Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

[BC break] PUT /certificates changed behaviour between kong 1.4 and 1.5 #5652

Closed luispabon closed 4 years ago

luispabon commented 4 years ago

Summary

On kong >= 1.0 <= 1.5 it was possible to PUT to /certificates in order to create or update certificates while specifying a list of SNIs.

On Kong 1.5 however, the same request would return a 400 error due to an sni already associated with a certificate.

This is in line with Kong's documentation for the endpoint in particular: https://docs.konghq.com/1.5.x/admin-api/#update-certificate-1

Steps To Reproduce

  1. PUT /certificates/domain with { "cert": "certpayload", "key": "keypayload", "snis": ["domain", "domain2", ...]}
  2. Response HTTP 400, message schema violation (snis: domain already associated with existing certificate)

Additional Details & Logs

{
  "plugins": {
    "enabled_in_cluster": [
      "correlation-id"
    ],
    "available_on_server": {
      "correlation-id": true,
      "pre-function": true,
      "cors": true,
      "ldap-auth": true,
      "loggly": true,
      "hmac-auth": true,
      "zipkin": true,
      "request-size-limiting": true,
      "azure-functions": true,
      "request-transformer": true,
      "oauth2": true,
      "response-transformer": true,
      "ip-restriction": true,
      "statsd": true,
      "jwt": true,
      "proxy-cache": true,
      "basic-auth": true,
      "key-auth": true,
      "http-log": true,
      "datadog": true,
      "tcp-log": true,
      "rate-limiting": true,
      "post-function": true,
      "prometheus": true,
      "acl": true,
      "kubernetes-sidecar-injector": true,
      "syslog": true,
      "file-log": true,
      "udp-log": true,
      "response-ratelimiting": true,
      "aws-lambda": true,
      "session": true,
      "bot-detection": true,
      "request-termination": true
    }
  },
  "tagline": "Welcome to kong",
  "configuration": {
    "error_default_type": "text/plain",
    "client_ssl": false,
    "proxy_access_log": "/dev/stdout",
    "trusted_ips": {},
    "prefix": "/usr/local/kong",
    "loaded_plugins": {
      "session": true,
      "pre-function": true,
      "cors": true,
      "ldap-auth": true,
      "loggly": true,
      "hmac-auth": true,
      "zipkin": true,
      "request-size-limiting": true,
      "azure-functions": true,
      "request-transformer": true,
      "oauth2": true,
      "response-transformer": true,
      "syslog": true,
      "statsd": true,
      "jwt": true,
      "proxy-cache": true,
      "basic-auth": true,
      "key-auth": true,
      "http-log": true,
      "datadog": true,
      "tcp-log": true,
      "correlation-id": true,
      "post-function": true,
      "bot-detection": true,
      "acl": true,
      "kubernetes-sidecar-injector": true,
      "ip-restriction": true,
      "file-log": true,
      "udp-log": true,
      "response-ratelimiting": true,
      "aws-lambda": true,
      "rate-limiting": true,
      "prometheus": true,
      "request-termination": true
    },
    "cassandra_username": "kong",
    "ssl_cert_key": "/usr/local/kong/ssl/kong-default.key",
    "dns_resolver": {},
    "pg_user": "EDITED",
    "mem_cache_size": "128m",
    "ssl_ciphers": "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256",
    "nginx_admin_directives": {},
    "nginx_http_upstream_directives": [
      {
        "value": "60s",
        "name": "keepalive_timeout"
      },
      {
        "value": "100",
        "name": "keepalive_requests"
      },
      {
        "value": "60",
        "name": "keepalive"
      }
    ],
    "nginx_http_directives": [
      {
        "value": "TLSv1.1 TLSv1.2 TLSv1.3",
        "name": "ssl_protocols"
      },
      {
        "value": "prometheus_metrics 5m",
        "name": "lua_shared_dict"
      }
    ],
    "pg_host": "EDITED",
    "nginx_acc_logs": "/usr/local/kong/logs/access.log",
    "pg_semaphore_timeout": 60000,
    "proxy_listen": [
      "0.0.0.0:8000",
      "0.0.0.0:8443 http2 ssl"
    ],
    "nginx_kong_stream_conf": "/usr/local/kong/nginx-kong-stream.conf",
    "ssl_cert_key_default": "/usr/local/kong/ssl/kong-default.key",
    "dns_no_sync": false,
    "db_update_propagation": 0,
    "stream_listen": [
      "off"
    ],
    "nginx_err_logs": "/usr/local/kong/logs/error.log",
    "cassandra_port": 9042,
    "dns_order": [
      "LAST",
      "SRV",
      "A",
      "CNAME"
    ],
    "dns_error_ttl": 1,
    "headers": [
      "server_tokens",
      "latency_tokens"
    ],
    "admin_listen": [
      "0.0.0.0:8001"
    ],
    "admin_access_log": "/dev/stdout",
    "status_listen": [
      "off"
    ],
    "cassandra_lb_policy": "RequestRoundRobin",
    "nginx_optimizations": true,
    "nginx_http_upstream_keepalive_timeout": "60s",
    "router_update_frequency": 1,
    "pg_timeout": 5000,
    "nginx_conf": "/usr/local/kong/nginx.conf",
    "nginx_http_upstream_keepalive_requests": "100",
    "database": "postgres",
    "db_update_frequency": 5,
    "dns_stale_ttl": 4,
    "origins": {},
    "pg_database": "EDITED",
    "nginx_worker_processes": "auto",
    "ssl_cert_csr_default": "/usr/local/kong/ssl/kong-default.csr",
    "lua_package_cpath": "",
    "proxy_error_log": "/dev/stderr",
    "admin_acc_logs": "/usr/local/kong/logs/admin_access.log",
    "client_ssl_cert_default": "/usr/local/kong/ssl/kong-default.crt",
    "cassandra_refresh_frequency": 60,
    "lua_package_path": "./?.lua;./?/init.lua;",
    "nginx_pid": "/usr/local/kong/pids/nginx.pid",
    "upstream_keepalive": 60,
    "admin_error_log": "/dev/stderr",
    "router_consistency": "strict",
    "nginx_sproxy_directives": {},
    "pg_ssl_verify": false,
    "pg_max_concurrent_queries": 0,
    "ssl_cipher_suite": "modern",
    "nginx_proxy_directives": {},
    "proxy_listeners": [
      {
        "listener": "0.0.0.0:8000",
        "proxy_protocol": false,
        "reuseport": false,
        "transparent": false,
        "ssl": false,
        "ip": "0.0.0.0",
        "deferred": false,
        "http2": false,
        "port": 8000,
        "bind": false
      },
      {
        "listener": "0.0.0.0:8443 ssl http2",
        "proxy_protocol": false,
        "reuseport": false,
        "transparent": false,
        "ssl": true,
        "ip": "0.0.0.0",
        "deferred": false,
        "http2": true,
        "port": 8443,
        "bind": false
      }
    ],
    "proxy_ssl_enabled": true,
    "nginx_http_upstream_keepalive": "60",
    "db_cache_warmup_entities": [
      "services",
      "plugins"
    ],
    "enabled_headers": {
      "latency_tokens": true,
      "X-Kong-Response-Latency": true,
      "Server": true,
      "X-Kong-Admin-Latency": true,
      "X-Kong-Upstream-Status": false,
      "Via": true,
      "X-Kong-Proxy-Latency": true,
      "server_tokens": true,
      "X-Kong-Upstream-Latency": true
    },
    "nginx_http_ssl_protocols": "TLSv1.1 TLSv1.2 TLSv1.3",
    "nginx_stream_directives": {},
    "db_resurrect_ttl": 30,
    "db_cache_ttl": 0,
    "cassandra_consistency": "ONE",
    "client_max_body_size": "0",
    "service_mesh": false,
    "status_listeners": {},
    "dns_not_found_ttl": 30,
    "pg_ssl": false,
    "cassandra_data_centers": [
      "dc1:2",
      "dc2:3"
    ],
    "status_access_log": "off",
    "cassandra_repl_strategy": "SimpleStrategy",
    "status_error_log": "logs/status_error.log",
    "kong_env": "/usr/local/kong/.kong_env",
    "cassandra_timeout": 5000,
    "cassandra_contact_points": [
      "127.0.0.1"
    ],
    "nginx_kong_conf": "/usr/local/kong/nginx-kong.conf",
    "real_ip_header": "X-Real-IP",
    "dns_hostsfile": "/etc/hosts",
    "admin_listeners": [
      {
        "listener": "0.0.0.0:8001",
        "proxy_protocol": false,
        "reuseport": false,
        "transparent": false,
        "ssl": false,
        "ip": "0.0.0.0",
        "deferred": false,
        "http2": false,
        "port": 8001,
        "bind": false
      }
    ],
    "cassandra_schema_consensus_timeout": 10000,
    "ssl_cert": "/usr/local/kong/ssl/kong-default.crt",
    "log_level": "notice",
    "admin_ssl_cert_key_default": "/usr/local/kong/ssl/admin-kong-default.key",
    "cassandra_ssl_verify": false,
    "plugins": [
      "bundled"
    ],
    "nginx_http_status_directives": {},
    "real_ip_recursive": "off",
    "cassandra_repl_factor": 1,
    "client_ssl_cert_key_default": "/usr/local/kong/ssl/kong-default.key",
    "nginx_daemon": "off",
    "anonymous_reports": true,
    "stream_listeners": {},
    "lua_socket_pool_size": 30,
    "pg_port": 5432,
    "admin_ssl_cert_default": "/usr/local/kong/ssl/admin-kong-default.crt",
    "client_body_buffer_size": "8k",
    "ssl_preread_enabled": true,
    "lua_ssl_verify_depth": 1,
    "pg_password": "EDITED",
    "cassandra_keyspace": "kong",
    "ssl_cert_default": "/usr/local/kong/ssl/kong-default.crt",
    "cassandra_ssl": false,
    "admin_ssl_enabled": false
  },
  "version": "1.5.1",
  "node_id": "f7848819-c83e-43b2-a5fc-d4bc1061e6cf",
  "lua_version": "LuaJIT 2.1.0-beta3",
  "prng_seeds": {
    "pid: 31": 127200801062,
    "pid: 1": 132101224823
  },
  "timers": {
    "pending": 7,
    "running": 0
  },
  "hostname": "kong-4j4fq"
}

bungle commented 4 years ago

I tried this with next branch, and could not reproduce. So looks like a bug in 1.5.x?

luispabon commented 4 years ago

This also happens with 2.0.x by the way, although I didn't think anything of it being a new major version and bc breaks are expected.

bungle commented 4 years ago

@luispabon, sure it was not what we planned to do. Thus it is a bug.

bungle commented 4 years ago

@luispabon,

So is this issue about the fact that domain is repeated both in snis and in the uri? You can also use a uuid in the uri if you want. Also, if you remove the repeated domain from snis, does it work, and still add both snis? I didn't see the error in your first post with 2.0.2:

$ http PUT :8001/certificates/domain.com cert=@spec/fixtures/kong_spec.crt key=@spec/fixtures/kong_spec.key snis:='["domain2.com","domain3.com"]' -v
PUT /certificates/domain.com HTTP/1.1
Accept: application/json, */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 2029
Content-Type: application/json
Host: localhost:8001
User-Agent: HTTPie/2.0.0

{
    "cert": "-----BEGIN CERTIFICATE-----\nMIICwTCCAiqgAwIBAgIJAOloHn/ZJQw8MA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp\nc2NvMRIwEAYDVQQKDAlLb25nIFNwZWMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIw\nEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTgwOTI2MTQ0MTE2WhcNMzgwOTIxMTQ0MTE2\nWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN\nU2FuIEZyYW5jaXNjbzESMBAGA1UECgwJS29uZyBTcGVjMRQwEgYDVQQLDAtFbmdp\nbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQC/QqEXsZFIY/hHqtMro+hkhHwbydvPHGhe/rqiOHXUVGnjJ9bBgrk6\niLFnu7L0OxsMPdckxjCLFYO2nGERlAN1wXxw0cLLUF0v1sOhJT+57pBfTgmfzLvp\niLLOWMhayRcjZWJdHGcKUG3xh6o8MghdZIVoewlyqzViRXvR3U1VYwIDAQABo1Mw\nUTAdBgNVHQ4EFgQUgIzN48PLQMbLWg4muR2QZqhJXicwHwYDVR0jBBgwFoAUgIzN\n48PLQMbLWg4muR2QZqhJXicwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF\nAAOBgQArRbblXU7zocrHf5rVrFTWJsaA2aSSJ4CmY1SGRQVyAUzyJXX+Koe+qkP/\niEnA4TUWZfGQOkN5E8ybUxOWv7+6GBjMooLf7WAj5TCtyfOSFASIBrFNGevL4GgH\nJ65KdKlncizFAjSxk1KMRBXMGYDyeBGHARvAVKaknDTD7CReEg==\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL9CoRexkUhj+Eeq\n0yuj6GSEfBvJ288caF7+uqI4ddRUaeMn1sGCuTqIsWe7svQ7Gww91yTGMIsVg7ac\nYRGUA3XBfHDRwstQXS/Ww6ElP7nukF9OCZ/Mu+mIss5YyFrJFyNlYl0cZwpQbfGH\nqjwyCF1khWh7CXKrNWJFe9HdTVVjAgMBAAECgYAZn4eNcRCRrjL5Bv27fv4HWWh3\nIJf+K0QgVegTC5VdmOGGuTOgQS8nlGCQESlsZu68uRw1pQej2oIG2PR4Mmg0Bvkv\nXKYdO0TY98nWIjWSrR6y/Yt/RoiXDfLa8d0cqb734kh7kPuQHpCCpEWcKRMb8jdp\nLIpS21TVUkUz4LwYIQJBAO+4PlDVV2r54VYaJLeSv5qHMYna57b+mGaHC0SMKav4\nnp7OxWhCEkXzQXO4Qjnqimr96pGlbOnFZbpAVw+S1GUCQQDMP99LPD0oJ9Gw+y/N\nUd1xRQGOk8/vQYcO/PfGNXhoPST8rnraimdb+/5t+alM7UbdcMRbWgKO8j3h0FoX\nUnInAkBUid0wFIynpUfaXY3lT1NS46qMuy5MUqzcO3O10NhBVYRa7QChK+vVz1ud\nu7VfR19ZLAK1KmmmZ37gmCAb1eQhAkEAvQM+uHj+f3KZ8pYBHphrvK6HSlIvUtHp\nEk23XY2N56jt2Yf92M/L5qvEQDGSIsZRlgsNKxyY0YALFDWjqYF6cQJAfDJi8Uya\njc9UZeMLtQi3eLugwB/Qx6p1xhjj358Hhprg7rFtqbZNA0IHJYuTx6W+2CXT2GpW\nt842/FWkibh8xg==\n-----END PRIVATE KEY-----\n",
    "snis": [
        "domain2.com",
        "domain3.com"
    ]
}

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 2134
Content-Type: application/json; charset=utf-8
Date: Tue, 10 Mar 2020 18:03:27 GMT
Server: kong/2.0.2
X-Kong-Admin-Latency: 12

{
    "cert": "-----BEGIN CERTIFICATE-----\nMIICwTCCAiqgAwIBAgIJAOloHn/ZJQw8MA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp\nc2NvMRIwEAYDVQQKDAlLb25nIFNwZWMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIw\nEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTgwOTI2MTQ0MTE2WhcNMzgwOTIxMTQ0MTE2\nWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN\nU2FuIEZyYW5jaXNjbzESMBAGA1UECgwJS29uZyBTcGVjMRQwEgYDVQQLDAtFbmdp\nbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQC/QqEXsZFIY/hHqtMro+hkhHwbydvPHGhe/rqiOHXUVGnjJ9bBgrk6\niLFnu7L0OxsMPdckxjCLFYO2nGERlAN1wXxw0cLLUF0v1sOhJT+57pBfTgmfzLvp\niLLOWMhayRcjZWJdHGcKUG3xh6o8MghdZIVoewlyqzViRXvR3U1VYwIDAQABo1Mw\nUTAdBgNVHQ4EFgQUgIzN48PLQMbLWg4muR2QZqhJXicwHwYDVR0jBBgwFoAUgIzN\n48PLQMbLWg4muR2QZqhJXicwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF\nAAOBgQArRbblXU7zocrHf5rVrFTWJsaA2aSSJ4CmY1SGRQVyAUzyJXX+Koe+qkP/\niEnA4TUWZfGQOkN5E8ybUxOWv7+6GBjMooLf7WAj5TCtyfOSFASIBrFNGevL4GgH\nJ65KdKlncizFAjSxk1KMRBXMGYDyeBGHARvAVKaknDTD7CReEg==\n-----END CERTIFICATE-----\n",
    "created_at": 1583863407,
    "id": "f8047611-a2fd-4830-aaba-e7c94b8d56f4",
    "key": "-----BEGIN PRIVATE KEY-----\nMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL9CoRexkUhj+Eeq\n0yuj6GSEfBvJ288caF7+uqI4ddRUaeMn1sGCuTqIsWe7svQ7Gww91yTGMIsVg7ac\nYRGUA3XBfHDRwstQXS/Ww6ElP7nukF9OCZ/Mu+mIss5YyFrJFyNlYl0cZwpQbfGH\nqjwyCF1khWh7CXKrNWJFe9HdTVVjAgMBAAECgYAZn4eNcRCRrjL5Bv27fv4HWWh3\nIJf+K0QgVegTC5VdmOGGuTOgQS8nlGCQESlsZu68uRw1pQej2oIG2PR4Mmg0Bvkv\nXKYdO0TY98nWIjWSrR6y/Yt/RoiXDfLa8d0cqb734kh7kPuQHpCCpEWcKRMb8jdp\nLIpS21TVUkUz4LwYIQJBAO+4PlDVV2r54VYaJLeSv5qHMYna57b+mGaHC0SMKav4\nnp7OxWhCEkXzQXO4Qjnqimr96pGlbOnFZbpAVw+S1GUCQQDMP99LPD0oJ9Gw+y/N\nUd1xRQGOk8/vQYcO/PfGNXhoPST8rnraimdb+/5t+alM7UbdcMRbWgKO8j3h0FoX\nUnInAkBUid0wFIynpUfaXY3lT1NS46qMuy5MUqzcO3O10NhBVYRa7QChK+vVz1ud\nu7VfR19ZLAK1KmmmZ37gmCAb1eQhAkEAvQM+uHj+f3KZ8pYBHphrvK6HSlIvUtHp\nEk23XY2N56jt2Yf92M/L5qvEQDGSIsZRlgsNKxyY0YALFDWjqYF6cQJAfDJi8Uya\njc9UZeMLtQi3eLugwB/Qx6p1xhjj358Hhprg7rFtqbZNA0IHJYuTx6W+2CXT2GpW\nt842/FWkibh8xg==\n-----END PRIVATE KEY-----\n",
    "snis": [
        "domain.com",
        "domain2.com",
        "domain3.com"
    ],
    "tags": null
}

Using PUT it created it just fine with SNIs (one from url and others from snis).

If I have same domain in both url and SNIs it gives me this:

$ http PUT :8001/certificates/domain.com cert=@spec/fixtures/kong_spec.crt key=@spec/fixtures/kong_spec.key snis:='["domain.com","domain3.com"]' -v
PUT /certificates/domain.com HTTP/1.1
Accept: application/json, */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Length: 2028
Content-Type: application/json
Host: localhost:8001
User-Agent: HTTPie/2.0.0

{
    "cert": "-----BEGIN CERTIFICATE-----\nMIICwTCCAiqgAwIBAgIJAOloHn/ZJQw8MA0GCSqGSIb3DQEBCwUAMHgxCzAJBgNV\nBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNp\nc2NvMRIwEAYDVQQKDAlLb25nIFNwZWMxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRIw\nEAYDVQQDDAlsb2NhbGhvc3QwHhcNMTgwOTI2MTQ0MTE2WhcNMzgwOTIxMTQ0MTE2\nWjB4MQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwN\nU2FuIEZyYW5jaXNjbzESMBAGA1UECgwJS29uZyBTcGVjMRQwEgYDVQQLDAtFbmdp\nbmVlcmluZzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GN\nADCBiQKBgQC/QqEXsZFIY/hHqtMro+hkhHwbydvPHGhe/rqiOHXUVGnjJ9bBgrk6\niLFnu7L0OxsMPdckxjCLFYO2nGERlAN1wXxw0cLLUF0v1sOhJT+57pBfTgmfzLvp\niLLOWMhayRcjZWJdHGcKUG3xh6o8MghdZIVoewlyqzViRXvR3U1VYwIDAQABo1Mw\nUTAdBgNVHQ4EFgQUgIzN48PLQMbLWg4muR2QZqhJXicwHwYDVR0jBBgwFoAUgIzN\n48PLQMbLWg4muR2QZqhJXicwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsF\nAAOBgQArRbblXU7zocrHf5rVrFTWJsaA2aSSJ4CmY1SGRQVyAUzyJXX+Koe+qkP/\niEnA4TUWZfGQOkN5E8ybUxOWv7+6GBjMooLf7WAj5TCtyfOSFASIBrFNGevL4GgH\nJ65KdKlncizFAjSxk1KMRBXMGYDyeBGHARvAVKaknDTD7CReEg==\n-----END CERTIFICATE-----\n",
    "key": "-----BEGIN PRIVATE KEY-----\nMIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL9CoRexkUhj+Eeq\n0yuj6GSEfBvJ288caF7+uqI4ddRUaeMn1sGCuTqIsWe7svQ7Gww91yTGMIsVg7ac\nYRGUA3XBfHDRwstQXS/Ww6ElP7nukF9OCZ/Mu+mIss5YyFrJFyNlYl0cZwpQbfGH\nqjwyCF1khWh7CXKrNWJFe9HdTVVjAgMBAAECgYAZn4eNcRCRrjL5Bv27fv4HWWh3\nIJf+K0QgVegTC5VdmOGGuTOgQS8nlGCQESlsZu68uRw1pQej2oIG2PR4Mmg0Bvkv\nXKYdO0TY98nWIjWSrR6y/Yt/RoiXDfLa8d0cqb734kh7kPuQHpCCpEWcKRMb8jdp\nLIpS21TVUkUz4LwYIQJBAO+4PlDVV2r54VYaJLeSv5qHMYna57b+mGaHC0SMKav4\nnp7OxWhCEkXzQXO4Qjnqimr96pGlbOnFZbpAVw+S1GUCQQDMP99LPD0oJ9Gw+y/N\nUd1xRQGOk8/vQYcO/PfGNXhoPST8rnraimdb+/5t+alM7UbdcMRbWgKO8j3h0FoX\nUnInAkBUid0wFIynpUfaXY3lT1NS46qMuy5MUqzcO3O10NhBVYRa7QChK+vVz1ud\nu7VfR19ZLAK1KmmmZ37gmCAb1eQhAkEAvQM+uHj+f3KZ8pYBHphrvK6HSlIvUtHp\nEk23XY2N56jt2Yf92M/L5qvEQDGSIsZRlgsNKxyY0YALFDWjqYF6cQJAfDJi8Uya\njc9UZeMLtQi3eLugwB/Qx6p1xhjj358Hhprg7rFtqbZNA0IHJYuTx6W+2CXT2GpW\nt842/FWkibh8xg==\n-----END PRIVATE KEY-----\n",
    "snis": [
        "domain.com",
        "domain3.com"
    ]
}

HTTP/1.1 400 Bad Request
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Length: 143
Content-Type: application/json; charset=utf-8
Date: Tue, 10 Mar 2020 18:05:00 GMT
Server: kong/2.0.2
X-Kong-Admin-Latency: 1

{
    "code": 2,
    "fields": {
        "snis": "domain.com is duplicated"
    },
    "message": "schema violation (snis: domain.com is duplicated)",
    "name": "schema violation"
}

Which still feels quite ok. But how did you get the error you got? Can you provide a full example?
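The two exchanges above, turned into a client-side check. This is an added example, not code from the thread or from Kong: it drops the URL's SNI from the body so the PUT avoids the "is duplicated" 400, tells that 400 apart from the "already associated" one in the original report, and compares the SNIs in a 200 response with what was intended. The function names are hypothetical, and treating names as lower-case is an assumption.

```python
import re

UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed samples: the first mirrors the 400 body quoted in the thread,
# the second uses the message wording from the original report.
DUPLICATE_400 = {"fields": {"snis": "domain.com is duplicated"},
                 "message": "schema violation (snis: domain.com is duplicated)"}
CONFLICT_400 = {"message": "schema violation (snis: domain already associated "
                           "with existing certificate)"}


def build_certificate_put(identifier, cert, key, snis):
    """Return (path, body, expected_snis) for PUT /certificates/{identifier}.

    When the identifier is an SNI name rather than a UUID, it is left out of
    the body list; repeated names inside the list are collapsed as well.
    """
    path_sni = None if UUID_RE.match(identifier) else identifier.lower()
    body_snis = []
    for name in snis:
        name = name.strip().lower()  # assumption: names handled lower-case
        if not name:
            raise ValueError("empty SNI in list")
        if name != path_sni and name not in body_snis:
            body_snis.append(name)
    expected = sorted(([path_sni] if path_sni else []) + body_snis)
    body = {"cert": cert, "key": key, "snis": body_snis}
    return "/certificates/" + identifier, body, expected


def classify_sni_error(status, payload):
    """Map an Admin API reply to 'ok', 'duplicate', 'conflict' or 'other'."""
    if status in (200, 201):
        return "ok"
    detail = str((payload.get("fields") or {}).get("snis", ""))
    detail = detail or str(payload.get("message", ""))
    if status == 400 and "is duplicated" in detail:
        return "duplicate"  # same name sent twice: correct the request
    if status == 400 and "already associated" in detail:
        return "conflict"   # name is bound to another certificate: stop
    return "other"


def sni_drift(expected, payload):
    """Return (missing, unexpected) SNI names in a 200 response body."""
    got = {s.lower() for s in payload.get("snis") or []}
    want = set(expected)
    return sorted(want - got), sorted(got - want)


if __name__ == "__main__":
    path, body, expected = build_certificate_put(
        "domain.com", "<cert PEM>", "<key PEM>", ["domain.com", "domain3.com"])
    print(path, body["snis"], expected)
    print(classify_sni_error(400, DUPLICATE_400))
    print(classify_sni_error(400, CONFLICT_400))
```

A "conflict" result means the name already belongs to a different certificate object, so automation should surface it rather than retry.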

jschirrmacher commented 4 years ago

The problem is that with previous versions of kong it was possible to use one of the names in snis also as the name in the path, while at least with 2.x (and as @luispabon said, with 1.5) the 400 Bad Request occurs.

While it might be quite ok to give an error in this case (though this might be discussable), it means a breaking change between 1.4 and 1.5 versions.

bungle commented 4 years ago

@jschirrmacher, I agree, but I am also confused about whether the error is "is duplicated" OR "already associated". I can get the "is duplicated" one, but I am not 100% sure I can get the "already associated" one.

I will make a fix so that snis can duplicate the sni in url.

bungle commented 4 years ago

@jschirrmacher & @luispabon,

There is now a fix for this duplicated error, though the original error on this issue is still puzzling me. Perhaps there is another bug somewhere. If you can provide me a way to reproduce, that would be great. Please check out https://github.com/Kong/kong/pull/5660.

bungle commented 4 years ago

@jschirrmacher / @luispabon, we merged the #5660 which fixed one issue that I found. I reopened this issue as it did not fix the original error that was reported: https://github.com/Kong/kong/issues/5652#issue-577993076

I can still try to reproduce it but so far I couldn't.

bungle commented 4 years ago

As this is rather hard to reproduce, and no further information has been given, I'll close it. @jschirrmacher / @luispabon, please reopen if you still feel it is an issue, even after applying the #5660.

luispabon commented 4 years ago

Apologies for the lack of feedback. #5660 fixed the issue for me.