Self-signed certificate error upon hitting proxy-URL in kong

[KDTEC]

Is there an existing issue for this?

• [X] I have searched the existing issues

Kong version ($ kong version)

3.7.1.2

Current Behavior

I have installed kong in hybrid mode in my Kubernetes cluster:

This is the control-plane.yaml:

flavor: helm_simple metadata: {} kind: helm provided: false disabled: false version: '0.1' spec: helm: namespace: default repository: 'https://charts.konghq.com' wait: false recreate_pods: false chart: kong values: ingressController: enabled: false image: repository: kong/kong-gateway tag: 3.7.1.2 secretVolumes:

• kong-cluster-cert
• kong-proxy-cert env: role: control_plane cluster_cert: /etc/secrets/kong-cluster-cert/fullchain.crt cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key database: postgres cluster_mtls: pki pg_database: postgres pg_user: '${postgres.postgres-kong.out.interfaces.reader.username}' pg_password: '${postgres.postgres-kong.out.interfaces.writer.password}' pg_host: '${postgres.postgres-kong.out.interfaces.writer.host}' pg_ssl: 'on' password: admin cluster_ca_cert: /etc/secrets/kong-cluster-cert/ca-cert.pem pg_schema: '' admin_gui_url: 'https://kong-manager-dev-ksa-01.example.com' admin_gui_api_url: 'https://kong-admin-dev-ksa-01.example.com' admin_gui_session_conf: '{"secret":"secret","storage":"postgres","cookie_secure":true}' enterprise: enabled: true license_secret: kong-enterprise-license vitals: enabled: true rbac: enabled: true admin_gui_auth: basic-auth session_conf_secret: kong admin: enabled: true http: enabled: true type: ClusterIP tls: enabled: false cluster: enabled: true tls: enabled: true clustertelemetry: enabled: true tls: enabled: true manager: enabled: true type: ClusterIP http: enabled: true tls: enabled: false proxy: enabled: false

This is my data-plane.yaml:

flavor: helm_simple metadata: {} kind: helm provided: false disabled: false version: '0.1' spec: helm: namespace: default repository: 'https://charts.konghq.com' wait: false recreate_pods: false chart: kong values: ingressController: enabled: false image: repository: kong/kong-gateway tag: 3.7.1.2 secretVolumes:

• kong-cluster-cert env: role: data_plane database: 'off' cluster_control_plane: 'kong-cp-kong-cluster.default.svc.cluster.local:8005' cluster_telemetry_endpoint: 'kong-cp-kong-clustertelemetry.default.svc.cluster.local:8006' lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/ca-cert.pem cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key cluster_ca_cert: /etc/secrets/kong-cluster-cert/ca-cert.pem cluster_mtls: pki cluster_server_name: kong-admin-dev-ksa-01.example.com log_level: debug proxy_listen: '0.0.0.0:8000, 0.0.0.0:8443 ssl' proxy_ssl_cert: /etc/secrets/kong-cluster-cert/tls.crt proxy_ssl_cert_key: /etc/secrets/kong-cluster-cert/tls.key enterprise: enabled: true license_secret: kong-enterprise-license proxy: enabled: true admin: enabled: false manager: enabled: false

I have uploaded my CA-signed go daddy certificate as a Kubernetes secret. I could also see the certificates at /etc/secrets/kong-cluster-cert inside my pods. But Upon hitting my https://kong-proxy-dev-ksa-01.example.com/service/api-endpoint, I am getting self-signed notification in my postman, along with the correct api response. which means it is not referring to my CA-signed certificate and still using the self signed certificate.

My kong-admin API and kong-manager GUI are working perfectly fine Both my kong-control plane and kong-data-plane are in the same namespace “default” The CN of my CA-signed certificate is: *.example.com

What am I missing here. Please help!!!

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response

[chobits]

Please show your client reported error, especially like curl -sv -o /dev/null ... results.

If your nginx error log has some information associated to SSL/verification, please post them here.

[chobits]

And also I think this might not be a kong problem if it is related to cert verification, you could create a minimal case to test your ceritifcate verfication problem, like using nginx: https://nginx.org/en/docs/http/configuring_https_servers.html

[KDTEC]

So the issue is resolved now. I can't say it was a certificate issue. What I did different this time is used the kong ingress controller. And 1 major change: inside the data-plane configuration yaml:

I changed the ports to 443 from 8005 and 8006 respectively.

This helps in establishing connection between dataplane and control plane nodes since I am running kong in hybrid mode.

"cluster_control_plane": "kong-cluster-dev-ksa-01.example.com:443",
"cluster_telemetry_endpoint": "kong-clustertelemetry-dev-ksa-01.example.com:443",