apache / apisix

The Cloud-Native API Gateway
https://apisix.apache.org/blog/
Apache License 2.0

bug: Vault Secret Engine Issue LUA Trust Certificates #11720

Open GrayHatLabs opened 2 weeks ago

GrayHatLabs commented 2 weeks ago

Current Behavior

I am running APISIX in stand-alone mode and want to use Vault for secret management.

I am using the Docker images, and I keep getting this error. I don't know how to add certificates to the trust.

```yaml
global_rules:
  - id: 1
    plugins:
      key-auth:
        header: "Authorization"

routes:
  - id: "test_route"
    uri: "/test"
    plugins:
      key-auth: {}
    upstream:
      type: roundrobin
      scheme: "https"
      nodes:
        "postb.in:443": 1

consumers:
  - username: nemus_dupper
    plugins:
      key-auth:
        key: $secret://vault/1/nemus_dupper/auth-key

secrets:
  - id: vault/1
    ssl_verify: false
    prefix: apisix
    token: hvs.asdfasdfasdfasdf
    uri: https://vault.mydomain.com:8200/
```

```text
api-gateway-1 | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1 | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
```

Expected Behavior

I would like it to call the vault server I've specified in the config.

Error Logs

```text
api-gateway-1  | 2024/11/07 06:41:12 [error] 37#37: *1755 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1  | 2024/11/07 06:41:12 [warn] 37#37: *1755 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1  | 172.18.0.1 - - [07/Nov/2024:06:41:12 +0000] 127.0.0.1:8080 "GET / HTTP/1.1" 401 52 0.006 "-" "curl/8.2.1" - - - "http://127.0.0.1:8080"
```

Steps to Reproduce

```yaml
services:
    api-gateway:
        image: apache/apisix:latest
        environment:
            - APISIX_STAND_ALONE=true
            - LUA_SSL_TRUSTED_CERTIFICATE=/usr/local/share/ca-certificates/vault-ca.crt
        volumes:
            - ${CONFIGS:-./configs}/apisix/apisix.yaml:/usr/local/apisix/conf/apisix.yaml:ro
            - ./vault_ca.crt:/usr/local/share/ca-certificates/vault-ca.crt  # Mount the CA cert into the container
        extra_hosts:
            - "vault.mydomain.com:192.168.10.60"
        ports:
            - '${LISTEN_ADDRESS:-127.0.0.1}:8080:9080'
            - '${LISTEN_ADDRESS:-127.0.0.1}:8443:9443'
        networks:
            - public
networks:
    public:
        external: true
```

```shell
curl -H 'Authorization:asdfasdfasdfas' -H "Content-Type: application/json" -i http://127.0.0.1:8080
```

Environment

HuanXin-Chen commented 2 weeks ago

This issue may help you: https://github.com/apache/apisix/issues/11657

Adding this config block to config.yaml:

```yaml
apisix:
  ssl:
    ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
```
GrayHatLabs commented 1 week ago

> This issue may help you: #11657
>
> Adding this config block to config.yaml:
>
> ```yaml
> apisix:
>   ssl:
>     ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
> ```

Thank you, I will try this.

GrayHatLabs commented 3 days ago

I added this to the config.yml and confirmed that both files exist on the container. I am still seeing the same error.

Also, please note that the vault server certificate is a valid certificate signed by Godaddy, which has a CA chain that might be part of the issue.

Is there any way for me to tell APISIX to trust a certificate?

```yaml
apisix:
  ssl:
    # duplicate mapping key: most YAML parsers keep only the last value,
    # so only vault-ca.crt is in effect here
    ssl_trusted_certificate: /etc/ssl/certs/ca-certificates.crt
    ssl_trusted_certificate: /usr/local/share/ca-certificates/vault-ca.crt

global_rules:
  - id: 1
    plugins:
      key-auth:   # plugin names are lowercase; "Key-auth" does not match the plugin
        header: "Authorization"

routes:
  - id: "test_route"
    uri: "/test"
    plugins:
      key-auth: {}
    upstream:
      type: roundrobin
      scheme: "https"
      nodes:
        "postb.in:443": 1

consumers:
  - username: nemus_dupper
    plugins:
      key-auth:
        key: $secret://vault/1/nemus_dupper/auth-key

secrets:
  - id: vault/1
    ssl_verify: false
    prefix: apisix
    token: hvs.asdfasdfasdfasdfasdf
    uri: https://vault.mydomain.com:8200
```

```text
api-gateway-1  | 2024/11/22 22:57:04 [error] 39#39: *97758 [lua] secret.lua:180: fetch(): failed to fetch secret value: failed to retrtive data from vault kv engine: 20: unable to get local issuer certificate, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1  | 2024/11/22 22:57:04 [warn] 39#39: *97758 [lua] plugin.lua:1174: run_plugin(): key-auth exits with http status code 401, client: 172.18.0.1, server: _, request: "GET / HTTP/1.1", host: "127.0.0.1:8080"
api-gateway-1  | 172.18.0.1 - - [22/Nov/2024:22:57:04 +0000] 127.0.0.1:8080 "GET / HTTP/1.1" 401 52 0.006 "-" "curl/8.2.1" - - - "http://127.0.0.1:8080"
```