-
Notifications
You must be signed in to change notification settings - Fork 524
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
bug: 3.7.0 版本通过apisix-dashboard 创建的证书,会报找不到SNI #2915
Comments
please use english in your issue description and title. |
i have reproduce , i will try to debug it . |
i get the root cause, because apisix v3.7.0 remove validity_end and validity_start so if you import ssl cert at apisix v3.6.0 then ssl cert save to etcd contain properties : validity_end and validity_start .
so i suggest you reimport ssl cert at apisix v3.7.0 and make sure no properties validity_end and validity_start store in etcd. |
@hanqingwu thanks for the insight. @lan11 could you please check if the above solution helps? |
Hope to identify in all> = 3.7 documents |
apisix 3.2.0 and 3.2.2,dashboard 3.0.1 have same question。 |
can we support this change? The question is how to make it compatible with 3.7 and below or launch a new version? |
Here is quick fix. Tested with apisix-3.9.1
|
Do you mean for me to use apisix version 3.9.1? |
No, I only tested with 3.9.1. But I think this patch also can be works with apisix-3.6 or new versions. |
Please see if you can provide the source file? |
I send the PR. But I'm not sure will be accept and merge into main branch. |
通过apisix-dashboard 页面导入证书(泛域名证书),会保找不到对应域名SNI, 将证书内容复制出来,通过 http://127.0.0.1:9180/apisix/admin/ssls/1 导入,可以正常使用 |
we are the same 3.9.0 |
we are the same 3.8.0 |
we are the same 3.10.0 |
Current Behavior
通过apisix-dashboard 页面导入证书(泛域名证书),会保找不到对应域名SNI, 将证书内容复制出来,通过 http://127.0.0.1:9180/apisix/admin/ssls/1 导入,可以正常使用. 同时发现版本下降到3.6.0 ,上述dashboard 页面操作没有发现该问题
Expected Behavior
No response
Error Logs
[error] 48#48: 737 [lua] init.lua:213: http_ssl_client_hello_phase(): failed to match any SSL certificate by SNI: test.ydact.cn, context: ssl_client_hello_by_lua, client: 192.168.205.100, server: 0.0.0.0:443
Steps to Reproduce
1.运行docker
2.通过dashboard 页面导入泛域名证书
3.访问域名会报错,查看apisix日志会报找到证书SNI
4.将证书通过管理接口导入,访问域名正常
5.将apisix版本下降到3.6.0.页面导入证书,访问网站正常
Environment
docker 运行 apache/apisix:3.7.0-debian 和 apache/apisix-dashboard:3.0.1-alpine,bitnami/etcd:3.4.15
The text was updated successfully, but these errors were encountered: