request help: After put my SSL certificate to apisix ,I curl https and then meet some problem #2791

Closed
Hmemories opened this issue Nov 19, 2020 · 19 comments · Fixed by #2815

@Hmemories

Issue description

image
image
image

Environment

  • apisix version (cmd: apisix version): 2.0
  • OS: mac
@Hmemories
Author

I configured SSL locally and access failed

@tokers
Contributor

tokers commented Nov 19, 2020

Is this certificate self-signed?

@Hmemories
Author

Yes

@tokers
Contributor

tokers commented Nov 19, 2020

Yes

Then that's an expected behavior, you may add the -k option to ignore the certificate verification.

@starsz
Contributor

starsz commented Nov 19, 2020

Hi, @Hmemories, have you checked your error log?

@Hmemories
Author

@starsz I saw anything unusual error.log
image

@starsz
Contributor

starsz commented Nov 19, 2020

Hi, @Hmemories, have you put your SSL certificate to apisix before? Or maybe you can check this by doing

etcdctl get /apisix/ssl --prefix --keys-only

See: https://github.com/apache/apisix/blob/master/doc/admin-api.md#ssl

In addition, I think it shouldn't cause Lua's thread to abort.

@Hmemories
Author

I found that key changed to nil through Base64
image
SSL certificate was put in etcd
image
image

@starsz
Contributor

starsz commented Nov 19, 2020

Hi, @Hmemories, I think you should put the SSL certificate with

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

@Hmemories
Author

Here is my SSL certificate
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

@starsz
Contributor

starsz commented Nov 19, 2020

Hi, @Hmemories. You may have failed to get my point.
What I mean is that, when you put your SSL certificate through /apisix/admin/ssl/{id},
the cert and key field in the request body should contain

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Like this. Just put all the content of the SSL certificate into apisix.

curl http://127.0.0.1:9080/apisix/admin/ssl/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "cert": "-----BEGIN CERTIFICATE-----
      ... 
-----END CERTIFICATE-----",
    "key": "-----BEGIN RSA PRIVATE KEY-----
     ....
-----END RSA PRIVATE KEY-----",
    "sni": "test.com"
}'

@idbeta
Contributor

idbeta commented Nov 19, 2020

Why don't you add a title for your issue?
It’s difficult to use curl to send the certificate content here. I suggest you use python, like the following

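import requests

# Full PEM text of the certificate, including the BEGIN/END lines
pem = '''-----BEGIN CERTIFICATE-----
... ...
-----END CERTIFICATE-----'''

# Full PEM text of the matching private key
key = '''-----BEGIN RSA PRIVATE KEY-----
... ...
-----END RSA PRIVATE KEY-----'''

# Request body for the Admin API SSL resource
cdata = {
    "id": "1",
    "cert": pem,
    "key": key,
    "snis": ["xxxx.org"]
}

headers = {
    "X-API-KEY": "edd1c9f034335f136f87ad84b625c8f1"
}

# json= lets requests escape the newlines inside the PEM strings
r = requests.put("http://127.0.0.1:9080/apisix/admin/ssl/1", json=cdata, headers=headers)
print(r.text)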

My env is the master branch, and it was working well

$ curl https://shaoyaoju.org:9443 -v
* Rebuilt URL to: https://shaoyaoju.org:9443/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 7890 (#0)
* Establish HTTP proxy tunnel to shaoyaoju.org:9443
> CONNECT shaoyaoju.org:9443 HTTP/1.1
> Host: shaoyaoju.org:9443
> User-Agent: curl/7.54.0
> Proxy-Connection: Keep-Alive
> 
< HTTP/1.1 200 Connection established
< 
* Proxy replied OK to CONNECT request
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):

* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: self signed certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate

@Hmemories
Author

@starsz ok
curl http://127.0.0.1:9080/apisix/admin/ssl/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"cert": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAshFIfimTMxtgifJsLZuI
UwIDAQAB",
"key": "MIIEogIBAAKCAQEAshFIfimTMxtgifJsLZuIRW+OFipzscVzoK3H73JvQx4V4POd
gcffre5rKntdZGkJQ8eNoM9ZGGMNz0qKUuimHSc3Cluaj58WXzI=",
"sni": "test.com"
}'

@Hmemories Hmemories changed the title request help: request help: After put my SSL certificate to apisix ,I curl https and then meet some problem Nov 19, 2020
@Hmemories
Author

@idbeta ok, I'll try

@starsz
Contributor

starsz commented Nov 19, 2020

@Hmemories Like this:

curl http://127.0.0.1:9080/apisix/admin/ssl/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"cert": "-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----",
"key": "-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----",
"sni": "test.com"
}'

@Hmemories
Author

@starsz ok, I got it

@Hmemories
Author

@starsz I did it with you, but it can't work
image

@starsz
Contributor

starsz commented Nov 20, 2020

@Hmemories. Emmmm. You have only generated a private key so far.
As the next step, you should generate the .csr and .crt from this key.
Finally, put the content of the ".crt" and ".key" files into apisix.

Maybe you should take some time to learn how to generate an SSL certificate.

@Hmemories
Author

ok, thanks
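
Added example, not part of the original thread and not APISIX code: a pre-flight check in Python that catches the two mistakes seen above (PEM BEGIN/END lines stripped, and a PUBLIC KEY block sent in the cert field) before the body is PUT to the Admin API. The function names and sample payloads are constructed for illustration; only the cert, key and sni field names come from the thread.

```python
import base64
import re

# PEM armor: -----BEGIN <label>-----, base64 body, -----END <label>-----
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Return [(label, der_bytes)] for every well-formed PEM block in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # armor present but the body is not valid base64
        if der[:1] == b"\x30":  # certificates and keys are DER SEQUENCEs
            blocks.append((label, der))
    return blocks


def check_ssl_payload(payload):
    """Return a list of problems in the cert/key fields; empty means OK."""
    problems = []
    cert = [label for label, _ in pem_blocks(payload.get("cert", ""))]
    key = [label for label, _ in pem_blocks(payload.get("key", ""))]
    if not cert:
        problems.append("cert: no PEM block (BEGIN/END lines missing?)")
    elif cert[0] != "CERTIFICATE":
        problems.append("cert: found %r, expected 'CERTIFICATE'" % cert[0])
    if not key:
        problems.append("key: no PEM block (BEGIN/END lines missing?)")
    elif key[0] not in KEY_LABELS:
        problems.append("key: found %r, expected a private key" % key[0])
    return problems


# Constructed sample data: a 5-byte DER stub, not a real certificate or key.
STUB = "MAMCAQA="


def armor(label):
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, STUB, label)


GOOD = {"cert": armor("CERTIFICATE"), "key": armor("RSA PRIVATE KEY"), "sni": "test.com"}
BARE = {"cert": STUB, "key": STUB, "sni": "test.com"}  # headers stripped
PUBKEY = {"cert": armor("PUBLIC KEY"), "key": armor("RSA PRIVATE KEY"), "sni": "test.com"}

if __name__ == "__main__":
    for name, body in (("good", GOOD), ("bare", BARE), ("pubkey", PUBKEY)):
        print(name, check_ssl_payload(body))
```

The check is structural only: it does not parse the certificate or confirm that the private key matches it.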
