Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2021/05/29 02:13:16 UTC

[GitHub] [apisix] xyz2b opened a new issue #4333: request help: apisix etcd do not support ca cert config

xyz2b opened a new issue #4333:
URL: https://github.com/apache/apisix/issues/4333


   ### Issue description
   apisix etcd do not support ca cert config, self-signed certificate verification failed
   
   ```shell
   [app@VM_97_180_centos apisix]$ ./bin/apisix start --config ./conf/apisix.yaml
   /data/app/openresty/luajit/bin/luajit ./apisix/cli/apisix.lua start --config ./conf/apisix.yaml
   mv: ‘/data/app/apisix/conf/config.yaml’ and ‘/data/app/apisix/conf/config.yaml.bak’ are the same file
   ln: failed to create hard link ‘/data/app/apisix/conf/config.yaml’: File exists
   Use customized yaml:    ./conf/apisix.yaml
   request etcd endpoint 'https://etcd01.apisix.webank.com:2379/version' error, certificate verify failed
   ```
   
   ```shell
   [app@VM_97_180_centos apisix]$ curl --cacert ./ssl/ca.pem -i https://etcd01.apisix.webank.com:2379/version
   HTTP/1.1 200 OK
   Access-Control-Allow-Headers: accept, content-type, authorization
   Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
   Access-Control-Allow-Origin: *
   Content-Type: application/json
   Date: Sat, 29 May 2021 02:11:15 GMT
   Content-Length: 45
   
   {"etcdserver":"3.4.16","etcdcluster":"3.4.0"}
   ```
   
   
   ### Environment
   
   Request help without environment information will be ignored or closed.
   
   * apisix version (cmd: `apisix version`): 2.6
   * OS (cmd: `uname -a`): Linux VM_97_180_centos 3.10.0-1127.13.1.el7.x86_64 #1 SMP Tue Jun 23 15:46:38 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
   * OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   ```shell
   nginx version: openresty/1.19.3.1
   built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
   built with OpenSSL 1.0.2k-fips  26 Jan 2017
   TLS SNI support enabled
   configure arguments: --prefix=/data/app/openresty/nginx --with-debug --with-cc-opt='-DNGX_LUA_USE_ASSERT -DNGX_LUA_ABORT_AT_PANIC -O2' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.19 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../rds-json-nginx-module-0.15 --add-module=../rds-csv-nginx-module-0.09 --add-module=../ngx_stream_lua-0.0.9 --with-ld-opt=-Wl,-rpath,/data/app/openresty/luajit/lib --user=app --group=apps --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-http_realip_module --with-http_v2_module --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module
   ```
   * etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   * apisix-dashboard version, if have:
   * luarocks version, if the issue is about installation (cmd: `luarocks --version`): 3.4.0
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] spacewander commented on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850934737


   Please open another issue to discuss another thing. Thanks for your cooperation.





[GitHub] [apisix] xyz2b commented on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b commented on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850823020


   Solution maybe in this issue: https://github.com/apache/apisix/issues/4322.
   I will try. Thank you.





[GitHub] [apisix] spacewander commented on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850778508


   It requires APISIX-Openresty
   https://github.com/apache/apisix/blob/1266801154b9d0eeea02a9e2159c499787d0cd9d/conf/config-default.yaml#L211





[GitHub] [apisix] xyz2b edited a comment on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b edited a comment on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850931940


   The ssl_trusted_certificates config in config-default.yaml will be set as the nginx.conf lua_ssl_trusted_certificate config.
   This configuration of nginx affects the global configuration.
   I hope to have the effect of the nginx proxy_ssl_trusted_certificate configuration, where each location can be configured separately.





[GitHub] [apisix] xyz2b commented on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b commented on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850803662


   I might have said something wrong.
   Since it is a self-signed certificate, the client does not trust the CA organization of the certificate.
   Therefore, you need to configure the client to trust the certificate issued by the CA, that is, you need to configure the CA certificate.
   Like curl, you need to add the --cacert parameter, otherwise an error will be reported. However, apisix does not have a parameter for trusting CA institutions.
   
   curl error
   ```shell
   [app@VM_97_180_centos apisix]$ curl -i https://etcd01.apisix.webank.com:2379/version                      
   curl: (60) Peer's Certificate issuer is not recognized.
   More details here: http://curl.haxx.se/docs/sslcerts.html
   
   curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
   If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
   If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
   ```





[GitHub] [apisix] spacewander closed issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #4333:
URL: https://github.com/apache/apisix/issues/4333


   





[GitHub] [apisix] xyz2b edited a comment on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b edited a comment on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850803662


   Thank you, I went back and tried what you said, but there is another problem.
   Since it is a self-signed certificate, the client does not trust the CA organization of the certificate.
   Therefore, you need to configure the client to trust the certificate issued by the CA, that is, you need to configure the CA certificate.
   Like curl, you need to add the --cacert parameter, otherwise an error will be reported.
   This is similar to the proxy_ssl_trusted_certificate configuration of nginx.
   However, apisix does not have a parameter for trusting CA institutions.
   
   curl error
   ```shell
   [app@VM_97_180_centos apisix]$ curl -i https://etcd01.apisix.xxxx.com:2379/version                      
   curl: (60) Peer's Certificate issuer is not recognized.
   More details here: http://curl.haxx.se/docs/sslcerts.html
   
   curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
   If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
   If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
   ```





[GitHub] [apisix] xyz2b edited a comment on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b edited a comment on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850803662


   Thank you, I went back and tried what you said, but there is another problem.
   Since it is a self-signed certificate, the client does not trust the CA organization of the certificate.
   Therefore, you need to configure the client to trust the certificate issued by the CA, that is, you need to configure the CA certificate.
   Like curl, you need to add the --cacert parameter, otherwise an error will be reported. However, apisix does not have a parameter for trusting CA institutions.
   
   curl error
   ```shell
   [app@VM_97_180_centos apisix]$ curl -i https://etcd01.apisix.xxxx.com:2379/version                      
   curl: (60) Peer's Certificate issuer is not recognized.
   More details here: http://curl.haxx.se/docs/sslcerts.html
   
   curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
   If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
   If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
   ```





[GitHub] [apisix] spacewander commented on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850934871


   The per-location proxy_ssl_trusted_certificate is not related to etcd, as etcd is global and should be configured at the global level.


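Putting together the two points made in this thread (the `ssl_trusted_certificate` key in config-default.yaml that spacewander linked, and the etcd client trust being a global setting), the following config.yaml fragment is an added example for this discussion; it is not taken from the issue or from the APISIX project, and the CA path and etcd hostname are placeholders. It keeps certificate verification on and supplies the private CA instead of working around the "certificate verify failed" error by disabling verification.

```yaml
# Added example (not from the issue): config.yaml fragment for an APISIX 2.x
# gateway whose etcd endpoint presents a certificate from a private CA.
# All file paths and hostnames below are placeholders.
apisix:
  ssl:
    # Rendered into nginx.conf as lua_ssl_trusted_certificate, so it is a
    # global trust store: every cosocket TLS handshake, including the etcd
    # client's, verifies the peer against this PEM bundle.
    ssl_trusted_certificate: /path/to/private-ca.pem   # placeholder: CA that signed the etcd server cert

etcd:
  host:
    - "https://etcd01.example.internal:2379"   # placeholder; the https endpoint from the issue
  prefix: /apisix
  timeout: 30
  tls:
    # Keep verification enabled; with the CA above the handshake succeeds.
    verify: true
    # Do not silence the error with `verify: false`: etcd is the gateway's
    # control plane, and accepting any certificate would let an impersonated
    # etcd hand APISIX arbitrary routes and upstreams.
```

Confirm the bundle you point at actually validates the endpoint before restarting, for example with `curl --cacert /path/to/private-ca.pem` against the `/version` URL as done at the top of the issue.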



[GitHub] [apisix] xyz2b commented on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b commented on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850931940


   The ssl_trusted_certificates config in config-default.yaml will be set as the nginx.conf lua_ssl_trusted_certificate config.
   This configuration of nginx affects the global configuration.





[GitHub] [apisix] xyz2b edited a comment on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b edited a comment on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850803662


   I might have said something wrong.
   Since it is a self-signed certificate, the client does not trust the CA organization of the certificate.
   Therefore, you need to configure the client to trust the certificate issued by the CA, that is, you need to configure the CA certificate.
   Like curl, you need to add the --cacert parameter, otherwise an error will be reported. However, apisix does not have a parameter for trusting CA institutions.
   
   curl error
   ```shell
   [app@VM_97_180_centos apisix]$ curl -i https://etcd01.apisix.xxxx.com:2379/version                      
   curl: (60) Peer's Certificate issuer is not recognized.
   More details here: http://curl.haxx.se/docs/sslcerts.html
   
   curl performs SSL certificate verification by default, using a "bundle"
    of Certificate Authority (CA) public keys (CA certs). If the default
    bundle file isn't adequate, you can specify an alternate file
    using the --cacert option.
   If this HTTPS server uses a certificate signed by a CA represented in
    the bundle, the certificate verification probably failed due to a
    problem with the certificate (it might be expired, or the name might
    not match the domain name in the URL).
   If you'd like to turn off curl's verification of the certificate, use
    the -k (or --insecure) option.
   ```





[GitHub] [apisix] xyz2b commented on issue #4333: request help: apisix etcd do not support ca cert config

Posted by GitBox <gi...@apache.org>.
xyz2b commented on issue #4333:
URL: https://github.com/apache/apisix/issues/4333#issuecomment-850764590


   I found the lua_ssl_trusted_certificate configuration in the lua-nginx API, but this will affect all SSL handshakes.

