Closed flyingfish7 closed 3 years ago
2020/11/02 11:35:48 [error] 23546#23546: 1507 [lua] radixtree_sni.lua:213: match_and_set(): failed to find any SSL certificate by SNI: test-api.yestae.com, context: ssl_certificate_by_lua, client: 172.17.186.164, server: 0.0.0.0:10443
The domain "test-api.yestae.com" sent by client's SNI is unknown to your APISIX.
In my etcd SSL configuration, the SNI list has a "*.yestae.com" entry:
[root@test-open-api apisix-dashboard]# etcdctl_new --endpoints=http://127.0.0.1:3379 get /apisix/ssl --prefix
/apisix/ssl/
init_dir
/apisix/ssl/326743630154826275
{"id":"326743630154826275","create_time":1604283980,"update_time":1604286383,"cert":"...","key":"...","snis":["*.yestae.com","autodiscover.yestae.com","mail.yestae.com","owa.yestae.com","www.yestae.com","yestae.com"],"status":0,"validity_start":1542879426,"validity_end":1613457880}
[root@test-open-api apisix-dashboard]#
Interesting. Can't reproduce on my side. I set the SSL configuration via apisix's admin API:
# etcdctl get /apisix/ssl --prefix
/apisix/ssl/
init_dir
/apisix/ssl/1
{"cert":"...","id":"1","status":1,"key":"...","snis":["*.yestae.com","autodiscover.yestae.com","mail.yestae.com","owa.yestae.com","www.yestae.com","yestae.com"]}
But I got: radixtree_sni.lua:208: match_and_set(): sni: test-api.yestae.com.
Maybe you need to add more logs in radixtree_sni.lua.
apisix/ssl/router/radixtree_sni.lua
210 local sni_rev = sni:reverse()
211 core.log.debug("sni_rev: ",sni_rev)
212 core.log.debug("api_ctx.matched_sni: ",api_ctx.matched_sni)
213 core.log.debug("api_ctx.matched_ssl: ",api_ctx.matched_ssl)
214 local ok = radixtree_router:dispatch(sni_rev, nil, api_ctx)
215 if not ok then
208
2020/11/02 16:34:42 [debug] 29687#29687: 130 [lua] init.lua:164: http_ssl_phase(): api_ctx:nil
2020/11/02 16:34:42 [debug] 29687#29687: 130 [lua] init.lua:168: http_ssl_phase(): api_ctx:{}
2020/11/02 16:34:42 [info] 29687#29687: 130 [lua] radixtree_sni.lua:146: create_router(): route items: {}, context: ssl_certificate_by_lua, client: 172.17.186.164, server: 0.0.0.0:10443
2020/11/02 16:34:42 [debug] 29687#29687: 130 [lua] radixtree_sni.lua:208: match_and_set(): sni: test-api.yestae.com
2020/11/02 16:34:42 [debug] 29687#29687: 130 [lua] radixtree_sni.lua:211: match_and_set(): sni_rev: moc.eatsey.ipa-tset
2020/11/02 16:34:42 [debug] 29687#29687: 130 [lua] radixtree_sni.lua:212: match_and_set(): api_ctx.matched_sni: nil
2020/11/02 16:34:42 [debug] 29687#29687: 130 [lua] radixtree_sni.lua:213: match_and_set(): api_ctx.matched_ssl: nil
2020/11/02 16:34:42 [error] 29687#29687: 130 [lua] radixtree_sni.lua:216: match_and_set(): failed to find any SSL certificate by SNI: test-api.yestae.com, context: ssl_certificate_by_lua, client: 172.17.186.164, server: 0.0.0.0:10443
2020/11/02 16:34:42 [crit] 29687#29687: *127 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: 172.17.186.164, server: 0.0.0.0:10443
Looks strange to me. Could you provide a minimal example to reproduce the issue? Will changing the SSL configuration make this problem disappear?
Thank you very much, I have found the cause of the problem: my apisix-dashboard is 2.0-rc2 and my SSL configuration was configured from the dashboard, so there may be incompatible configuration formats. I fixed the problem through the apisix-admin API. Thanks again for your help.
Issue description
https access apisix ssl protocol error,
config-default.yaml
error.log
2020/11/02 11:35:48 [error] 23546#23546: 1507 [lua] radixtree_sni.lua:213: match_and_set(): failed to find any SSL certificate by SNI: test-api.yestae.com, context: ssl_certificate_by_lua, client: 172.17.186.164, server: 0.0.0.0:10443
2020/11/02 11:35:48 [crit] 23546#23546: *1505 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: 172.17.186.164, server: 0.0.0.0:10443
Environment
apisix version: 2.0
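The two etcd records quoted in this thread list the same SNIs but differ in their `status` field (0 in the dashboard-written record, 1 in the admin-API record). The following check is an added example, not code from APISIX or from the thread participants: it replays the reversed-SNI wildcard lookup over such records and reports entries that cover the client's SNI but are not marked enabled. The function names are hypothetical, and it assumes `status` 1 (or a missing `status`) means enabled.

```python
import json

# Constructed sample: the two etcd records quoted in the thread, trimmed to the
# fields this check reads ("cert"/"key" stay elided as on the page).
DASHBOARD_RECORD = ('{"id":"326743630154826275","cert":"...","key":"...",'
                    '"snis":["*.yestae.com","yestae.com"],"status":0}')
ADMIN_API_RECORD = ('{"cert":"...","id":"1","status":1,"key":"...",'
                    '"snis":["*.yestae.com","yestae.com"]}')


def sni_matches(pattern, sni):
    """Match on reversed names, as the sni:reverse() lookup in the thread does."""
    pattern, sni = pattern.lower(), sni.lower()
    if pattern.startswith("*."):
        # "*.yestae.com" -> reversed prefix "moc.eatsey."; any subdomain depth
        # matches in this sketch, the bare apex does not.
        prefix = pattern[1:][::-1]
        return sni[::-1].startswith(prefix) and len(sni) > len(prefix)
    return pattern == sni


def diagnose(raw_records, sni):
    """Return (usable_ids, problems) for one client SNI."""
    usable, problems = [], []
    for raw in raw_records:
        rec = json.loads(raw)
        rid = rec.get("id", "?")
        if not any(sni_matches(p, sni) for p in rec.get("snis", [])):
            continue
        # Assumption: status 1 (or absent) means enabled; any other value
        # keeps the record out of the SNI router.
        if rec.get("status", 1) != 1:
            problems.append(f"{rid}: covers {sni} but status={rec['status']}")
        else:
            usable.append(rid)
    return usable, problems


if __name__ == "__main__":
    for name, rec in (("dashboard", DASHBOARD_RECORD), ("admin API", ADMIN_API_RECORD)):
        print(name, diagnose([rec], "test-api.yestae.com"))
```

Feed it the JSON values returned by `etcdctl get /apisix/ssl --prefix` to see whether any enabled record covers the SNI named in the error log.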