Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/12/14 08:34:40 UTC

[GitHub] [apisix] liyin37 opened a new issue #3037: after configuring the SSL, log error

liyin37 opened a new issue #3037:
URL: https://github.com/apache/apisix/issues/3037


   2020/12/14 07:41:54 [error] 50#50: *40483 [lua] init.lua:180: http_ssl_phase(): failed to fetch ssl config: failed to fetch SSL certificate: not found, context: ssl_certificate_by_lua*, client: 10.112.0.116, server: 0.0.0.0:9443
   2020/12/14 07:41:54 [error] 49#49: *40484 [lua] init.lua:180: http_ssl_phase(): failed to fetch ssl config: failed to fetch SSL certificate: not found, context: ssl_certificate_by_lua*, client: 10.112.0.116, server: 0.0.0.0:9443
   2020/12/14 07:41:54 [error] 55#55: *40496 [lua] init.lua:180: http_ssl_phase(): failed to fetch ssl config: failed to fetch SSL certificate: not found, context: ssl_certificate_by_lua*, client: 10.112.0.116, server: 0.0.0.0:9443
   2020/12/14 07:41:54 [error] 55#55: *40497 [lua] init.lua:180: http_ssl_phase(): failed to fetch ssl config: failed to fetch SSL certificate: not found, context: ssl_certificate_by_lua*, client: 10.112.0.116, server: 0.0.0.0:9443
   
   the config.yaml is below:
   
   ``` yaml
   apisix:
     node_listen: 9080              # APISIX listening port
     enable_ipv6: false
   
     allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
       - 0.0.0.0/0              # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
   
     admin_key:
       - name: "admin"
         key: edd1c9f034335f136f87ad84b625c8f1
         role: admin                 # admin: manage all configuration data
                                     # viewer: only can view configuration data
       - name: "viewer"
         key: 4054f7cf07e344346cd3f287985e76a2
         role: viewer
     ssl:
       enable: true                  # ssl is disabled by default
                                     # enable it to use your own cert and key
       enable_http2: true
       listen_port: 9443
       ssl_trusted_certificate: /usr/local/apisix/conf/cert/ca.pem # Specifies a file path with trusted CA certificates in the PEM format
                                                   # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
                                                   # with external services (e.g. etcd)
       ssl_cert: /usr/local/apisix/conf/cert/server.pem
       ssl_cert_key: /usr/local/apisix/conf/cert/server.key
       ssl_protocols: "TLSv1.2 TLSv1.3"
       ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
       ssl_session_tickets: false              #  disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
                                               #  ref: https://github.com/mozilla/server-side-tls/issues/135
       key_encrypt_salt: "edd1c9f0985e76a2"    #  If not set, will save origin ssl key into etcd.
                                               #  If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
                                               #  !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
   etcd:
     host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
       - "http://gistack-etcd:2379"     # multiple etcd address
     prefix: "/apisix"               # apisix configurations prefix
     timeout: 30                     # 30 seconds
   ```


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] nic-chen commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
nic-chen commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745694245


   @liyin37
   Hi, how do you config your SSL?
   And what is the SSL data saved in ETCD?





[GitHub] [apisix] liyin37 commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-744325644


   apisix version: 2.1
   
   how to reproduce this issue:
   use the default examples docker-compose.yaml to deploy it
   your OS version: CentOS 7.6





[GitHub] [apisix] idbeta commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
idbeta commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745981925


   you could use `etcdctl get --prefix "/apisix/ssl"` to check if the SSL is saved into the etcd. @liyin37 
   





[GitHub] [apisix] idbeta commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
idbeta commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-746003372


   I think the reason should be your ssl certificate is not set into apisix. @liyin37





[GitHub] [apisix] idbeta edited a comment on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
idbeta edited a comment on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-746003372


   I think the reason should be your ssl certificate is not set into apisix. @liyin37
   You can see https://github.com/apache/apisix/blob/master/doc/zh-cn/admin-api.md#ssl
   It will be more convenient if you use [dashboard](https://github.com/apache/apisix-dashboard/).





[GitHub] [apisix] github-actions[bot] commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-996590392


   This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.





[GitHub] [apisix] github-actions[bot] closed issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
github-actions[bot] closed issue #3037:
URL: https://github.com/apache/apisix/issues/3037


   





[GitHub] [apisix] spacewander commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-744276474


   @liyin37
   Your client doesn't send SNI in the ClientHello. I guess it is because your client requested APISIX via IP directly. The RFC requires that the SNI should not be an IP, so in this case the client won't send the SNI.
   
   You need to provide the packet capture file of TLS handshake to confirm this.
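An offline check of the point made above, added here as an example (not code from the APISIX project or from anyone in this thread): a parser that reads the SNI extension out of a raw TLS ClientHello record, plus a small ClientHello builder used only to construct sample input. The file-path usage and the idea of exporting the first client record from a pcap with tshark or Wireshark are assumptions.

```python
"""Does a TLS ClientHello carry an SNI extension (RFC 6066)?

Added example, not code from the APISIX project or from anyone in this thread.
build_client_hello() only constructs offline sample input; on a real capture
you would pass extract_sni() the payload of the first record the client sent
(the 171-byte PSH segment in the thread's tcpdump summary), e.g. as exported
from the pcap with tshark or Wireshark (assumed workflow).
"""
import struct
import sys

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_EC_POINT_FORMATS = 0x000b


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample data)."""
    body = b"\x03\x03" + bytes(32)                 # client_version + 32-byte random
    body += b"\x00"                                 # session_id: empty
    body += b"\x00\x02\xc0\x2f"                     # one suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                             # compression_methods: null only
    # A non-SNI extension first, so the parser has to skip past it.
    exts = struct.pack("!HH", EXT_EC_POINT_FORMATS, 2) + b"\x01\x00"
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([TLS_HANDSHAKE]) + b"\x03\x01"
            + struct.pack("!H", len(handshake)) + handshake)


def extract_sni(record):
    """Return the host_name from the SNI extension, or None when there is none.

    Raises ValueError if the bytes are not a ClientHello handshake record.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # skip version and random
    pos += 1 + p[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + p[pos]                                     # compression_methods
    if pos + 2 > len(p):
        return None                                       # legacy hello without extensions
    end = pos + 2 + struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", p[pos:pos + 4])
        data = p[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype != EXT_SERVER_NAME:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= list_end:
            name_type = data[q]
            name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                            # host_name
                return name.decode("idna")
    return None


def apisix_expectation(record):
    """Relate the ClientHello to the two error.log signatures seen in this thread."""
    sni = extract_sni(record)
    if sni is None:
        return ("no SNI: APISIX cannot pick an SSL object and logs "
                "'failed to fetch SSL certificate: not found'")
    return (f"SNI {sni}: APISIX looks for an SSL object in etcd whose snis cover it; "
            f"a miss logs 'failed to find any SSL certificate by SNI: {sni}'")


if __name__ == "__main__":
    # Usage: python sni_check.py <file-with-raw-ClientHello-record-bytes>
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_client_hello(None)
    print(apisix_expectation(data))
```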





[GitHub] [apisix] liyin37 commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745170728


   @gxthrj @membphis do you have answers? Please help me, I try to use the SSL domain, but the error is the same.





[GitHub] [apisix] github-actions[bot] commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-984480703


   This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@apisix.apache.org list. Thank you for your contributions.





[GitHub] [apisix] liyin37 commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-746053486


   @spacewander
   Thanks, the SSL certificate is gisuni.dev
   ![image](https://user-images.githubusercontent.com/42507175/102336343-01bd6600-3fcc-11eb-9760-367c95bbb435.png)
   
   I use the domain to curl it:
   curl "https://gisuni.dev:9443/apisix/admin/services/" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1'
   
   the error.log is below:
   2020/12/16 10:25:39 [error] 52#52: *22348 [lua] radixtree_sni.lua:219: match_and_set(): failed to find any SSL certificate by SNI: gisuni.dev, context: ssl_certificate_by_lua*, client: 192.168.198.124, server: 0.0.0.0:9443
   2020/12/16 10:26:03 [error] 52#52: *25329 [lua] radixtree_sni.lua:219: match_and_set(): failed to find any SSL certificate by SNI: gisuni.dev, context: ssl_certificate_by_lua*, client: 192.168.198.124, server: 0.0.0.0:9443
   2020/12/16 10:26:04 [error] 53#53: *25429 [lua] radixtree_sni.lua:219: match_and_set(): failed to find any SSL certificate by SNI: gisuni.dev, context: ssl_certificate_by_lua*, client: 192.168.198.124, server: 0.0.0.0:9443
   
   I have commented out the
   # key_encrypt_salt: "edd1c9f0985e76a2"
   in config.yaml, the new config.yaml is:
   
   ```yaml
   apisix:
     node_listen: 9080              # APISIX listening port
     enable_ipv6: false
   
     allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
       - 0.0.0.0/0              # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
   
     admin_key:
       - name: "admin"
         key: edd1c9f034335f136f87ad84b625c8f1
         role: admin                 # admin: manage all configuration data
                                     # viewer: only can view configuration data
       - name: "viewer"
         key: 4054f7cf07e344346cd3f287985e76a2
         role: viewer
     router:
       http: 'radixtree_uri'         # radixtree_uri: match route by uri(base on radixtree)
                                       # radixtree_host_uri: match route by host + uri(base on radixtree)
       ssl: 'radixtree_sni'          # radixtree_sni: match route by SNI(base on radixtree)
     ssl:
       enable: true                  # ssl is disabled by default
                                     # enable it to use your own cert and key
       enable_http2: true
       listen_port: 9443
       # ssl_trusted_certificate: /usr/local/apisix/conf/cert/ca.pem # Specifies a file path with trusted CA certificates in the PEM format
                                                   # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
                                                   # with external services (e.g. etcd)
       ssl_cert: /usr/local/apisix/conf/cert/server.pem
       ssl_cert_key: /usr/local/apisix/conf/cert/server.key
       ssl_protocols: "TLSv1.2 TLSv1.3"
       ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
       ssl_session_tickets: false              #  disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
                                               #  ref: https://github.com/mozilla/server-side-tls/issues/135
       # key_encrypt_salt: "edd1c9f0985e76a2"    #  If not set, will save origin ssl key into etcd.
                                               #  If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
                                               #  !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
   etcd:
     host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
       - "http://0.0.0.0:2379"     # multiple etcd address
     prefix: "/apisix"               # apisix configurations prefix
     timeout: 30                     # 30 seconds
   ```
   
   the certificate is an nginx file





[GitHub] [apisix] spacewander commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745171328


   You need to provide the packet capture file of TLS handshake.





[GitHub] [apisix] membphis commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
membphis commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-744337246


   @gxthrj do you have time to look at this issue?





[GitHub] [apisix] liyin37 commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-744328343


   the docker-compose.yaml is:
   
   ```yaml
   version: "3"
   services:
     apisix:
       container_name: gistack-apisix
       image: apache/apisix:2.1-centos
       restart: always
       volumes:
         - /data/apisix/apisix_log:/usr/local/apisix/logs
         - $PWD/common/config/apisix_conf/config.yaml:/usr/local/apisix/conf/config.yaml:ro
         - $PWD/common/ssl:/usr/local/apisix/conf/cert:ro
       depends_on:
         - etcd
       # network_mode: host
       ports:
         - "9080:9080/tcp"
         - "9443:9443/tcp"
     etcd:
       container_name: gistack-etcd
       image: bitnami/etcd:3.4.9
       user: root
       restart: always
       volumes:
         - /data/apisix/etcd_data:/etcd_data
       environment:
         ETCD_DATA_DIR: /etcd_data
         ETCD_ENABLE_V2: "true"
         ALLOW_NONE_AUTHENTICATION: "yes"
         ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
         ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
       # network_mode: host
       ports:
         - "2379:2379/tcp"
   ```





[GitHub] [apisix] spacewander commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-746009306


   > @nic-chen @spacewander
   > the packet capture is:
   > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   > listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
   > 17:06:39.007429 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [S], seq 885285712, win 29200, options [mss 1460,sackOK,TS val 97301020 ecr 0,nop,wscale 7], length 0
   > 17:06:39.007764 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [S.], seq 2085634511, ack 885285713, win 28960, options [mss 1460,sackOK,TS val 2941101919 ecr 97301020,nop,wscale 7], length 0
   > 17:06:39.008478 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 1, win 229, options [nop,nop,TS val 97301021 ecr 2941101919], length 0
   > 17:06:39.187906 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [P.], seq 1:172, ack 1, win 229, options [nop,nop,TS val 97301200 ecr 2941101919], length 171
   > 17:06:39.188150 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 172, win 235, options [nop,nop,TS val 2941102099 ecr 97301200], length 0
   > 17:06:39.188991 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [P.], seq 1:8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 7
   > 17:06:39.189161 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [F.], seq 8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 0
   > 17:06:39.189433 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 8, win 229, options [nop,nop,TS val 97301202 ecr 2941102100], length 0
   > 17:06:39.190444 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [F.], seq 172, ack 9, win 229, options [nop,nop,TS val 97301203 ecr 2941102100], length 0
   > 17:06:39.190547 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 173, win 235, options [nop,nop,TS val 2941102102 ecr 97301203], length 0
   > 
   > config.yaml is below:
   > ssl:
   >     enable: true                  # ssl is disabled by default
   >                                   # enable it to use your own cert and key
   >     enable_http2: true
   >     listen_port: 9443
   >     ssl_trusted_certificate: /usr/local/apisix/conf/cert/ca.pem # Specifies a file path with trusted CA certificates in the PEM format
   >                                                 # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
   >                                                 # with external services (e.g. etcd)
   >     ssl_cert: /usr/local/apisix/conf/cert/server.pem
   >     ssl_cert_key: /usr/local/apisix/conf/cert/server.key
   >     ssl_protocols: "TLSv1.2 TLSv1.3"
   >     ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
   >     ssl_session_tickets: false              #  disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
   >                                             #  ref: [mozilla/server-side-tls#135](https://github.com/mozilla/server-side-tls/issues/135)
   >     key_encrypt_salt: "edd1c9f0985e76a2"    #  If not set, will save origin ssl key into etcd.
   >                                             #  If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
   >                                             #  !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
   
   This is not a packet capture file. This is a summary of each packet. You should use `tcpdump -w $filename` to get the capture file.





[GitHub] [apisix] liyin37 commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745959551


   @spacewander
   come to 192.168.198.124 connect:
   curl "https://192.168.199.232:9443/apisix/admin/services/" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1'
   curl: (35) Peer reports it experienced an internal error.
   





[GitHub] [apisix] liyin37 edited a comment on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 edited a comment on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745990801


   @idbeta
   I exec it in the etcd docker, the result is:
   root@80bea728700b:/opt/bitnami/etcd/bin# ./etcdctl get --prefix "/apisix/ssl"
   /apisix/ssl/
   init_dir
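Putting the two error signatures from this thread and this etcdctl listing together, as an added triage example (not APISIX project code and not anything posted in the thread): it classifies the error.log lines quoted earlier, parses `etcdctl get --prefix` output for SSL objects, and reports which case applies. The etcd value layout (one JSON document per `/apisix/ssl/<id>` key carrying `snis` or `sni`, with `*.` wildcard names) is an assumption about APISIX 2.x.

```python
"""Triage the two SNI error signatures seen in this thread against the SSL
objects actually stored in etcd.

Added example, not APISIX project code.  The sample error.log lines and the
etcdctl listing are copied from the thread; the etcd value layout (one JSON
object per key below /apisix/ssl/ with a "snis" list or a "sni" string, and
"*.example.com" wildcards) is an assumption about APISIX 2.x.
"""
import json
import re

NO_SNI = re.compile(r"http_ssl_phase\(\): .*failed to fetch SSL certificate: not found")
NO_MATCH = re.compile(r"match_and_set\(\): failed to find any SSL certificate by SNI: (?P<sni>\S+),")
CLIENT = re.compile(r"client: (?P<ip>[\d.]+)")

# Constructed sample input (lines taken from the thread).
SAMPLE_LOG = """\
2020/12/14 07:41:54 [error] 50#50: *40483 [lua] init.lua:180: http_ssl_phase(): failed to fetch ssl config: failed to fetch SSL certificate: not found, context: ssl_certificate_by_lua*, client: 10.112.0.116, server: 0.0.0.0:9443
2020/12/16 10:25:39 [error] 52#52: *22348 [lua] radixtree_sni.lua:219: match_and_set(): failed to find any SSL certificate by SNI: gisuni.dev, context: ssl_certificate_by_lua*, client: 192.168.198.124, server: 0.0.0.0:9443
"""
SAMPLE_ETCD = "/apisix/ssl/\ninit_dir\n"   # what `etcdctl get --prefix "/apisix/ssl"` printed


def classify_line(line):
    """Map one error.log line to (kind, sni, client_ip); None for unrelated lines."""
    client = CLIENT.search(line)
    ip = client.group("ip") if client else None
    if NO_SNI.search(line):
        return ("no_sni", None, ip)                    # ClientHello carried no SNI at all
    m = NO_MATCH.search(line)
    if m:
        return ("sni_unmatched", m.group("sni"), ip)   # SNI present, no SSL object matched
    return None


def registered_ssl_objects(etcdctl_output):
    """Parse etcdctl output (key line, value line, key line, ...) into {id: [snis]}."""
    lines = [l.strip() for l in etcdctl_output.splitlines() if l.strip()]
    objects = {}
    for key, value in zip(lines[0::2], lines[1::2]):
        m = re.match(r"/apisix/ssl/([^/\s]+)$", key)
        if not m or value == "init_dir":               # skip the directory marker
            continue
        doc = json.loads(value)                        # assumed: one JSON document per key
        snis = doc.get("snis") or ([doc["sni"]] if doc.get("sni") else [])
        objects[m.group(1)] = snis
    return objects


def sni_covered_by(pattern, host):
    """Exact match, or wildcard match for a leading '*.' label (assumed semantics)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host


def diagnose(log_text, etcdctl_output):
    """Return human-readable findings for a log/etcd pair."""
    hits = [c for c in map(classify_line, log_text.splitlines()) if c]
    objects = registered_ssl_objects(etcdctl_output)
    findings = []
    if any(kind == "no_sni" for kind, _, _ in hits):
        findings.append("some clients send no SNI (RFC 6066 forbids IP literals, so "
                        "connecting by IP looks like this); no SSL object can be selected")
    for sni in sorted({s for kind, s, _ in hits if kind == "sni_unmatched"}):
        covering = [i for i, snis in objects.items() if any(sni_covered_by(p, sni) for p in snis)]
        if covering:
            findings.append(f"{sni}: covered by SSL object(s) {covering}; the log lines may predate the object")
        elif objects:
            findings.append(f"{sni}: {len(objects)} SSL object(s) exist but none lists this name")
        else:
            findings.append(f"{sni}: no SSL object under /apisix/ssl at all; ssl_cert in config.yaml "
                            "does not register one, create it via the Admin API /apisix/admin/ssl")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_ETCD):
        print("-", finding)
```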
   





[GitHub] [apisix] liyin37 edited a comment on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 edited a comment on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-744328343


   the docker-compose.yaml is:
   
   ```yaml
   version: "3"
   services:
     apisix:
       container_name: gistack-apisix
       image: apache/apisix:2.1-centos
       restart: always
       volumes:
         - /data/apisix/apisix_log:/usr/local/apisix/logs
         - $PWD/common/config/apisix_conf/config.yaml:/usr/local/apisix/conf/config.yaml:ro
         - $PWD/common/ssl:/usr/local/apisix/conf/cert:ro
       depends_on:
         - etcd
       # network_mode: host
       ports:
         - "9080:9080/tcp"
         - "9443:9443/tcp"
     etcd:
       container_name: gistack-etcd
       image: bitnami/etcd:3.4.9
       user: root
       restart: always
       volumes:
         - /data/apisix/etcd_data:/etcd_data
       environment:
         ETCD_DATA_DIR: /etcd_data
         ETCD_ENABLE_V2: "true"
         ALLOW_NONE_AUTHENTICATION: "yes"
         ETCD_ADVERTISE_CLIENT_URLS: "http://0.0.0.0:2379"
         ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
       # network_mode: host
       ports:
         - "2379:2379/tcp"
   ```





[GitHub] [apisix] liyin37 commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745990801


   @idbeta
   etcdctl get --prefix "/apisix/ssl"
   how to exec this command? It is in docker





[GitHub] [apisix] liyin37 commented on issue #3037: after configuring the SSL, log error

Posted by GitBox <gi...@apache.org>.
liyin37 commented on issue #3037:
URL: https://github.com/apache/apisix/issues/3037#issuecomment-745957292


   @nic-chen @spacewander
   the packet capture is:
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
   17:06:39.007429 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [S], seq 885285712, win 29200, options [mss 1460,sackOK,TS val 97301020 ecr 0,nop,wscale 7], length 0
   17:06:39.007764 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [S.], seq 2085634511, ack 885285713, win 28960, options [mss 1460,sackOK,TS val 2941101919 ecr 97301020,nop,wscale 7], length 0
   17:06:39.008478 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 1, win 229, options [nop,nop,TS val 97301021 ecr 2941101919], length 0
   17:06:39.187906 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [P.], seq 1:172, ack 1, win 229, options [nop,nop,TS val 97301200 ecr 2941101919], length 171
   17:06:39.188150 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 172, win 235, options [nop,nop,TS val 2941102099 ecr 97301200], length 0
   17:06:39.188991 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [P.], seq 1:8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 7
   17:06:39.189161 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [F.], seq 8, ack 172, win 235, options [nop,nop,TS val 2941102100 ecr 97301200], length 0
   17:06:39.189433 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [.], ack 8, win 229, options [nop,nop,TS val 97301202 ecr 2941102100], length 0
   17:06:39.190444 IP 192.168.198.124.42534 > 192.168.199.232.tungsten-https: Flags [F.], seq 172, ack 9, win 229, options [nop,nop,TS val 97301203 ecr 2941102100], length 0
   17:06:39.190547 IP 192.168.199.232.tungsten-https > 192.168.198.124.42534: Flags [.], ack 173, win 235, options [nop,nop,TS val 2941102102 ecr 97301203], length 0
   
   config.yaml is below:
   
   ```yaml
   ssl:
       enable: true                  # ssl is disabled by default
                                     # enable it to use your own cert and key
       enable_http2: true
       listen_port: 9443
       ssl_trusted_certificate: /usr/local/apisix/conf/cert/ca.pem # Specifies a file path with trusted CA certificates in the PEM format
                                                   # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
                                                   # with external services (e.g. etcd)
       ssl_cert: /usr/local/apisix/conf/cert/server.pem
       ssl_cert_key: /usr/local/apisix/conf/cert/server.key
       ssl_protocols: "TLSv1.2 TLSv1.3"
       ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
       ssl_session_tickets: false              #  disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
                                               #  ref: https://github.com/mozilla/server-side-tls/issues/135
       key_encrypt_salt: "edd1c9f0985e76a2"    #  If not set, will save origin ssl key into etcd.
                                               #  If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
                                               #  !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!
   ```
   

