Posted to notifications@apisix.apache.org by GitBox <gi...@apache.org> on 2020/12/01 04:20:59 UTC

[GitHub] [apisix] lihansir opened a new issue #2908: bug: use openid-connect plugin https error

lihansir opened a new issue #2908:
URL: https://github.com/apache/apisix/issues/2908


   ### Issue description
   
   
   ### Environment
   
   * apisix version: 2.0
   * OS: Centos7
   
   ### Minimal test code / Steps to reproduce the issue
   1. Use apisix-dashboard, create a route
   2. Enable openid-connect plugin, and fill in discovery and introspection_endpoint, such as "https://xxxxx/oidc/.well-known/openid-configuration" and "https://xxxxx/oidc/token/introspection"
   3. Use Postman to test the configured routing address
   
   ### What's the actual result? (including assertion message & call stack if applicable)
   HTTP response status is 401, and the apisix log file has some errors
   
   /usr/local/apisix/logs/error.log:

       2020/12/01 04:14:54 [error] 43#43: *573137 [lua] openidc.lua:502: call_token_endpoint(): accessing introspection endpoint (https://xxxxx/oidc/token/introspection) failed: 20: unable to get local issuer certificate, client: 10.10.10.10, server: , request: "GET / HTTP/1.1", host: "10.10.10.10:30794"
       2020/12/01 04:14:54 [error] 43#43: *573137 [lua] openid-connect.lua:152: phase_func(): failed to introspect in openidc: accessing introspection endpoint (https://xxxxx/oidc/token/introspection) failed: 20: unable to get local issuer certificate, client: 10.10.10.10, server: , request: "GET / HTTP/1.1", host: "10.10.10.10:30794"
   
   
   ### What's the expected result?
   I hope openid-connect plugin can support https


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [apisix] lihansir commented on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
lihansir commented on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736341557


   If you have anything to offer, please feel free to contact





[GitHub] [apisix] spacewander commented on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736210106


   The error message shows that APISIX doesn't trust the server's certificate.
   What certificate is used by https://xxxxx/oidc/token/introspection?





[GitHub] [apisix] spacewander closed issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
spacewander closed issue #2908:
URL: https://github.com/apache/apisix/issues/2908


   





[GitHub] [apisix] lihansir commented on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
lihansir commented on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736606169


   I've done it myself
   
   1. Install the necessary dependencies
           yum install ca-certificates
           update-ca-trust
   2. Rename certificate
           cp /etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-lua.pem
   3. Modify the configuration file of nginx, config path: /usr/local/apisix/conf/nginx.conf
           Add the following to the "http" tag:
           lua_ssl_trusted_certificate '/etc/ssl/certs/ca-lua.pem';
   4. openresty -p /usr/local/apisix -s reload
   
   ![image](https://user-images.githubusercontent.com/44010674/100756849-9e0e3700-3428-11eb-91ec-4dee251cb1b2.png)
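
A preflight check for the fix described in the comment above, as an added example that is not part of the original thread or of APISIX: it reads the `lua_ssl_trusted_certificate` path from an nginx.conf and confirms the bundle actually holds certificates before the reload. The function names are assumptions, and `verify_endpoint` additionally needs network access and the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example; function names are illustrative assumptions, not APISIX tooling.

# Print the path set by lua_ssl_trusted_certificate, without quotes or semicolon.
trusted_bundle_from_conf() {
    sed -n -E "s/^[[:space:]]*lua_ssl_trusted_certificate[[:space:]]+[\"']?([^\"';[:space:]]+)[\"']?[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Count PEM certificates in a bundle; prints 0 for a missing or empty file.
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Return 0 only when the config names a readable bundle holding certificates.
check_trust_config() {
    local conf="$1" bundle n
    bundle="$(trusted_bundle_from_conf "$conf")"
    if [ -z "$bundle" ]; then
        echo "FAIL: no lua_ssl_trusted_certificate in $conf" >&2
        return 1
    fi
    n="$(count_pem_certs "$bundle")"
    if [ "$n" -eq 0 ]; then
        echo "FAIL: $bundle is missing, unreadable or has no certificates" >&2
        return 2
    fi
    echo "OK: $bundle ($n certificates)"
}

# Online step: handshake with the endpoint host using that bundle and print
# OpenSSL's verdict, e.g. "20 (unable to get local issuer certificate)".
verify_endpoint() {   # usage: verify_endpoint <host> <bundle>
    openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        </dev/null 2>/dev/null | grep -m1 'Verify return code'
}

# Run as: ./check-trust.sh /usr/local/apisix/conf/nginx.conf
[ "$#" -eq 0 ] || check_trust_config "$1"
```

A `Verify return code: 0 (ok)` line from `verify_endpoint` means the bundle covers the endpoint's chain; code 20 is the same failure the plugin logged.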
   





[GitHub] [apisix] lihansir removed a comment on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
lihansir removed a comment on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736341766


   ![image](https://user-images.githubusercontent.com/44010674/100721701-9fc10600-33fa-11eb-8641-237a34245abf.png)
   





[GitHub] [apisix] spacewander commented on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
spacewander commented on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736432044


   Interesting. Can `https://xxxxx/oidc/token/introspection` be accessed publicly? I guess your machine may miss the root CA or intermediate certificate for Let's Encrypt. But since this is an environment problem, I cannot do anything.





[GitHub] [apisix] lihansir commented on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
lihansir commented on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736540161


   Can I ignore the verification of certificates? How to do it?





[GitHub] [apisix] lihansir commented on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
lihansir commented on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736341766


   ![image](https://user-images.githubusercontent.com/44010674/100721701-9fc10600-33fa-11eb-8641-237a34245abf.png)
   





[GitHub] [apisix] lihansir commented on issue #2908: bug: use openid-connect plugin https error

Posted by GitBox <gi...@apache.org>.
lihansir commented on issue #2908:
URL: https://github.com/apache/apisix/issues/2908#issuecomment-736342249


   ![image](https://user-images.githubusercontent.com/44010674/100721771-be270180-33fa-11eb-91f5-7a3901e108d0.png)
   

