#discussioncomment-1871921
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1054978339
@tokers
It is mTLS between APISIX and the upstream. How do I configure config.yaml? I referred to the official document and used patch_upstream_mtls.py, and the error is as follows:
Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
404
{"message":"Key not found"}
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055048279
@tzssangglass
1. This is the client key. I accessed the local service directly in the browser, which can do TLS authentication, but it failed in APISIX.
2. I created an upstream and then used the upstream's ID for TLS creation,
command: python ./patch_upstream_mtls.py 396921614249231056 ./client.pem ./client.key
return:
{"error_msg":"failed to decrypt previous encrypted key"}
3. Why are the key and certificate correct, but APISIX reports an error?
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057615774
> > > > @tokers It is mTLS Between APISIX and Upstream, how do I config config.yaml? And I refer to the official document to use patch_upstream_mtls.py, and the error is as follows : Refer: https://apisix.apache.org/docs/apisix/mtls/#mtls-between-apisix-and-upstream
> > > > 404 {"message":"Key not found"}
> > >
> > >
> > > You can check out this: https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L147.
> >
> >
> > The problem was solved. Now it is: [root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.pem ./client.key 400 {"error_msg":"failed to decrypt previous encrypted key"}
>
> How did you solve it? Could you share your solution?
OpenResty cannot be successfully installed on Ubuntu using the yum command. I used CentOS 7 directly.
[GitHub] [apisix] zhukexingkong closed issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong closed issue #6429:
URL: https://github.com/apache/apisix/issues/6429
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057625905
> I reproduced. You should delete the first paragraph of the client.key. like this:
>
> ```
> Bag Attributes
> friendlyName: client
> localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
> Key Attributes: <No Attributes>
> ```
>
> And then, upload the file.
After I modified the client.key, this is the result. The problem is back to square one: the returned client key is inconsistent with the client.key:
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396932008539849406 ./client.crt ./client.key
201
{"node":{"key":"\/apisix\/upstreams\/396932008539849406","value":{"service_name":"resource-service","hash_on":"vars","type":"roundrobin","update_time":1646277329,"keepalive_pool":{"idle_timeout":60,"requests":1000,"size":320},"pass_host":"pass","scheme":"https","name":"TLSU","timeout":{"send":6,"read":6,"connect":6},"id":"396932008539849406","discovery_type":"nacos","tls":
{"client_key":"YnwwDKc5vNzo0OU4StTRQbwgCnTZ3dmYiBFm8aGnvTwyAh+Rz4EWXpJif7colyUhItBIvm962vfX5Me9G9WPJ7iM6UZHWEQx+9ZRQzJHIW8bk4p6790cHQXWM7KhuL2tThtkkjnPSC1ZSOHHZOuIu6cQoXSHc6QxmLnLHluRiZxEhpYbqLhFYDBOoO\/0pwcveMNS71Ccf7YVKIfcNtlFX9HYY+5ORcMAAdaZpEyNci1xjWFI7nJK3UvUy+Nv\/fJI0pDX14Vfy1NeSEsnGIp1pBq+hRhkEvnkEoY7+du94Gh7brlWCBFGnp64PD6iMzwuLJWr29V8n\/7OFkkzLyZzvPEQIrP490C37qcguSelFSMBP\/uwBCYdZnh5sIRloBqdMyTZuzvHOLbP6lKOF8EzrNmYlQbjLwvzTD1dlu1K4164xH0fhhrFF9RGq4NlKyepngu0XsAsVLGGp7MOzIGoa4PrDVLCU67QNrxmBvogQUFZP7Z4t2kab+gQcqEI8SYjY+ILmvbVv\/EEkS2QWAh\/ogwouylpHcfTAjvTYC1C1yMXRFDGeBWmmgohVmOlL3Tup\/mDaegV9LV6GFDa3\/Or\/Q0sZNR45+Obc5dLmS97wLLvsxcgFQU8OKrr\/1mZNefvMIm\/f7zlbm08VLGDhtWiHlIcTp468xHfY2YaDvimwDGK44qrtfe8aFD7qH\/H1e2nhIy6gbw6kWx0sfEPTSBns34Jhm1cz+Nmu22cIQ2U2N+AnoFEz7E4w0yovi+du+ajLNHqgZjU75e0dCRYN6Zx0D6AxI4L2qO6+HdvhlPDjDhIwcmFAlxZKp+pQWEPIkHJxa5mQ9pGlQ\/SdvWUCTY0bLUk+93Qkzy6JbY0qfpt34CE9\/bJcZC6lY\/ln3L\/JUW2hj2cGUc7MNwy2RscwH71z6fscpXGPAdX6WI9chuCGEZWXGDf58oWPoUmEqn4kZBfEBUk
jjg7mjvlXqSTQGFciBlWX\/d6\/dKDCEN5sN0jy5A96uDgDsle6sttsDwptyZShWPi+Fj9\/JXGSPflp42GU0igLNxnGy855XT5cJlyWQUtFUHA7bmKiyrbR1hFkNOxploZK+bt0fJYxlShQaHnusxOFuOpjvDxSSBq\/+7ktmCxp57p4BdzcYTsIKUWFfc3IslJWv5MaHJVaWjJ8LDIc+KA+bhzzRhtJUAora9CHr2k0tRB0m9MfzT+gyOBGSxTiHjaUyQR5D0ulTc4BoESn0vXg95XHljc2RA13l7doIsJD19to5s8YdxuzpqJNHQNPvYEuOtkfM0S5LkslpAxIyEFQWiTHeDOwR6WwKaTVDtZI8sSPDaa8xWcUrSo1kl1Hu2iWNad\/P8cQ\/11cdJ1zlkpAJ8JH6xeeo3uC8rMwoctini30PwdABHnu9lWh+WZ6bSXDIUc3c3qJpeeSztnTh4CU+ZzliwNCiQ6DLqK2M8Uy6x8HFeQ2cODvE7iqOdhwDInRPvY+8OSi3gTP2KIBOoGNkXmQqgWd65R8yAi004j3Sgt37SujmOSdcvtE4MtPWrAg2xvXq3lna0W+gREGOEYmS7uwqm7rmnoLc7\/KLCDsNWdt+\/HqSScMPHlbg+drrsOF+QJ3SQWMxB8mB4Jt1K1C0S43RKuVAhU96V16wd\/bCamxDvd6Mx7M4WxM2SLGnHqjMyFcC5mElD3Aa9\/CZ+TEfgNmdyIT2EMSpuucIQriIppN7NMcsQddchiB1l4Mqe4kweQVk21XwG\/eLKcdWFtrZ4Kbcwpt4wjESbBBUgQLwVITVr+2MiSAwMRVkRdxJvTlhdy8Ot6Utv4obRY5WseZCFFg9lm\/uj4gw79H9dvg6B1vu5i4NFYYXKfYZ0kyQ3bMHaSmUHUx2UfysZdf5mxa04v4LhNYjaHhjd3mO7dKAwcwt\/UvHU76umTbLVB9jZmFSkS+PFDg4vBFK+f6hK8FXmt
D\/QCVABQaFfUX0GBpatr43lIf0drisIIYfu7Oj1sFFRgUJWVqNxznQKQZY9u4M\/32q4dCEGz8bP4bbDGe8+iNOuKSPq2VcpTpxNzdZdyAHYdYCzFGoVmMBjw0q\/vcRHZStP6BeAC0Tv2ucZtHTKSf3mMpT5t9jbYPBPaUDhS+R41i4etN2VFh6ovoj+2WPrMJ0jygxREaaeudwgoGrvWeR6FxB78SXhhCBk8hN5YdRAaAZtsDKg6iL2G52TeIvuykeNMlbqd4ITUYT0T0fBNbgYeE96l7ZKyH0P4xWjxJPTug3elCVOnm7g1UM0hKygxZJpilNs3FfBGnQ0=",
"client_cert":"Bag Attributes\n friendlyName: client\n localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31 \nsubject=\/C=CN\/ST=CD\/L=CD\/O=client\/OU=client\/CN=client\nissuer=\/C=CN\/ST=CD\/L=CD\/O=client\/OU=client\/CN=client\n-----BEGIN CERTIFICATE-----\nMIIDUzCCAjugAwIBAgIEE5RMajANBgkqhkiG9w0BAQsFADBaMQswCQYDVQQGEwJD\nTjELMAkGA1UECBMCQ0QxCzAJBgNVBAcTAkNEMQ8wDQYDVQQKEwZjbGllbnQxDzAN\nBgNVBAsTBmNsaWVudDEPMA0GA1UEAxMGY2xpZW50MB4XDTIyMDMwMTA3MTAzNVoX\nDTIzMDIyNDA3MTAzNVowWjELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkNEMQswCQYD\nVQQHEwJDRDEPMA0GA1UEChMGY2xpZW50MQ8wDQYDVQQLEwZjbGllbnQxDzANBgNV\nBAMTBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAIEGlxi0\nvFrEUFJQTiqiJNQUuj0RJ2y0NJB7tVSXjG6ujBygucAO9B1rUL5NJ1lx8Uz\/DIwH\nLogb4QfNoV5i+AltvIESs60EB818KKBFgdsNUlXGDc3Jq7Z3B30OMOc1es6WSrDJ\nODQwl6iyD+kNjsUuVciDv9K\/36gqAMFMKQEULegV3Wzb3F9hJ92p6SAwG7+HqszT\nc0amEbCr9NRBAykVj7dvly4dTaLnkLkvQ66d38d9+n2k4KdLwtkTe\/gNnE98Ppdy\neJdgz3b3cg7rNYjpsU6jDbP8RwgUnFV9VjpEqvmb+XL7c1jaBtYOw
IeGQedmBMx0\nnSNTv1\/XwGuHLCECAwEAAaMhMB8wHQYDVR0OBBYEFOu6GZvXCzoq06KrSD6nrh4n\nAVf5MA0GCSqGSIb3DQEBCwUAA4IBAQAOfBB3szjT6mTWjVkWVTi1Ul34lcGspIDH\ni0ZmeZJyD+zA0NOAPVUFhHjq0tw8Ns19L4OD+yRyZB+k\/8QIROoDG0RjOrFzP7oE\nMl0d3A08ot4qmnVcd7L0eab1QxGP1PPHm1a7F51gUoCPEYdNVOPmTFgfbE6i\/4Gh\n0oB8\/6ZFB9t2QAWrmfzjyM\/CEx3j53h4hcOYiqp7sw7zXPKuYJTpLXj4aZ8mVLF7\nwXuu+I3UQvAOJjssDJ05+WEFerDNlOLryV3QVrVDQW7hYfnmguVc59Fd1OKPirP3\noZ3fyrYEQQN0XOoPT1L+CYPNjY+h9lvGF4QHUr654diXtCFOh8gy\n-----END CERTIFICATE-----\n"},"discovery_args":{"namespace_id":"test","group_name":"test_group"},"create_time":1646119513}},"action":"compareAndSwap"}
[root@2d8f65f7ad67 tlsDir]# cat client.key
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049437407
@tzssangglass
1. Prepare a Spring Boot service
2. Enable TLS, prepare server.p12 and client.p12, and use client.p12 to generate client.cer; server.p12 trusts client.cer
3. Enable TLS in the Spring Boot configuration:
server:
  port: 8090
  ssl:
    key-store-type: PKCS12
    key-store: classpath:key/server.p12
    key-store-password: 123456
    key-alias: server
    protocol: TLS
    enabled-protocols: TLSv1.2
    client-auth: NEED
    trust-store: classpath:key/server.p12
    trust-store-password: 123456
    trust-store-type: JKS
    trust-store-provider: SUN
Reference: < https://blog.csdn.net/BlackButton_CC/article/details/99956259 >
4. Create a route using the admin API. For details, see the problem description; the above problem will then recur.
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049437407
@tzssangglass
1. Prepare a Spring Boot service
2. Enable TLS, prepare server.p12 and client.p12, and use client.p12 to generate client.cer; server.p12 trusts client.cer
3. Enable TLS in the Spring Boot configuration:
server:
  port: 8090
  ssl:
    key-store-type: PKCS12
    key-store: classpath:key/server.p12
    key-store-password: 123456
    key-alias: server
    protocol: TLS
    enabled-protocols: TLSv1.2
    client-auth: NEED
    trust-store: classpath:key/server.p12
    trust-store-password: 123456
    trust-store-type: JKS
    trust-store-provider: SUN
Reference: < https://blog.csdn.net/BlackButton_CC/article/details/99956259 >
4. Create a route using the admin API. For details, see the Issue description; the above problem will then recur.
[GitHub] [apisix] tokers commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049673295
> @tokers When I query the route list after creating a route in Dashboard, the error. Log of Dashboard shows the following information: 2022-02-24T09:55:32.577+0800 WARN store/store.go:154 data not found by key: 396174040680628944
@bzp2010 Please take a look when you have time, I'm not sure whether this error will cause the `500 Internal Error`.
[GitHub] [apisix] tzssangglass commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1049860469
> 4\. Create a route using the admin API. For details, see the Issue description, the above problem will then recur.
Are you sure the route you found on the dashboard is the one you set up via admin-api? It looks like it's two.
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057621767
> I reproduced. You should delete the first paragraph of the client.key. like this:
>
> ```
> Bag Attributes
> friendlyName: client
> localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
> Key Attributes: <No Attributes>
> ```
>
> And then, upload the file.
Error reporting is back to square one.
When I modified the client.key, the following error occurred. If config.yaml needs to be modified when the upstream enables TLS, I will do so, but the official document does not seem to indicate that config.yaml needs to be modified for upstream TLS.
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396921614249231056 ./client.pem ./client.key
404
{"message":"Key not found"}
[GitHub] [apisix] soulbird commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
soulbird commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057641504
Yes, but this does not affect the establishment of connections with the upstream. In fact, if the file format of the client key is `pem`, we encrypt it when we save the config to ETCD, for safety considerations. We still use the original client key when establishing a connection with the upstream. As you see, the `client_key` in the response is inconsistent with the original client.key.
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1054975771
I installed it from source code, on Ubuntu.
[GitHub] [apisix] zhukexingkong commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055052516
I used the following command to build APISIX-OpenResty, and it succeeded:
sudo yum install -y https://repos.apiseven.com/packages/centos/apache-apisix-repo-1.0-1.noarch.rpm
[GitHub] [apisix] bzp2010 commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
bzp2010 commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1053972964
Hi, @zhukexingkong
I repeat, these are the APISIX Dashboard logs, not APISIX's, and this error does not cause an error to be reported. You need to provide APISIX's log.
```text
2022-02-28T10:26:57.004+0800 WARN store/store.go:154 data not found by key: 395051487660606160
```
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1056336485
@tzssangglass
1. The certificate and key are OK. The verification is as follows:
[root@2d8f65f7ad67 tlsDir]# openssl x509 -in client.pem -pubkey -noout -outform pem | sha256sum
2ec0f9b02e96d824bc1c63179deacaea98320d9f94747070a5e0307a9c96ba1c -
[root@2d8f65f7ad67 tlsDir]# openssl pkey -in client.key -pubout -outform pem | sha256sum
2ec0f9b02e96d824bc1c63179deacaea98320d9f94747070a5e0307a9c96ba1c -
2. I uploaded the certificate and the key to GitHub; you can use the admin API to test and see if you can reproduce:
https://github.com/zhukexingkong/SpringTest/tree/master/firstApplication/src/main/java/com/learn/apisixtls
3. I generated the certificate and key using the following commands:
-server
keytool -genkey -alias server -keyalg RSA -keystore server.p12 -validity 360 -storepass 123456 -storetype PKCS12 -keysize 2048 -dname "CN=localhost, OU=localhost, O=localhost, L=CD, ST=CD, C=CN"
-client
keytool -genkey -alias client -keyalg RSA -keystore client.p12 -validity 360 -storepass 123456 -storetype PKCS12 -keysize 2048 -dname "CN=client, OU=client, O=client, L=CD, ST=CD, C=CN"
p12 to cer:
keytool -keystore client.p12 -export -alias client -file client.cer
Server trusts client certificates:
keytool -import -file client.cer -keystore server.p12
View the server key list:
keytool -list -keystore server.p12 -storepass 123456 -storetype PKCS12
p12 to key:
openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key
p12 to crt:
openssl pkcs12 -in client.p12 -nokeys -out client.crt
crt to pem:
openssl x509 -in client.crt -out client.pem -outform PEM
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1055048279
@tzssangglass
1. This is the client key, I accessed the local service directly in the browser, which can do TLS authentication, but failed in APISIX.
2. I created upstream and then used upstream's ID for TLS creation,
command: python ./patch_upstream_mtls.py 396921614249231056 ./client.pem ./client.key
return:
{"error_msg":"failed to decrypt previous encrypted key"}
APISIX error.log:
2022/03/01 07:36:21 [error] 3002#3002: *198878674 [lua] ssl.lua:92: aes_decrypt_pkey(): base64 decode ssl key failed. key[Bag Attributes
friendlyName: client
localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
[key body omitted]
-----END PRIVATE KEY-----
] , client: 127.0.0.1, server: _, request: "PATCH /apisix/admin/upstreams/396932008539849406 HTTP/1.1", host: "127.0.0.1:9080"
3. Why are the key and certificate correct, but APISIX reports an error?
[GitHub] [apisix] zhukexingkong edited a comment on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
zhukexingkong edited a comment on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057621767
> I reproduced. You should delete the first paragraph of the client.key. like this:
>
> ```
> Bag Attributes
> friendlyName: client
> localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31
> Key Attributes: <No Attributes>
> ```
>
> And then, upload the file.
Error reporting is back to square one.
When I modified the client.key, the following error occurred. If config.yaml needs to be modified when upstream TLS is enabled, I will do so, but the official documentation does not seem to indicate that config.yaml needs to be modified for upstream TLS.
Note: the system is CentOS 7
[root@2d8f65f7ad67 tlsDir]# python ./patch_upstream_mtls.py 396921614249231056 ./client.pem ./client.key
404
{"message":"Key not found"}
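The `Bag Attributes` preamble that `openssl pkcs12 -nocerts -nodes` writes ahead of the key, which the quoted reply says to delete, can be stripped with a script before the key is sent to the admin API. The following is an added example, not code from this thread or from APISIX; the function names are hypothetical and the sample key body is constructed placeholder bytes.

```python
import base64
import re

# One PEM block; the label (e.g. "PRIVATE KEY") must agree in both markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----",
    re.DOTALL,
)


def extract_pem_blocks(text):
    """Return [(label, pem)] for each PEM block, dropping text outside the markers."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        b64 = "".join(body.split())
        base64.b64decode(b64, validate=True)  # raises if the body is not base64
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        pem = "\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]
        ) + "\n"
        blocks.append((label, pem))
    return blocks


def clean_private_key(text):
    """Return the single private-key block with any surrounding text removed."""
    keys = [pem for label, pem in extract_pem_blocks(text)
            if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    return keys[0]


# Constructed sample: the preamble is the one quoted in the thread; the body is
# placeholder bytes, not a real key.
FAKE_BODY = base64.b64encode(b"constructed placeholder, not key material" * 3).decode()
SAMPLE = (
    "Bag Attributes\n"
    "    friendlyName: client\n"
    "    localKeyID: 54 69 6D 65 20 31 36 34 36 31 31 38 36 33 35 38 32 31\n"
    "Key Attributes: <No Attributes>\n"
    "-----BEGIN PRIVATE KEY-----\n"
    + FAKE_BODY + "\n"
    "-----END PRIVATE KEY-----\n"
)
```

Calling `clean_private_key(SAMPLE)` returns only the `-----BEGIN PRIVATE KEY-----` block, re-wrapped at 64 characters per line; input with no key block, or with more than one, raises `ValueError` instead of passing ambiguous material on.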
[GitHub] [apisix] soulbird commented on issue #6429: request help: A TLS API is routed, but the Client Key is different from the original one
Posted by GitBox <gi...@apache.org>.
soulbird commented on issue #6429:
URL: https://github.com/apache/apisix/issues/6429#issuecomment-1057763061
> I noticed that client.key was also displayed as an encrypted string in the APISIX Dashboard, but if I paste the original contents of client.key into the APISIX Dashboard, it also succeeds.
Yes, we can identify and parse out the original certificate.