Posted to notifications@apisix.apache.org by "thor533 (via GitHub)" <gi...@apache.org> on 2023/04/07 09:48:09 UTC

[GitHub] [apisix] thor533 opened a new issue, #9262: failed SSL handshake

thor533 opened a new issue, #9262:
URL: https://github.com/apache/apisix/issues/9262

   ### Description
   
   When I enabled HTTPS for the health check, I configured the `ssl_trusted_certificate` setting, but it did not work.
   
   the apisix config is:
   ```yaml
   apisix:
     node_listen: 9080              # APISIX listening port
     enable_ipv6: false
     ssl:
       enable: true
       enable_http2: true
       listen_port: 9443
       ssl_trusted_certificate: /usr/local/apisix/conf/cert/ssl_PLACE_HOLDER.crt
   #    ssl_cert: /usr/local/apisix/conf/cert/rootCA.pem
   #    ssl_cert_key: /usr/local/apisix/conf/cert/rootCA-key.pem

     allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
       - 0.0.0.0/0              # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.

     admin_key:
       - name: "admin"
         key: edd1c9f034335f136f87ad84b625c8f1
         role: admin                 # admin: manage all configuration data
                                     # viewer: only can view configuration data
       - name: "viewer"
         key: 4054f7cf07e344346cd3f287985e76a2
         role: viewer

     enable_control: true
     control:
       ip: "0.0.0.0"
       port: 9092

   etcd:
     host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
       - "http://etcd:2379"     # multiple etcd address
     prefix: "/apisix"               # apisix configurations prefix
     timeout: 30                     # 30 seconds

   nginx_config:                     # config for render the template to generate nginx.conf
     error_log: logs/error.log
     error_log_level:  warn
     worker_processes: auto          # if you want use multiple cores in container, you can inject the number of cpu as environment variable "APISIX_WORKER_PROCESSES"

   plugin_attr:
     prometheus:
       export_addr:
         ip: "0.0.0.0"
         port: 9091
   ```
   the error log is:
   ![image](https://user-images.githubusercontent.com/62246176/230587313-50f8d840-0207-48c8-adeb-046d4d0375a1.png)
   
   
   ### Environment
   
   - APISIX version (run `apisix :2.15-alpine`):
   - Operating system (run `uname -a`):
   - OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
   - etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`):
   - APISIX Dashboard version, if relevant:
   - Plugin runner version, for issues related to plugin runners:
   - LuaRocks version, for installation issues (run `luarocks --version`):
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [apisix] kingluo commented on issue #9262: failed SSL handshake

Posted by "kingluo (via GitHub)" <gi...@apache.org>.
kingluo commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1501556341

   what's your upstream configuration (including the health check cfg)?



[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1502578141

   > Could you confirm curl is ok?
   > 
   > And does your server have multiple certs for different server names (SNI)? It's better to specify `upstream.checks.active.host`.
   > 
   > You could [export](https://curl.se/docs/sslcerts.html) a valid CA file using this command:
   > 
   > ```shell
   > openssl s_client -showcerts -servername server -connect server:443 > cacert.pem
   > ```
   
   OK, I'll take a closer look.
   ![image](https://user-images.githubusercontent.com/62246176/231035538-230f460e-131c-47a9-8143-7cbc1bb0ecff.png)
   And can only one certificate be configured for this? Thanks.



[GitHub] [apisix] kingluo commented on issue #9262: failed SSL handshake

Posted by "kingluo (via GitHub)" <gi...@apache.org>.
kingluo commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1502602797

   Yes, but that can be a bundle file:
   
   ```bash
   cat ca1.crt ca2.crt ca3.crt > ca.crt
   ```



[GitHub] [apisix] Sn0rt commented on issue #9262: failed SSL handshake

Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1506248572

   @thor533 Is this issue completed?



[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1501351635

   > It seems that either the SSL version is not supported or the server is not using SSL at all (plain http only?). Please use tcpdump to check the traffic so that you get to know what's happening.
   
   the error log:
   ![image](https://user-images.githubusercontent.com/62246176/230820480-d3071928-8904-468e-a11d-ea1fc1a70716.png)
   
   The gateway initiates a request for TLSv1.0, and the server is configured with the same certificate. However, the handshake fails.
   
   ![image](https://user-images.githubusercontent.com/62246176/230820640-548f3de2-fd48-482a-94e6-7848d7611973.png)
   



[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1504857386

   > Yes, but that can be a bundle file:
   > 
   > ```shell
   > cat ca1.crt ca2.crt ca3.crt > ca.crt
   > ```
   
   Does HTTPS for the active health check only need this configuration? Do I need any other configuration?
   ```yaml
   apisix:
     ssl:
       ssl_trusted_certificate: /usr/local/apisix/conf/cert/www.yunkeyo.com.pem
   ```
   
   
   



[GitHub] [apisix] kingluo commented on issue #9262: failed SSL handshake

Posted by "kingluo (via GitHub)" <gi...@apache.org>.
kingluo commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1501315462

   It seems that either the SSL version is not supported or the server is not using SSL at all (plain http only?).
   Please use tcpdump to check the traffic so that you get to know what's happening.



[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1506607891

   That's taken care of. Thank you, everybody. Thank you very much.
   
   



[GitHub] [apisix] kingluo commented on issue #9262: failed SSL handshake

Posted by "kingluo (via GitHub)" <gi...@apache.org>.
kingluo commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1500155134

   Do you happen to use TLSv1.3 only on the upstream server?
   
   By default, cosocket does not use TLSv1.3, you need to configure it explicitly:
   
   `config.yaml`
   
   ```yaml
   nginx_config:
     http_configuration_snippet: |
       lua_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
   ```



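The two comments above suggest capturing the handshake with tcpdump and checking which protocol versions the cosocket offers before widening `lua_ssl_protocols`. Reading such a capture needs a decoder for the TLS record header, the ClientHello and the server's Alert. The following is an added example written for this page (not code from the APISIX project or from the commenters), stdlib-only Python run over a ClientHello and two Alerts constructed inline; the hostname `upstream.example` and the cipher suites in the builder are assumptions for the demonstration. It also shows a frequent source of confusion: the record-layer version of a modern ClientHello is commonly 0x0301 ("TLS 1.0") for compatibility, while the versions actually offered are in `legacy_version` and the `supported_versions` extension (RFC 8446). The Alert description (`protocol_version` versus `unknown_ca`, for example) separates a version mismatch from a trust-store problem.

```python
"""Decode TLS records from a failed-handshake capture (added example, stdlib only).

All bytes below are constructed here for the demonstration; they are not taken
from the issue's screenshots or from APISIX.
"""
import struct

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
            0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Alert descriptions a health-check client commonly receives (RFC 5246 / RFC 8446).
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version", 112: "unrecognized_name"}
EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43


def version_name(code):
    return VERSIONS.get(code, "0x%04x" % code)


def parse_record(data):
    """Return (content_type, record_version, payload) for one TLS record."""
    ctype, version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated record")
    return ctype, version, payload


def parse_client_hello(payload):
    """Pull version and SNI information out of a ClientHello handshake message."""
    if payload[0] != 1:
        raise ValueError("not a ClientHello")
    body = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip the 32-byte random
    pos += 1 + body[pos]                          # session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher suites
    pos += 1 + body[pos]                          # compression methods
    supported, sni = [], None
    if pos < len(body):                           # the extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:   # 1-byte list length, then 2-byte versions
                supported = [struct.unpack("!H", edata[i:i + 2])[0] for i in range(1, 1 + edata[0], 2)]
            elif etype == EXT_SERVER_NAME:        # list length, name type, name length, host
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii")
    return {"legacy_version": legacy_version, "supported_versions": supported,
            "cipher_suites": cs_len // 2, "sni": sni}


def describe(record):
    """Summarise one record the way an analyst reads a capture of a failed handshake."""
    ctype, rec_version, payload = parse_record(record)
    if ctype == 21:
        level, desc = payload[0], payload[1]
        return {"kind": "alert", "level": "fatal" if level == 2 else "warning",
                "description": ALERTS.get(desc, str(desc))}
    if ctype == 22 and payload[0] == 1:
        hello = parse_client_hello(payload)
        # Without supported_versions the client offers legacy_version and anything below it.
        offered = hello["supported_versions"] or [hello["legacy_version"]]
        return {"kind": "client_hello", "record_version": version_name(rec_version),
                "offered_versions": [version_name(v) for v in offered], "sni": hello["sni"]}
    return {"kind": CONTENT_TYPES.get(ctype, str(ctype))}


def build_client_hello(record_version, legacy_version, supported_versions=(), sni=None):
    """Build a minimal ClientHello record (constructed test input, not a real capture)."""
    exts = b""
    if sni:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
    suites = b"\x13\x01\xc0\x2f"                  # TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256
    body = (struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # all-zero random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # one compression method: null
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


def build_alert(description, level=2):
    """Build a TLS Alert record (level 2 = fatal)."""
    return struct.pack("!BHH", 21, 0x0303, 2) + bytes([level, description])


# A TLS 1.3-capable hello still carries record version 0x0301 (TLS 1.0) on the wire.
MODERN_HELLO = build_client_hello(0x0301, 0x0303, (0x0304, 0x0303), sni="upstream.example")
TLS12_ONLY_HELLO = build_client_hello(0x0301, 0x0303)
SERVER_REJECTS_VERSION = build_alert(70)          # protocol_version
SERVER_REJECTS_CA = build_alert(48)               # unknown_ca

if __name__ == "__main__":
    for rec in (MODERN_HELLO, TLS12_ONLY_HELLO, SERVER_REJECTS_VERSION, SERVER_REJECTS_CA):
        print(describe(rec))
```

Feed `describe()` the raw record bytes exported from the capture (for example with `tcpdump -w` and a packet tool of your choice); a "TLS 1.0" record version on the ClientHello is expected and is not the version being negotiated, whereas a fatal `protocol_version` alert from the server is the symptom that `lua_ssl_protocols` addresses, and `unknown_ca` points at `ssl_trusted_certificate` instead.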
[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1501612538

   > ```shell
   > curl https://your-upstream-server -vvv --cacert ca.crt
   > ```
   
   the route config is:
   ```json
   {
       "id": "455214153062154944",
       "create_time": 1680858378,
       "update_time": 1681111004,
       "uri": "/test123/*",
       "name": "health",
       "priority": 1,
       "methods": [
           "GET",
           "POST",
           "PUT",
           "DELETE",
           "PATCH",
           "HEAD",
           "OPTIONS",
           "CONNECT",
           "TRACE"
       ],
       "upstream": {
           "nodes": [
               {
                   "host": "192.168.29.93",
                   "port": 8180,
                   "weight": 1
               },
               {
                   "host": "192.168.39.96",
                   "port": 8180,
                   "weight": 1
               },
               {
                   "host": "192.168.88.66",
                   "port": 9001,
                   "weight": 1
               }
           ],
           "retries": 1,
           "timeout": {
               "connect": 6,
               "send": 6,
               "read": 6
           },
           "type": "roundrobin",
           "checks": {
               "active": {
                   "concurrency": 10,
                   "healthy": {
                       "http_statuses": [
                           200,
                           302
                       ],
                       "interval": 5,
                       "successes": 2
                   },
                   "http_path": "/",
                   "https_verify_certificate": true,
                   "port": 9443,
                   "timeout": 1,
                   "type": "https",
                   "unhealthy": {
                       "http_failures": 5,
                       "http_statuses": [
                           429,
                           404,
                           500,
                           501,
                           502,
                           503,
                           504,
                           505
                       ],
                       "interval": 5,
                       "tcp_failures": 2,
                       "timeouts": 3
                   }
               }
           },
           "scheme": "http",
           "pass_host": "pass",
           "keepalive_pool": {
               "idle_timeout": 60,
               "requests": 1000,
               "size": 320
           },
           "retry_timeout": 1
       },
       "labels": {
           "API_VERSION": "12"
       },
       "status": 1
   }
   ```
   
   now the error is:
   ![image](https://user-images.githubusercontent.com/62246176/230876109-afaa9a4b-d5a5-4538-a150-eb208964e79f.png)
   
   ![image](https://user-images.githubusercontent.com/62246176/230876558-f4f79096-1197-4cac-b11e-bcbf9ad843ee.png)
   ![image](https://user-images.githubusercontent.com/62246176/230876600-74d368ea-4d88-40f0-818d-3b1568555fc2.png)
   



[GitHub] [apisix] kingluo commented on issue #9262: failed SSL handshake

Posted by "kingluo (via GitHub)" <gi...@apache.org>.
kingluo commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1501673290

   Could you confirm curl is ok?
   
   And does your server have multiple certs for different server names (SNI)?
   It's better to specify `upstream.checks.active.host`.
   
   
   



[GitHub] [apisix] kingluo commented on issue #9262: failed SSL handshake

Posted by "kingluo (via GitHub)" <gi...@apache.org>.
kingluo commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1504862655

   `ssl_trusted_certificate` contains all CA files to verify upstream servers, etcd server, and all servers accessed via lua cosocket (including health checker). 



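Two practical consequences follow from the comments above (one trust store serving upstreams, etcd and the health checker, built by concatenating CA files): the bundle must contain every CA those cosocket clients will meet, and nothing else. The following added example, written for this page and not APISIX project code, lints such a bundle before it is referenced from `ssl_trusted_certificate`: it counts certificate blocks, rejects private keys that a careless `cat` can drag into a world-readable file, flags `END`/`BEGIN` markers glued onto one line when a source file lacked a trailing newline (which breaks line-oriented PEM readers), and provides a join that avoids that. The PEM bodies are constructed placeholders (a five-byte DER SEQUENCE), not real certificates; the cryptographic check that the bundle really validates an upstream's certificate remains `openssl verify -CAfile ca.crt server.crt`.

```python
"""Lint a concatenated CA bundle destined for ssl_trusted_certificate (added example).

The PEM contents below are constructed placeholders, not real certificates.
"""
import base64
import binascii
import re

# One PEM block: marker line, base64 body, matching END marker.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
# An END marker that is not followed by a newline (or end of file) means two files were glued together.
GLUED_MARKER = re.compile(r"-----END [A-Z ]+-----(?!\n|$)")


def join_pem_files(*contents):
    """Concatenate PEM files so that every file ends with exactly one newline."""
    return "".join(c.rstrip("\n") + "\n" for c in contents)


def lint_bundle(text):
    """Return (number_of_certificates, problems) for a PEM trust-store bundle."""
    problems = []
    if GLUED_MARKER.search(text):
        problems.append("END marker not followed by newline: files were concatenated without trailing newlines")
    certs = 0
    blocks = PEM_BLOCK.findall(text)
    for label, body in blocks:
        if label != "CERTIFICATE":
            # A trust store holds CA certificates only; a key here is a secret in the wrong place.
            problems.append(f"{label} block does not belong in a trust store")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("CERTIFICATE block with invalid base64")
            continue
        if not der or der[0] != 0x30:   # every X.509 certificate is a DER SEQUENCE
            problems.append("CERTIFICATE block does not decode to a DER SEQUENCE")
            continue
        certs += 1
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("BEGIN without matching END (truncated block)")
    return certs, problems


# Constructed placeholder: base64 of a 5-byte DER SEQUENCE standing in for a CA certificate.
PLACEHOLDER_BODY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()   # "MAMCAQE="
CA1 = f"-----BEGIN CERTIFICATE-----\n{PLACEHOLDER_BODY}\n-----END CERTIFICATE-----\n"
CA2_NO_NEWLINE = f"-----BEGIN CERTIFICATE-----\n{PLACEHOLDER_BODY}\n-----END CERTIFICATE-----"
LEAKED_KEY = f"-----BEGIN PRIVATE KEY-----\n{PLACEHOLDER_BODY}\n-----END PRIVATE KEY-----\n"

GOOD_BUNDLE = join_pem_files(CA1, CA2_NO_NEWLINE)      # two CAs, cleanly separated
NAIVE_CAT = CA2_NO_NEWLINE + CA1                       # what `cat` produces when a file lacks a trailing newline
MIXED_BUNDLE = join_pem_files(CA1, LEAKED_KEY)         # a private key accidentally included
TRUNCATED = CA1 + "-----BEGIN CERTIFICATE-----\nMAMC"  # copy cut off mid-block

if __name__ == "__main__":
    for name, bundle in (("good", GOOD_BUNDLE), ("naive cat", NAIVE_CAT),
                         ("mixed", MIXED_BUNDLE), ("truncated", TRUNCATED)):
        count, problems = lint_bundle(bundle)
        print(f"{name}: {count} certificate(s); problems: {problems or 'none'}")
```

Run it against the real file referenced by `ssl_trusted_certificate` (read it as text and pass it to `lint_bundle`) after building the bundle; a certificate count lower than the number of CA files you intended to include is the quickest hint that the health checker cannot have the upstream's CA.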
[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1501285593

   > Do you happen to use TLSv1.3 only on the upstream server?
   > 
   > By default, cosocket does not use TLSv1.3, you need to configure it explicitly:
   > 
   > `config.yaml`
   > 
   > ```yaml
   > nginx_config:
   >   http_configuration_snippet: |
   >     lua_ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
   > ```
   
   No, it is TLSv1.2. I don't know what went wrong, I need your help!



[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1506465070

   > @thor533 Is this issue completed?
   
   No, the certificate is a self-signed certificate. I don't know what's wrong with it.
   ![image](https://user-images.githubusercontent.com/62246176/231681765-b8709c4f-38eb-4039-a244-a860f3265189.png)
   



[GitHub] [apisix] thor533 commented on issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 commented on issue #9262:
URL: https://github.com/apache/apisix/issues/9262#issuecomment-1504890063

   > 
   
   Okay, thanks.



[GitHub] [apisix] thor533 closed issue #9262: failed SSL handshake

Posted by "thor533 (via GitHub)" <gi...@apache.org>.
thor533 closed issue #9262: failed SSL handshake 
URL: https://github.com/apache/apisix/issues/9262

