Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

Why my own SSL certificate does not work? #2359

Closed fancy512 closed 7 years ago

fancy512 commented 7 years ago

I added a custom certificate to Kong, but it did not seem to work!

1. Use the following steps to create a custom certificate:

    a. openssl genrsa -des3 -out server.key 2048
    b. openssl req -new -key server.key -out server.csr -sha256
    c. cp server.key server.key.org
    d. openssl rsa -in server.key.org -out server.key
    e. openssl x509 -req -in server.csr -signkey server.key -out server.crt -sha256

2. Upload SSL certificate and key via the Admin API:

    curl -i -X POST http://localhost:8001/certificates \
      -F "cert=@/usr/local/kong/ssla/server.crt" \
      -F "key=@/usr/local/kong/ssla/server.key" \
      -F "snis=api.com"

3. Add API:

    curl -i -X POST http://localhost:8001/apis \
      -d "name=ssl-api" \
      -d "upstream_url=http://my-api.com" \
      -d "hosts=api.com"

4. Visit this API:

    curl -i -k -v https://localhost:8443/ \
      -H "Host: api.com"

There is a part of the response information:

    Connected to localhost (127.0.0.1) port 8443 (#0)

Based on this information I found that my custom certificate does not seem to work. Then I checked the certificate under the Kong default path '/usr/local/ssl' with the command:

    openssl x509 -in admin-kong-default.crt -text -noout

Then I got some messages:

    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: 14431384435248772324 (0xc84693aee01ab4e4)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=California, L=San Francisco, O=Kong, OU=IT Department, CN=localhost
            Validity
                Not Before: Mar 13 01:45:51 2017 GMT
                Not After : Apr 12 01:45:51 2017 GMT
            Subject: C=US, ST=California, L=San Francisco, O=Kong, OU=IT Department, CN=localhost

At this point I feel my certificate seems to have no effect, and the one in use seems to be the Kong default certificate. I do not know whether there is a problem with my commands. I did not change any configuration file; all are the defaults. Does the configuration file need to be changed?

Thank you !

trevortao commented 7 years ago

Hi Fancy: I used Kong a long time ago and maybe I have forgotten the actual reason for this issue. After some initial thought on your issue, I think maybe you should access your API with the following URL:

    curl -i -k -v https://api.com:8443/ -H "Host: api.com"

instead of your original way:

    curl -i -k -v https://localhost:8443/ -H "Host: api.com"

The reason may lie in the SNI check on HTTPS access. And to use api.com instead of localhost, you should add your domain name "api.com" to /etc/hosts or something like that.

elapse2039 commented 7 years ago

Is this similar/identical to https://github.com/Mashape/kong/issues/2337?

p0pr0ck5 commented 7 years ago

@fancy512 can you show us the output of curl localhost:8001/certificates and curl localhost:8001/snis?

p0pr0ck5 commented 7 years ago

Closing as stale, after no response. Please feel free to re-open this if there are still pending issues.

Arlus commented 6 years ago

@p0pr0ck5 I'm experiencing the same issue.

stevenkitter commented 6 years ago

    {"fields":{"cert":"required field missing","key":"required field missing"},"name":"schema violation","code":2,"message":"2 schema violations (cert: required field missing; key: required field missing)"}

I got this response.

vietkute02 commented 5 years ago

Hi all, I've same issue here.

pcpiela commented 5 years ago

So do I

xiaoshumiao6 commented 5 years ago

so do i

krish7919 commented 4 years ago

Hmmm same here.. Any way I can find where kong stores the final nginx.conf file in the docker container?

SteveRuben commented 4 years ago

So I do

hbagdi commented 4 years ago

Please open a new issue. Let's avoid resurrecting old threads.