Posted to notifications@apisix.apache.org by "Sachkov-Aleksandr (via GitHub)" <gi...@apache.org> on 2023/04/27 11:24:57 UTC
[GitHub] [apisix] Sachkov-Aleksandr opened a new issue, #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Sachkov-Aleksandr opened a new issue, #9381:
URL: https://github.com/apache/apisix/issues/9381
### Description
Hello.
I am trying to install APISIX via the Helm chart. At the same time, I need to link the control plane and etcd via mTLS.
I have separately installed an etcd cluster of three nodes, configured values for the control plane and mTLS, and deployed with Helm.
But in APISIX, when deploying, I get the error:
```
/usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
2023/04/27 11:05:55 [emerg] 1#1: the directive "lua_ssl_trusted_certificate" is duplicated in /usr/local/apisix/conf/nginx.conf:240
nginx: [emerg] the directive "lua_ssl_trusted_certificate" is duplicated in /usr/local/apisix/conf/nginx.conf:240
```
Please help me with this problem.
### Environment
- APISIX version (run `apisix version`): 3.2.0-debian
- Operating system (run `uname -a`): K8s 1.22, node OS is debian
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`):
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): bitnami/etcd 3.5.7-debian-11-r14
- APISIX Dashboard version, if relevant: No dashboard
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: notifications-unsubscribe@apisix.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [apisix] Sachkov-Aleksandr commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "Sachkov-Aleksandr (via GitHub)" <gi...@apache.org>.
Sachkov-Aleksandr commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1527404120
> Could you please share the command that you used to install APISIX?
```bash
helm upgrade --install apisix-core apisix-core/
```
[GitHub] [apisix] Sachkov-Aleksandr commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "Sachkov-Aleksandr (via GitHub)" <gi...@apache.org>.
Sachkov-Aleksandr commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1541826010
Hello. Could you please help me with my problem? I installed via Helm and everything works, but the standard Helm chart works without SSL. How can I use it to correctly configure mTLS?
[GitHub] [apisix] shreemaan-abhishek commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1649125089
@Sn0rt, I don't know. I am not sure if the user's query is resolved.
[GitHub] [apisix] shreemaan-abhishek commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1546114548
@Sachkov-Aleksandr, even I tried to implement mTLS between apisix and etcd using helm but was unsuccessful:
```bash
helm upgrade --install apisix apisix/apisix --create-namespace --namespace apisix \
--set ingress-controller.enabled=true \
--set ingress-controller.config.apisix.serviceNamespace=apisix \
--set gateway.stream.enabled=true \
--set etcd.auth.tls.enabled=true \
--set etcd.auth.tls.existingSecret="mtls" \
--set etcd.auth.tls.certFileName="t/certs/mtls_client.crt" \
--set etcd.auth.tls.certKeyFilename="t/certs/mtls_client.key" \
--set gateway.tls.enabled=true \
--set gateway.tls.existingCASecret="ssl" \
--set gateway.tls.certCAFilename="t/certs/mtls_ca.crt"
```
You can take a look at this blog: https://blog.frankel.ch/mtls-everywhere/. It might help you.
Also, you might as well ask this question in the slack channel. You might get some help there.
[GitHub] [apisix] shreemaan-abhishek commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1527491269
What did you do to enable mTLS with etcd?
Also, there is an unknown field `ssl_verify_depth: 2` in your config map. This field is not present in config-default.yaml. Maybe try removing it.
++ try installing apisix using helm charts by the way defined [here](https://apisix.apache.org/docs/helm-chart/apisix/).
[GitHub] [apisix] shreemaan-abhishek commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1525986279
Could you please share the command that you used to install APISIX?
[GitHub] [apisix] Sachkov-Aleksandr commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "Sachkov-Aleksandr (via GitHub)" <gi...@apache.org>.
Sachkov-Aleksandr commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1525524505
Below is my APISIX configmap:
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ include "apisix.fullname" . }}
  namespace: {{ .Values.namespace }}
data:
  config.yaml: |-
    apisix: # universal configurations
      enable_heartbeat: true
      enable_admin: true
      enable_admin_cors: true
      enable_debug: true
      enable_dev_mode: false # Sets nginx worker_processes to 1 if set to true
      enable_reuseport: true # Enable nginx SO_REUSEPORT switch if set to true.
      enable_ipv6: false # Enable nginx IPv6 resolver
      enable_server_tokens: false # Whether the APISIX version number should be shown in Server header
      proxy_cache: # Proxy Caching configuration
        cache_ttl: 10s # The default caching time if the upstream does not specify the cache time
        zones: # The parameters of a cache
          - name: disk_cache_one # The name of the cache, administrator can be specify
                                 # which cache to use by name in the admin api
            memory_size: 50m # The size of shared memory, it's used to store the cache index
            disk_size: 1G # The size of disk, it's used to store the cache data
            disk_path: "/tmp/disk_cache_one" # The path to store the cache data
            cache_levels: "1:2" # The hierarchy levels of a cache
      router:
        http: radixtree_uri # radixtree_uri: match route by uri(base on radixtree)
                            # radixtree_host_uri: match route by host + uri(base on radixtree)
                            # radixtree_uri_with_parameter: match route by uri with parameters
        ssl: 'radixtree_sni' # radixtree_sni: match route by SNI(base on radixtree)
      dns_resolver_valid: 30
      resolver_timeout: 5
      ssl:
        enable: true
        listen:
          - port: 9443
            enable_http2: true
        ssl_protocols: "TLSv1.2 TLSv1.3"
        ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
        ssl_trusted_certificate: "/usr/local/apisix/conf/ssl/ca.crt"
        ssl_verify_depth: 2
    nginx_config: # config for render the template to genarate nginx.conf
      error_log: "/dev/stderr"
      error_log_level: "error" # warn,error
      worker_processes: "auto"
      enable_cpu_affinity: true
      worker_rlimit_nofile: 20480 # the number of files a worker process can open, should be larger than worker_connections
      event:
        worker_connections: 10620
      http:
        enable_access_log: true
        access_log: "/dev/stdout"
        access_log_format: '$remote_addr - $remote_user [$time_local] $http_host \"$request\" $status $body_bytes_sent $request_time \"$http_referer\" \"$http_user_agent\" $upstream_addr $upstream_status $upstream_response_time \"$upstream_scheme://$upstream_host$upstream_uri\"'
        access_log_format_escape: default
        keepalive_timeout: 60s # timeout during which a keep-alive client connection will stay open on the server side.
        client_header_timeout: 60s # timeout for reading client request header, then 408 (Request Time-out) error is returned to the client
        client_body_timeout: 60s # timeout for reading client request body, then 408 (Request Time-out) error is returned to the client
        send_timeout: 10s # timeout for transmitting a response to the client.then the connection is closed
        underscores_in_headers: "on" # default enables the use of underscores in client request header fields
        real_ip_header: "X-Real-IP" # http://nginx.org/en/docs/http/ngx_http_realip_module.html#real_ip_header
        real_ip_from: # http://nginx.org/en/docs/http/ngx_http_realip_module.html#set_real_ip_from
          - 127.0.0.1
          - 'unix:'
    discovery:
    plugins: # plugin list
      - api-breaker
      - authz-keycloak
      - basic-auth
      - batch-requests
      - body-transformer
      - consumer-restriction
      - cors
      - echo
      - fault-injection
      - file-logger
      - grpc-transcode
      - grpc-web
      - hmac-auth
      - http-logger
      - ip-restriction
      - ua-restriction
      - jwt-auth
      - kafka-logger
      - key-auth
      - limit-conn
      - limit-count
      - limit-req
      - node-status
      - openid-connect
      - authz-casbin
      - prometheus
      - proxy-cache
      - proxy-mirror
      - proxy-rewrite
      - redirect
      - referer-restriction
      - request-id
      - request-validation
      - response-rewrite
      - serverless-post-function
      - serverless-pre-function
      - sls-logger
      - syslog
      - tcp-logger
      - udp-logger
      - uri-blocker
      - wolf-rbac
      - zipkin
      - traffic-split
      - gzip
      - real-ip
      - ext-plugin-pre-req
      - ext-plugin-post-req
    stream_plugins:
      - mqtt-proxy
      - ip-restriction
      - limit-conn
    deployment:
      role: control_plane
      role_control_plane:
        config_provider: etcd
        conf_server:
          listen: 0.0.0.0:9280
          cert: "/conf-server-ssl/tls.crt"
          cert_key: "/conf-server-ssl/tls.key"
          client_ca_cert: "/conf-ca-ssl/ca.crt"
      admin:
        allow_admin: # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
          - 0.0.0.0/0
          # - "::/64"
        admin_listen:
          ip: 0.0.0.0
          port: 9180
        admin_key:
          # admin: can everything for configuration data
          - name: "admin"
            key: edd1c9f034335f136f87ad84b625c8f1
            role: admin
          # viewer: only can view configuration data
          - name: "viewer"
            key: 4054f7cf07e344346cd3f287985e76a2
            role: viewer
      etcd:
        host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
          - "https://etcd.apisix.svc.cluster.local:2379" # multiple etcd address
        prefix: "/apisix" # configuration prefix in etcd
        timeout: 30 # 30 seconds
        tls:
          cert: "/etcd-ssl/tls.crt"
          key: "/etcd-ssl/tls.key"
          verify: true
          sni: "etcd.apisix.svc.cluster.local"
      certs:
        cert: "/conf-client-ssl/tls.crt"
        cert_key: "/conf-client-ssl/tls.key"
        trusted_ca_cert: "/conf-ca-ssl/ca.crt"
```
[GitHub] [apisix] Sachkov-Aleksandr commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "Sachkov-Aleksandr (via GitHub)" <gi...@apache.org>.
Sachkov-Aleksandr commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1546537410
> @Sachkov-Aleksandr, even I tried to implement mTLS between apisix and etcd using helm but was unsuccessful
>
> ```shell
> helm upgrade --install apisix apisix/apisix --create-namespace --namespace apisix \
> --set ingress-controller.enabled=true \
> --set ingress-controller.config.apisix.serviceNamespace=apisix \
> --set gateway.stream.enabled=true \
> --set etcd.auth.tls.enabled=true \
> --set etcd.auth.tls.existingSecret="mtls" \
> --set etcd.auth.tls.certFileName="t/certs/mtls_client.crt" \
> --set etcd.auth.tls.certKeyFilename="t/certs/mtls_client.key" \
> --set gateway.tls.enabled=true \
> --set gateway.tls.existingCASecret="ssl" \
> --set gateway.tls.certCAFilename="t/certs/mtls_ca.crt"
> ```
>
> You can take a look at this blog: https://blog.frankel.ch/mtls-everywhere/. It might help you.
>
> Also, you might as well ask this question in the slack channel. You might get some help there.
Can you give me a link to the Slack channel?
[GitHub] [apisix] monkeyDluffy6017 closed issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "monkeyDluffy6017 (via GitHub)" <gi...@apache.org>.
monkeyDluffy6017 closed issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
URL: https://github.com/apache/apisix/issues/9381
[GitHub] [apisix] shreemaan-abhishek commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "shreemaan-abhishek (via GitHub)" <gi...@apache.org>.
shreemaan-abhishek commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1546538856
https://join.slack.com/t/the-asf/shared_invite/zt-1vf0j8c9c-YBzmRKvB0X4Ear0eZG04Rw
On Sat, 13 May 2023 at 11:23, Aleksandr Sachkov wrote:
> Can you give me link on Slack channel?
[GitHub] [apisix] Sn0rt commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "Sn0rt (via GitHub)" <gi...@apache.org>.
Sn0rt commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1647648632
@shreemaan-abhishek can I close this issue?
[GitHub] [apisix] Sachkov-Aleksandr commented on issue #9381: help request: Error "lua_ssl_trusted_certificate" directive is duplicate in /usr/local/apisix/conf/nginx.conf:240
Posted by "Sachkov-Aleksandr (via GitHub)" <gi...@apache.org>.
Sachkov-Aleksandr commented on issue #9381:
URL: https://github.com/apache/apisix/issues/9381#issuecomment-1533423445
> What did you do to enable mTLS with etcd?
>
> Also, there is an unknown field `ssl_verify_depth: 2` in your config map. This field is not present in config-default.yaml. Maybe try removing it.
>
> ++ try installing apisix using helm charts by the way defined [here](https://apisix.apache.org/docs/helm-chart/apisix/).
Thanks for the reply.
I enable mTLS in etcd via these directives in the Helm values:
```yaml
client:
  secureTransport: true
  useAutoTLS: false
  existingSecret: "etcd-client-secret"
  enableAuthentication: true
  certFilename: "tls.crt"
  certKeyFilename: "tls.key"
  caFilename: "ca.crt"
```
And then I enabled mTLS in the APISIX Helm chart by specifying the certificates:
```yaml
etcd:
  enabled: false
  host:
    - https://etcd.apisix.svc.cluster.local:2379
  user: ""
  password: ""
  prefix: "/apisix"
  timeout: 30
  auth:
    rbac:
      create: false
      rootPassword: *************
    tls:
      enabled: true
      existingSecret: "etcd-cp-secret"
      certFilename: "tls.crt"
      certKeyFilename: "tls.key"
      verify: true
      sni: ""
```
I removed the `ssl_verify_depth: 2` directive, but it did not make a difference.
I will also note that initially I installed the chart via Helm, specifying the certificates in values, and received the same error, with one difference: I also set up etcd separately.