Kong / kong-plugin-acme

Let's Encrypt and ACMEv2 integration with Kong - this plugin has been moved into https://github.com/Kong/kong, please open issues and PRs in that repo
Apache License 2.0

What is the purpose of KONG_LUA_SSL_TRUSTED_CERTIFICATE with Kong Docker in DBless mode? #28

Closed alexandruhog closed 4 years ago

alexandruhog commented 4 years ago

Hello everyone. I have been trying for 2 days to enable the ACME plugin, but with no good results. I don't understand exactly what value this env var KONG_LUA_SSL_TRUSTED_CERTIFICATE is supposed to have. This is my .yml for Kong in Docker:

reverse-proxy:
  image: kong:latest
  volumes:
    - load-balancer-kong-nfs:/usr/local/kong/declarative
  ports:
    - 80:8000
    - 443:8443
    - 8001:8001
    - 8444:8444
  environment:
    KONG_DATABASE: 'off'
    KONG_DECLARATIVE_CONFIG: /usr/local/kong/declarative/kong.yml
    KONG_PROXY_ACCESS_LOG: /dev/stdout
    KONG_ADMIN_ACCESS_LOG: /dev/stdout
    KONG_PROXY_ERROR_LOG: /dev/stderr
    KONG_ADMIN_ERROR_LOG: /dev/stderr
    KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
  deploy:
    placement:
      constraints: [node.role == manager]

I have successfully set up TLS termination with Kong the old way, with the "Certificates" object, but I would love to use the new ACME plugin. Please help me.

Thank you in advance!

fffonion commented 4 years ago

@alexandruhog kong:latest is built on Alpine; in that case you will need KONG_LUA_SSL_TRUSTED_CERTIFICATE to be /etc/ssl/cert.pem

alexandruhog commented 4 years ago

OK, thank you, but what should this file "/etc/ssl/cert.pem" be used for? I mean, do I have to pass a .pem file at build time of the container, or what?

fffonion commented 4 years ago

@alexandruhog that will be the CA certificate bundle that the plugin uses to validate the Let's Encrypt API. This pem is already included in the kong image; you don't need to provide it yourself.

alexandruhog commented 4 years ago

Oh my God, thank you so much, I've been hurting my head over the internet in the past 2 days in vain. One more question, regarding the .yml for configuration. Is this valid (ignoring the lack of config.storage_config options)?

_format_version: "1.1"

services:
  - name: dummy-server-lb
    url: http://dummy-server_api-gateway:8000
    routes:
      - name: dummy-server-api-gateway
        hosts:
          - dns1.dummy.server
          - dns2.dummy.server
        preserve_host: true
        paths:
          - /

  - name: dns1-acme-dummy
    url: http://127.0.0.1:65535
    routes:
      - name: dns1-dummy-routes
        paths:
          - /.well-known/acme-challenge
        hosts:
          - dns1.dummy.server

  - name: dns2-acme-dummy
    url: http://127.0.0.1:65535
    routes:
      - name: dns2-dummy-routes
        paths:
          - /.well-known/acme-challenge
        hosts:
          - dns2.dummy.server

plugins:
  - name: acme
    config:
      account_email: mail@mail.com
      domains:
        - dns1.dummy.server
        - dns2.dummy.server
      tos_accepted: true

Thank you very, very much!

fffonion commented 4 years ago

@alexandruhog since you already have a catch-all route:

services:
  - name: dummy-server-lb
    url: http://dummy-server_api-gateway:8000
    routes:
      - name: dummy-server-api-gateway
        hosts:
          - dns1.dummy.server
          - dns2.dummy.server
        preserve_host: true
        paths:
          - / # here including /.well-known/acme-challenge

there's actually no need to add dns1-acme-dummy and dns2-acme-dummy.

Also, Kong Nation can be a good resource in case you get stuck next time :)
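The two points made in this thread (the CA bundle setting the plugin needs to verify the ACME API, and the catch-all route already covering the HTTP-01 challenge path) can be checked offline. The following is an added example, not code from the issue or from Kong: ENV and CONFIG are constructed to mirror the compose environment and declarative config posted above, and the route matching assumes exact hosts and plain prefix paths, which is all the posted routes use.

```python
# Added example (not from the issue or the Kong project). ENV and CONFIG are
# constructed to mirror the thread's compose environment and declarative
# config, loaded here as dicts (PyYAML would yield the same shape).
CHALLENGE_PREFIX = "/.well-known/acme-challenge"

ENV = {"KONG_DATABASE": "off",
       "KONG_DECLARATIVE_CONFIG": "/usr/local/kong/declarative/kong.yml",
       "KONG_LUA_SSL_TRUSTED_CERTIFICATE": "/etc/ssl/cert.pem"}  # Alpine bundle

CONFIG = {
    "services": [
        {"name": "dummy-server-lb", "routes": [{"name": "dummy-server-api-gateway",
            "hosts": ["dns1.dummy.server", "dns2.dummy.server"], "paths": ["/"]}]},
        {"name": "dns1-acme-dummy", "routes": [{"name": "dns1-dummy-routes",
            "hosts": ["dns1.dummy.server"], "paths": [CHALLENGE_PREFIX]}]},
    ],
    "plugins": [{"name": "acme", "config": {"tos_accepted": True,
        "domains": ["dns1.dummy.server", "dns2.dummy.server"]}}],
}

def challenge_routes(config, host):
    """(route name, path) pairs that would answer an HTTP-01 challenge for host."""
    hits = []
    for svc in config.get("services", []):
        for route in svc.get("routes", []):
            if host not in route.get("hosts", []):
                continue
            for path in route.get("paths", ["/"]):
                # Prefix match: "/" covers everything, the exact challenge path covers itself.
                if (CHALLENGE_PREFIX + "/").startswith(path.rstrip("/") + "/"):
                    hits.append((route["name"], path))
    return hits

def check_acme_setup(env, config):
    """Return findings as strings; an empty list means nothing to flag."""
    findings = []
    acme = [p for p in config.get("plugins", []) if p.get("name") == "acme"]
    if not acme:
        return ["acme plugin not configured"]
    if not env.get("KONG_LUA_SSL_TRUSTED_CERTIFICATE"):
        findings.append("KONG_LUA_SSL_TRUSTED_CERTIFICATE unset: plugin cannot verify the ACME API TLS chain")
    for domain in acme[0]["config"].get("domains", []):
        hits = challenge_routes(config, domain)
        if not hits:
            findings.append(f"{domain}: no route serves {CHALLENGE_PREFIX}")
        elif len(hits) > 1:
            names = ", ".join(name for name, _ in hits)
            findings.append(f"{domain}: {len(hits)} routes cover the challenge path ({names}); the catch-all makes the rest redundant")
    return findings
```

Run against the thread's config, this reports only that dns1-dummy-routes is redundant next to the catch-all; dropping KONG_LUA_SSL_TRUSTED_CERTIFICATE from ENV adds the CA bundle finding.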

alexandruhog commented 4 years ago

Thank you very much for your time. I recently started to play with Kong and I didn't know a better place to address this question. Thank you, it is all clear now. I will close the issue :)