Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/09/24 04:30:32 UTC
[GitHub] [apisix] foreveryang321 opened a new issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
foreveryang321 opened a new issue #5125:
URL: https://github.com/apache/apisix/issues/5125
### Issue description
After configuring etcd TLS, also configuring stream_proxy in apisix/conf/config.yaml produces the error `[error] 49#49: *162 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 4s, context: ngx.timer`. Removing the stream_proxy configuration makes it work again. How can this be resolved?
The configuration is as follows:
```yaml
apisix:
  id: "yl-mac"
  node_listen: 9080
  enable_ipv6: false
  allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 0.0.0.0/0
  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
    - name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
  stream_proxy:
    only: false
    tcp:
      - addr: 9200
        tls: true
etcd:
  host:
    # - "http://etcd:2379"
    - "https://192.168.11.1:2379"
    - "https://192.168.11.2:2379"
    - "https://192.168.11.3:2379"
  prefix: "/apisix"
  timeout: 30
  tls:
    cert: /usr/local/apisix/ssl/etcd.pem
    key: /usr/local/apisix/ssl/etcd-key.pem
    verify: true
```
### Environment
- apisix version (cmd: `apisix version`): 2.9
- OpenResty / Nginx version: 1.19.3.2
- etcd version: 3.5.0
- apisix-dashboard version: 2.8
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] foreveryang321 commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
foreveryang321 commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926370817
> any error logs about case 2 doesn't work well?
```txt
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.1:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.2:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.3:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): has no healthy etcd endpoint available. Retrying, context: ngx.timer
2021/09/23 16:38:37 [error] 49#49: *964289 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 2s, context: ngx.timer
2021/09/23 16:38:37 [error] 43#43: *960186 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:38 [error] 45#45: *962215 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:39 [error] 46#46: *970612 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
```
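Reading the lines above: the number printed after the endpoint (`20` here, `18` in the later reproduction) is OpenSSL's X509 verification result, which is what makes `unable to get local issuer certificate` and `self signed certificate` two different diagnoses. The script below is an added example, not code from APISIX, lua-resty-etcd or this thread. It parses error.log lines of this shape, groups failures by etcd endpoint and by the nginx subsystem that logged them, and maps each code to the fix it usually points at; the sample lines are constructed after the ones posted here, and the stock nginx log prefix (`time [level] pid#tid: *conn [stream] [lua] ...`) is assumed. Setting `etcd.tls.verify: false`, as tried later in the thread, silences these lines by skipping server-certificate verification on the channel that carries every route, consumer credential and SSL object the gateway serves, so it is a diagnostic step rather than a fix.

```python
"""Triage etcd TLS verification failures in an APISIX error.log.

Added example, not APISIX or lua-resty-etcd code. The numeric code between
the endpoint and the reason ("...:2379: 20: unable to get local issuer
certificate") is assumed to be OpenSSL's X509_V_ERR_* result code, which is
how 18 and 20 line up with the text seen in this thread.
"""
import re
from collections import defaultdict

# OpenSSL X509 verification results and the fix each one usually points at.
X509_ERRORS = {
    10: ("X509_V_ERR_CERT_HAS_EXPIRED",
         "renew the etcd server certificate"),
    18: ("X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
         "etcd presents a self-signed leaf: that exact certificate must be "
         "in ssl_trusted_certificate"),
    19: ("X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
         "the private root CA is not trusted: add the root to "
         "ssl_trusted_certificate"),
    20: ("X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
         "the issuer is missing from the trust store this subsystem uses: "
         "check lua_ssl_trusted_certificate in the block that logged it"),
    62: ("X509_V_ERR_HOSTNAME_MISMATCH",
         "the certificate SAN does not cover the host named in etcd.host"),
}

# nginx error.log prefix; the http subsystem logs "[lua]" with no subsystem word.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#\d+: \*\d+ (?:(?P<subsystem>stream) )?\[lua\] (?P<msg>.*)$")
TLS_FAIL_RE = re.compile(
    r"request_chunk\(\): (?P<endpoint>https://\S+?): (?P<code>\d+): (?P<reason>[^.]*)\.")
UNHEALTHY_RE = re.compile(
    r"report_failure\(\): update endpoint: (?P<endpoint>\S+) to unhealthy")


def triage(log_text):
    """Group verification failures by etcd endpoint.

    Returns {endpoint: {"subsystems": set, "codes": set, "unhealthy": int}}."""
    report = defaultdict(lambda: {"subsystems": set(), "codes": set(), "unhealthy": 0})
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        subsystem = m.group("subsystem") or "http"
        msg = m.group("msg")
        fail = TLS_FAIL_RE.search(msg)
        if fail:
            entry = report[fail.group("endpoint")]
            entry["subsystems"].add(subsystem)
            entry["codes"].add(int(fail.group("code")))
        down = UNHEALTHY_RE.search(msg)
        if down:
            report[down.group("endpoint")]["unhealthy"] += 1
    return dict(report)


def failures_confined_to(report, subsystem):
    """True when every TLS failure came from one subsystem. If the same CA file
    verifies fine over http but every failure is logged from stream, the trust
    store in the stream block is the suspect, not the CA file itself."""
    seen = set()
    for entry in report.values():
        seen |= entry["subsystems"]
    return bool(seen) and seen == {subsystem}


def explain(report):
    """One remediation line per (endpoint, error code)."""
    lines = []
    for endpoint, entry in sorted(report.items()):
        subs = ",".join(sorted(entry["subsystems"])) or "-"
        for code in sorted(entry["codes"]):
            name, fix = X509_ERRORS.get(
                code, ("X509 verify error %d" % code, "look the code up in openssl/x509_vfy.h"))
            lines.append("%s [%s] %s: %s" % (endpoint, subs, name, fix))
    return lines


# Constructed sample modelled on the thread's log lines (not a real capture).
SAMPLE_LOG = """\
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.1:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/24 18:31:52 [warn] 24912#2151585: *35 stream [lua] v3.lua:631: request_chunk(): https://test.com:12379: 18: self signed certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [error] 49#49: *964289 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 2s, context: ngx.timer
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    for line in explain(summary):
        print(line)
    if failures_confined_to(summary, "stream"):
        print("all failures come from the stream subsystem: check its trust anchor first")
```

Run it against a real error.log with `triage(open("logs/error.log").read())`; when `failures_confined_to(summary, "stream")` is true while the same `ssl_trusted_certificate` works without `stream_proxy`, the CA file is fine and the stream subsystem's trust store is what to look at, which is exactly the pattern this thread ended on.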
[GitHub] [apisix] spacewander commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-929772732
Fixed in https://github.com/openresty/stream-lua-nginx-module/commit/a7193b14339e8c4cc5da024b7d86d0d20e0d2e9d
[GitHub] [apisix] tokers commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-927213947
> I have verified this, the result is the same as yours, case 1 is normal, case 2 is abnormal
>
> my configuration is as below:
>
> ```yaml
> apisix:
>   admin_key:
>     - name: admin
>       key: edd1c9f034335f136f87ad84b625c8f1
>       role: admin
>   ssl:
>     ssl_trusted_certificate: t/certs/apisix.crt
>   stream_proxy:
>     only: false
>     tcp:
>       - addr: 9200
>         tls: true
> etcd:
>   host:
>     - "https://test.com:12379"
>   tls:
>     cert: t/certs/apisix.crt
>     key: t/certs/apisix.key
> ```
>
> and add this item to `/etc/hosts`
>
> ```
> 127.0.0.1 test.com
> ```
>
> case 2 error.log is:
>
> ```
> 2021/09/24 18:31:52 [warn] 24912#2151585: *35 stream [lua] v3.lua:631: request_chunk(): https://test.com:12379: 18: self signed certificate. Retrying, context: ngx.timer
> 2021/09/24 18:31:52 [warn] 24919#2151592: *123 stream [lua] v3.lua:631: request_chunk(): https://test.com:12379: 18: self signed certificate. Retrying, context: ngx.timer
> 2021/09/24 18:31:52 [warn] 24919#2151592: *50 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://test.com:12379 to unhealthy, context: ngx.timer
> 2021/09/24 18:31:52 [warn] 24919#2151592: *50 stream [lua] v3.lua:631: request_chunk(): https://test.com:12379: 18: self signed certificate. Retrying, context: ngx.timer
> ```
>
> I found something strange, the `nginx.conf` generated by above conf is:
>
> ```nginx
> stream {
>     ……
>     lua_ssl_trusted_certificate /usr/local/Cellar/apisix/t/certs/apisix.crt;
>     ……
>
> http {
>     lua_ssl_trusted_certificate /usr/local/Cellar/apisix/t/certs/apisix.crt;
> ```
>
> `lua_ssl_trusted_certificate` exists in both the `stream` and `http` subsystems, is there a conflict? @spacewander
As per the description in [stream-lua-nginx-module](https://github.com/openresty/stream-lua-nginx-module), the `lua_ssl_trusted_certificate` is the same as the one in the http subsystem.
[GitHub] [apisix] tzssangglass commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926299857
@foreveryang321 so we can close this issue?
[GitHub] [apisix] foreveryang321 commented on issue #5125: configuring etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
foreveryang321 commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926260631
> @foreveryang321 There should be some other logs which are related to the SSL handshaking, you may try to check them out, also, be sure you're using the APISIX OpenResty since the mTLS support relies on it.
> nginx/openresty version
Built from [https://github.com/api7/apisix-build-tools/blob/master/build-apisix-openresty.sh](https://github.com/api7/apisix-build-tools/blob/master/build-apisix-openresty.sh)
```txt
nginx version: openresty/1.19.3.2
built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1)
built with OpenSSL 1.1.1l 24 Aug 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_OPENRESTY_VER=0.0.0' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.19 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.9 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../mod_dubbo --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../ngx_multi_upstream_module --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../apisix-nginx-module --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
```
> Logs
```txt
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.1:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.2:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.3:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): has no healthy etcd endpoint available. Retrying, context: ngx.timer
2021/09/23 16:38:37 [error] 49#49: *964289 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 2s, context: ngx.timer
2021/09/23 16:38:37 [error] 43#43: *960186 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:38 [error] 45#45: *962215 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:39 [error] 46#46: *970612 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
```
If the stream_proxy section of the configuration is commented out, etcd can be connected to normally:
```yaml
apisix:
  id: "yl-mac"
  node_listen: 9080
  enable_ipv6: false
  allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 0.0.0.0/0
  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
    - name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
  # stream_proxy:
  #   only: false
  #   tcp:
  #     - addr: 9200
  #       tls: true
etcd:
  host:
    # - "http://etcd:2379"
    - "https://192.168.11.1:2379"
    - "https://192.168.11.2:2379"
    - "https://192.168.11.3:2379"
  prefix: "/apisix"
  timeout: 30
  tls:
    cert: /usr/local/apisix/ssl/etcd.pem
    key: /usr/local/apisix/ssl/etcd-key.pem
    verify: true
```
> docker-compose.yml
```yaml
version: "3.8"
services:
  apisix:
    image: apache/apisix:2.9-alpine
    container_name: apisix
    hostname: apisix
    ports:
      - "9080:9080"
      - "9443:9443"
      - "9200:9200"
    volumes:
      - ./conf/config.yaml/:/usr/local/apisix/conf/config.yaml
      - ./ssl:/usr/local/apisix/ssl
      - ./logs:/usr/local/apisix/logs
    environment:
      - "TZ=Asia/Shanghai"
    restart: always
```
[GitHub] [apisix] spacewander commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-930686267
Backported to apisix-nginx-module.
[GitHub] [apisix] tokers commented on issue #5125: configuring etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926267114
it seems that the CA certificate was not configured correctly in the stream subsystem @tzssangglass please take a look when you have time.
[GitHub] [apisix] foreveryang321 edited a comment on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
foreveryang321 edited a comment on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926280006
when I set etcd.tls.verify to false, then it works well.
```yaml
apisix:
  ...
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
  stream_proxy:
    only: false
    tcp:
      - addr: 9200
        tls: true
etcd:
  ...
  tls:
    ...
    verify: false
```
[GitHub] [apisix] tokers commented on issue #5125: configuring etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-925698398
@foreveryang321 There should be some other logs which are related to the SSL handshaking, you may try to check them out, also, be sure you're using the APISIX OpenResty since the mTLS support relies on it.
[GitHub] [apisix] tzssangglass commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926524100
I have verified this, the result is the same as yours, case 1 is normal, case 2 is abnormal
my configuration is as below:
```yaml
apisix:
  admin_key:
    - name: admin
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
  ssl:
    ssl_trusted_certificate: t/certs/apisix.crt
  stream_proxy:
    only: false
    tcp:
      - addr: 9200
        tls: true
etcd:
  host:
    - "https://test.com:12379"
  tls:
    cert: t/certs/apisix.crt
    key: t/certs/apisix.key
```
and add this item to `/etc/hosts`
```
127.0.0.1 test.com
```
case 2 error.log is:
```
2021/09/24 18:31:52 [warn] 24912#2151585: *35 stream [lua] v3.lua:631: request_chunk(): https://test.com:12379: 18: self signed certificate. Retrying, context: ngx.timer
2021/09/24 18:31:52 [warn] 24919#2151592: *123 stream [lua] v3.lua:631: request_chunk(): https://test.com:12379: 18: self signed certificate. Retrying, context: ngx.timer
2021/09/24 18:31:52 [warn] 24919#2151592: *50 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://test.com:12379 to unhealthy, context: ngx.timer
2021/09/24 18:31:52 [warn] 24919#2151592: *50 stream [lua] v3.lua:631: request_chunk(): https://test.com:12379: 18: self signed certificate. Retrying, context: ngx.timer
```
I found something strange, the `nginx.conf` generated by above conf is:
```nginx
stream {
    ……
    lua_ssl_trusted_certificate /usr/local/Cellar/apisix/t/certs/apisix.crt;
    ……

http {
    lua_ssl_trusted_certificate /usr/local/Cellar/apisix/t/certs/apisix.crt;
```
`lua_ssl_trusted_certificate` exists in both the `stream` and `http` subsystems, is there a conflict? @spacewander
[GitHub] [apisix] spacewander commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-927295529
```c
{ ngx_string("lua_ssl_trusted_certificate"),
  NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
  ngx_conf_set_str_slot,
  NGX_HTTP_LOC_CONF_OFFSET,
  offsetof(ngx_http_lua_loc_conf_t, ssl_trusted_certificate),
  NULL },
```
The lua_ssl_trusted_certificate in different subsystems only affects the subsystem itself.
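Because `lua_ssl_trusted_certificate` is scoped to the block it appears in, a config review has to look at the `http` and `stream` blocks separately. In this thread both blocks carried the directive and the remaining failure was the stream-lua-nginx-module bug fixed upstream, but a generator that emits the directive into only one block produces the same `unable to get local issuer certificate` lines from the other one, and that case is fixable in the config. The script below is an added example, not APISIX or OpenResty code: a minimal stdlib-only nginx.conf parser (it skips `*_by_lua_block` bodies by brace depth and ignores quoting) plus a check that every subsystem block that starts worker timers via `init_worker_by_lua_block`, which is where the etcd watcher runs, also sets its own trust anchor. The sample configs are constructed; the paths and the `apisix.*_init_worker()` calls inside them are placeholders, and the presence of `init_worker_by_lua_block` in both generated blocks is an assumption about the sample, not a claim about any APISIX release.

```python
"""Check each nginx subsystem block for its own outbound-TLS trust anchor.

Added example, not APISIX or OpenResty code. lua_ssl_trusted_certificate
applies only to the http or stream block it is written in, so both blocks
are audited independently. Sample configs are constructed; the paths and
the apisix.*_init_worker() calls are placeholders.
"""
import re

TRUST_DIRECTIVES = ("lua_ssl_trusted_certificate", "lua_ssl_verify_depth")


def _strip_comments(text):
    # '#' comments run to end of line (quoting is ignored in this toy parser).
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_nginx_conf(text):
    """Return [(name, args, body)]: body is None for a plain directive, a list
    for a '{ }' block, or the raw Lua source for a *_by_lua_block."""
    text = _strip_comments(text)
    stmt_end = re.compile(r"[;{]")

    def parse_block(pos):
        items = []
        while True:
            while pos < len(text) and text[pos].isspace():
                pos += 1
            if pos >= len(text):
                return items, pos
            if text[pos] == "}":
                return items, pos + 1
            m = stmt_end.search(text, pos)
            if m is None:
                raise ValueError("unterminated directive at offset %d" % pos)
            words = text[pos:m.start()].split()
            if not words:
                raise ValueError("empty directive at offset %d" % pos)
            name, args = words[0], words[1:]
            pos = m.end()
            if m.group() == ";":
                items.append((name, args, None))
            elif name.endswith("_by_lua_block"):
                # Lua source may contain braces and ';', so skip it by brace
                # depth instead of parsing it as nginx directives.
                depth, start = 1, pos
                while depth:
                    if pos >= len(text):
                        raise ValueError("unterminated %s" % name)
                    depth += {"{": 1, "}": -1}.get(text[pos], 0)
                    pos += 1
                items.append((name, args, text[start:pos - 1]))
            else:
                children, pos = parse_block(pos)
                items.append((name, args, children))

    items, _ = parse_block(0)
    return items


def audit_trust_anchors(conf_text):
    """For every http/stream block that starts worker timers (an
    init_worker_by_lua_block, where the etcd watcher lives), return the trust
    directives set at that block's level: {subsystem: {directive: value}}."""
    report = {}
    for name, _args, body in parse_nginx_conf(conf_text):
        if name not in ("http", "stream") or not isinstance(body, list):
            continue
        if not any(n == "init_worker_by_lua_block" for n, _a, _b in body):
            continue
        found = {d: None for d in TRUST_DIRECTIVES}
        for n, a, b in body:
            if n in found and b is None:
                found[n] = " ".join(a)
        report[name] = found
    return report


def subsystems_without_trust_anchor(conf_text):
    """Subsystems whose outbound TLS verification has no CA bundle to succeed
    against; with verification on, every etcd endpoint they dial goes unhealthy."""
    return sorted(sub for sub, found in audit_trust_anchors(conf_text).items()
                  if found["lua_ssl_trusted_certificate"] is None)


# Constructed: the stream block runs the etcd watcher but was emitted without
# its own trust anchor, while the http block has one.
CONF_STREAM_MISSING_CA = """
worker_processes 1;
events { worker_connections 1024; }

stream {
    init_worker_by_lua_block { apisix.stream_init_worker() }  # Lua body
    server { listen 9200 ssl; }
}

http {
    lua_ssl_trusted_certificate /usr/local/apisix/ssl/etcd-ca.pem;
    lua_ssl_verify_depth 5;
    init_worker_by_lua_block { apisix.http_init_worker() }
    server { listen 9080; }
}
"""

# Constructed: the directive is present in both subsystem blocks.
CONF_BOTH_SUBSYSTEMS = CONF_STREAM_MISSING_CA.replace(
    "stream {\n",
    "stream {\n    lua_ssl_trusted_certificate /usr/local/apisix/ssl/etcd-ca.pem;\n", 1)

if __name__ == "__main__":
    for label, conf in (("missing", CONF_STREAM_MISSING_CA), ("fixed", CONF_BOTH_SUBSYSTEMS)):
        print(label, audit_trust_anchors(conf),
              "no trust anchor in:", subsystems_without_trust_anchor(conf))
```

Point it at the generated file with `subsystems_without_trust_anchor(open("conf/nginx.conf").read())` after `apisix init`; an empty list means both subsystems at least have a CA bundle to verify against, and a remaining `20: unable to get local issuer certificate` from the stream subsystem then points at the module rather than the config, which is where this thread ended up.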
[GitHub] [apisix] foreveryang321 closed issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
foreveryang321 closed issue #5125:
URL: https://github.com/apache/apisix/issues/5125
[GitHub] [apisix] foreveryang321 commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
foreveryang321 commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926333334
However, I still have doubts.
case 1:
verify: true, it works well.
```yaml
apisix:
  ...
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
  # stream_proxy:
  #   only: false
  #   tcp:
  #     - addr: 9200
  #       tls: true
etcd:
  host:
    # - "http://etcd:2379"
    - "https://192.168.11.1:2379"
    - "https://192.168.11.2:2379"
    - "https://192.168.11.3:2379"
  prefix: "/apisix"
  timeout: 30
  tls:
    cert: /usr/local/apisix/ssl/etcd.pem
    key: /usr/local/apisix/ssl/etcd-key.pem
    verify: true
```
case 2:
verify: true, it doesn't work well.
```yaml
apisix:
  ...
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
  stream_proxy:
    only: false
    tcp:
      - addr: 9200
        tls: true
etcd:
  host:
    # - "http://etcd:2379"
    - "https://192.168.11.1:2379"
    - "https://192.168.11.2:2379"
    - "https://192.168.11.3:2379"
  prefix: "/apisix"
  timeout: 30
  tls:
    cert: /usr/local/apisix/ssl/etcd.pem
    key: /usr/local/apisix/ssl/etcd-key.pem
    verify: true
```
[GitHub] [apisix] tokers commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tokers commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-927282997
> So is it normal to have `lua_ssl_trusted_certificate` for both `stream` and `http` in nginx.conf?
In theory, it should be OK, but I haven't had a closer look at its implementation.
[GitHub] [apisix] spacewander closed issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
spacewander closed issue #5125:
URL: https://github.com/apache/apisix/issues/5125
[GitHub] [apisix] spacewander edited a comment on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
spacewander edited a comment on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-930686267
Backported to apisix-nginx-module. People who use the next release of (APISIX-)OpenResty won't suffer from this bug.
[GitHub] [apisix] tzssangglass commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926299746
```yaml
etcd:
  tls:
    verify: false
```
the `verify` here is used to control whether to verify that the CA certificate issuing the etcd certificate is in the trusted certificate chain of the host where APISIX is located.
case 1:
verify: true, and the CA certificate issuing the etcd certificate is not in the trusted certificate chain of the host where APISIX is located: APISIX will throw an Unknown CA error in the TLS handshake process and stop the connection.
In this case you need to configure `ssl_trusted_certificate` as the CA certificate that issued the etcd certificate.
case 2:
verify: false, and the CA certificate issuing the etcd certificate is not in the trusted certificate chain of the host where APISIX is located: APISIX won't throw an Unknown CA error in the TLS handshake process, ignores the Encrypted Alert error, and just establishes connections with etcd.
case 3:
verify: true, and the CA certificate issuing the etcd certificate is in the trusted certificate chain of the host where APISIX is located: APISIX will do the TLS handshake normally and establish connections with etcd.
[GitHub] [apisix] tzssangglass commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926365195
any error logs about case 2 doesn't work well?
[GitHub] [apisix] tzssangglass commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-927219900
So is it normal to have `lua_ssl_trusted_certificate` for both `stream` and `http` in nginx.conf?
[GitHub] [apisix] tzssangglass commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
tzssangglass commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-927293662
@spacewander @membphis Do you know what this is?
[GitHub] [apisix] foreveryang321 commented on issue #5125: request help: configure etcd tls and stream_proxy at the same time, etcd cannot connect
Posted by GitBox <gi...@apache.org>.
foreveryang321 commented on issue #5125:
URL: https://github.com/apache/apisix/issues/5125#issuecomment-926280006
when I set etcd.tls.verify to false, then it works well.
```yaml
apisix:
  ...
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
  stream_proxy:
    only: false
    tcp:
      - addr: 9200
        tls: true
etcd:
  ...
  tls:
    ...
    verify: true
```