Closed debu99 closed 3 years ago
@debu99,
Can you show us how you tested it? Also, can you show us how you started and how you reloaded Kong (the exact commands), and can you show us a small example of the YAML (you can remove all the private stuff from there)?
I tried to reproduce this but I could not yet.
No, it is not tested on purpose; we tested some configuration and then reloaded Kong. We created Kong as a systemd service and use systemctl reload kong to reload it:
```ini
[Unit]
Description=kong service
Documentation=https://docs.konghq.com
After=syslog.target network.target

[Service]
User=circlesuser
Group=circlesuser
Type=forking
LimitAS=infinity
LimitRSS=infinity
LimitCORE=infinity
LimitNOFILE=65536
ExecStart=/usr/local/bin/kong start -v --conf /etc/our_config/api-gateway/api-gateway.conf
ExecReload=/usr/local/bin/kong reload -v --conf /etc/our_config/api-gateway/api-gateway.conf
ExecStop=/usr/local/bin/kong stop

[Install]
WantedBy=multi-user.target
```
@debu99, good news! I could reproduce this. I'll start looking at it.
Here is how I reproduced it:
dbless.conf file:

```
database=off
declarative_config=dbless.yml
```
dbless.yml file:

```yaml
_transform: false
_format_version: '2.1'
certificates:
- created_at: 1604424735
  cert: |
    -----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
  id: 3c43a3a1-c47a-4806-b8f3-fb03b55c7cfa
  tags: ~
  key: |
    -----BEGIN PRIVATE KEY-----
    MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC6+3r1yt5y8Vvf
    JVw1lHMjUQig81FV+UZZu58tGqlSIfqkVE+1xhxZw855e7NYBJHMS7bjJygVeyHN
    o1U8ypbmWRSQ+R9qZT+35aVbv28r6QTYLhERQwtpm55V+00kYYVo5WE4BUtiohT9
    To2I4pur3prM6Gw7AoNoEbNDIQO18LFbz0hTX5wDj06ci0RrTd0oRANCyowZI4Nr
    uuzDwH4NcvP/E5t4f5KnznIjE+WsdidS5f/f6All/aluoDZp51BjZQaXAGZN6c4e
    p9XKEZ1WsrKAj2D4HfbtSqAZLbk0CTp9UItzlj2c8oixkWv19LRsf+UEA5y6+hsg
    48D3AtPbAgMBAAECggEBALoFVt8RZR2VYYEu+f2UIrgP9jWp3FFcHdFIB6Qn0iwU
    AfdaqbJ91da4JsJVfqciZKqK6Pg0DHzSc17SEArawiWImh1guxBuimW54jjUyxU0
    Tc2EhxZVTRVT7MI9sRFws/kXuxCws7784UTg0Y5NY/IpFHinAoXyiikO8vjl73sg
    trN5mQGNTE/c8lEs7pUAFWX9zuNbmV0m1q25lHDgbkAD76/9X26lLCK1A5e2iCj3
    MME6/2GlSy3hrtSY7mCiR1GktvnK+yidXXJSkGMNCSopQARfcAlMvcCDav5ODxTz
    mB+A47oxGKBTdc9gGF44dR15y5E1kRAvTtaAIzpc14ECgYEA4u9uZkZS0gEiiA5K
    pOm/lnBp6bloGg9RlsOO5waE8DiGZgkwWuDwsncxUB1SvLd28MgxZzNQClncS98J
    viJzdAVzauMpn3Iqrdtk9drGzEeuxibic1FKMf1URGwKnlcsDHaeKAGyRQgO2Q7l
    Oy7EwtRmUKBUA3RCIqLSoiEi6NcCgYEA0u4a2abgYdyR1QMavgevqCGhuqu1Aa2Y
    rbD3TmIfGVubI2YZeFSyhC/7Jx+5HofQj5cpMRgASxzKXqrCXuyb+Q+u23kHogfQ
    cO1yO2GzjlA3FVHTK28t9EDPTOgHWQt3q7iS1s44VHwXDOpEQJ2onKKohvcP5WTf
    LO0T2K9NOJ0CgYEAtX9nHXc6/+iWdJhxjKnCaBBqNNrrboQ37ctj/FOTeQjMPMk2
    mkhzWVjI4NlC9doJz5NdJ7u7VTv/W9L7WMz256EAaUlbXcGSbtAcVCFwg6sFFke9
    Lxuhqo+AmOSMLY1sll88KKUKrfk+3szx+z5xcZ0sY2mHJ+gQiOEOc0rrP6sCgYBi
    Ksi6RU0mnoYMki5PBLq+0DA59ZH/XvCw3ayrgUUiAx1XwzvVYe3XUZFc6wm36NOr
    EFnubFIuow6YMnbVwN7yclcZ8+EWivZ6qDfC5Tyw3ipUtMlH7K2BgOw5yb8ptQmU
    FQnaCQ30W/BKZXkwbW+8voMalT+DroejnA7hiOyyjQKBgFLi6x6w76fTgQ7Ts8x0
    eATLOrvdvfotuLyMSsQLbljXyJznCTNrOGfYTua/Ifgkn4LpnoOkkxvVbj/Eugc7
    WeXBG+gbEi25GZUktrZWP1uc6s8aXH6rjYJP8iXnUpFHmQAPGuGiFnfB5MxlSns9
    9SKBXe7AvKGknGf7zg8WLKJZ
    -----END PRIVATE KEY-----
snis:
- created_at: 1604424834
  id: 2c16a2da-0ec3-4bbd-b947-740008eff39b
  tags: ~
  name: example.test
  certificate: 3c43a3a1-c47a-4806-b8f3-fb03b55c7cfa
services:
- url: http://httpbin.org/anything
  routes:
  - paths:
    - /
```
Start Kong and reload it in a loop:

```
$ kong start -v --conf dbless.conf
$ for i in {1..1000}; do ./bin/kong reload -v --conf dbless.conf; done
```
In a second terminal window, start making sslscan requests:

```
$ for i in {1..1000}; do sslscan --sni-name=example.test 127.0.0.1:8443 | grep Subject; done
```
Check the output of sslscan:

```
Subject: kong_clustering
Subject: kong_clustering
Subject: kong_clustering
Subject: kong_clustering
Subject: kong_clustering
Subject: kong_clustering
Subject: kong_clustering
Subject: kong_clustering
Subject: localhost
Subject: localhost
Subject: kong_clustering
Subject: kong_clustering
```
It looks like, for a short period of time, Kong will return the wrong cert on reload. In my testing it returns to normal, but this is still unexpected.
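A small post-reload check for the behaviour reproduced above, added here as an example; it is not part of the issue thread and not Kong's own code. It assumes Kong's proxy TLS port on 127.0.0.1:8443 and the SNI example.test from the repro config, uses openssl s_client in place of sslscan, and counts how many of N consecutive handshakes present a certificate whose CN is not the expected one.

```shell
#!/bin/sh
# Added example, not from the Kong issue thread. Assumed (hypothetical) target:
# Kong proxy TLS on 127.0.0.1:8443, SNI example.test, expected leaf CN example.test.

# Pull the CN out of an "openssl x509 -noout -subject" line. Handles both the
# newer "subject=C = US, CN = example.test" and older "subject= /C=US/CN=..." forms.
cn_from_subject_line() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' | head -n 1
}

# One TLS handshake against host:port with the given SNI; prints the leaf subject line.
# The piped echo gives s_client EOF on stdin so it exits after the handshake.
fetch_subject() { # host:port sni
  echo | openssl s_client -connect "$1" -servername "$2" 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null
}

# Handshake N times (default 100) and count answers whose CN differs from the
# expected one. Prints the mismatch count and exits non-zero if it is not 0,
# so the function can sit behind "systemctl reload kong" as a health check.
check_sni_stability() { # host:port sni expected_cn [attempts]
  target=$1; sni=$2; expected=$3; attempts=${4:-100}
  bad=0; i=1
  while [ "$i" -le "$attempts" ]; do
    cn=$(cn_from_subject_line "$(fetch_subject "$target" "$sni")")
    if [ "$cn" != "$expected" ]; then
      bad=$((bad + 1))
      echo "attempt $i: got CN='$cn', expected '$expected'" >&2
    fi
    i=$((i + 1))
  done
  echo "$bad"
  [ "$bad" -eq 0 ]
}

# Usage (needs a running Kong; constructed example target):
#   check_sni_stability 127.0.0.1:8443 example.test example.test 200
```

Running the loop while `kong reload` is in progress is what surfaces the window the thread describes; a CN of `kong_clustering` or `localhost` in the mismatch log means the default certificate was served instead of the configured one for that SNI.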
This should be fixed in the upcoming Kong 2.3.0, as #6661 just got merged.
@bungle Happened to come across this due to seeing a similar issue when running Kong. The only difference is that I'm running Kong in a k8s cluster in DB-less mode.
```
2022/08/29 10:47:36 [alert] 28#0: *148953 ignoring stale global SSL error (SSL: error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed), client: x.x.x.x, server: kong, request: "GET /x/y/z HTTP/1.1", host: "x.y.z"
```
Any suggestion on how to troubleshoot in this case? BTW: We are using Kong 2.5.0.
We also have the same issue while running Kong on k8s in DB-less mode. We are using Kong 2.7.0.
Any suggestions on how to troubleshoot and fix it?
Hi @yasra002 @morningspace, were you able to upload an SSL certificate to Kong deployed in DB-less mode in a K8s cluster? I am facing the same issue.
Our SSL certificate is in the YAML configuration file, but after reload, Kong uses the default cert.