Kong: Why my own SSL certificate does not work?

Created on 7 Apr 2017 · 12 Comments · Source: Kong/kong

I added a custom certificate to Kong, but it does not seem to work!

1. Use the following steps to create a custom certificate:
a. openssl genrsa -des3 -out server.key 2048
b. openssl req -new -key server.key -out server.csr -sha256
c. cp server.key server.key.org
d. openssl rsa -in server.key.org -out server.key
e. openssl x509 -req -in server.csr -signkey server.key -out server.crt -sha256

2. Upload the SSL certificate and key via the Admin API:
curl -i -X POST http://localhost:8001/certificates \
-F "cert=@/usr/local/kong/ssla/server.crt" \
-F "key=@/usr/local/kong/ssla/server.key" \
-F "snis=api.com"

3. Add the API:
curl -i -X POST http://localhost:8001/apis \
-d "name=ssl-api" \
-d "upstream_url=http://my-api.com" \
-d "hosts=api.com"

4. Visit this API:
curl -i -k -v https://localhost:8443/ \
-H "Host: api.com"

Here is part of the response output:
* Connected to localhost (127.0.0.1) port 8443 (#0)
* found 174 certificates in /etc/ssl/certs/ca-certificates.crt
* found 698 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* server certificate verification SKIPPED
* server certificate status verification SKIPPED
* common name: localhost (matched)
* server certificate expiration date OK
* server certificate activation date OK
* certificate public key: RSA
* certificate version: #1
* subject: C=US,ST=California,L=San Francisco,O=Kong,OU=IT Department,CN=localhost
* start date: Mon, 13 Mar 2017 01:45:51 GMT
* expire date: Wed, 12 Apr 2017 01:45:51 GMT
* issuer: C=US,ST=California,L=San Francisco,O=Kong,OU=IT Department,CN=localhost
* compression: NULL
* ALPN, server accepted to use http/1.1

Based on this information, I found that my custom certificate does not seem to work. Then I checked the certificate under Kong's default path /usr/local/ssl with the command:
openssl x509 -in admin-kong-default.crt -text -noout
Then I got this output:
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 14431384435248772324 (0xc84693aee01ab4e4)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=San Francisco, O=Kong, OU=IT Department, CN=localhost
        Validity
            Not Before: Mar 13 01:45:51 2017 GMT
            Not After : Apr 12 01:45:51 2017 GMT
        Subject: C=US, ST=California, L=San Francisco, O=Kong, OU=IT Department, CN=localhost

This time I feel my certificate has no effect; what is being served seems to be Kong's default certificate. I do not know whether the problem is with my steps. I did not change any configuration file; everything is the default. Does the configuration file need to be changed?

Thank you!

  • Kong version 0.10.0

All 12 comments

Hi Fancy:
I used Kong a long time ago and maybe I have forgotten the actual reason for this issue. After some initial thought on your issue, I think maybe you should access your API with the following URL:
curl -i -k -v https://api.com:8443/ -H "Host: api.com"
instead of your original way:
curl -i -k -v https://localhost:8443/ -H "Host: api.com"
The reason may lie in the SNI check on HTTPS access.
And to use api.com instead of localhost, you should add your domain name "api.com" to /etc/hosts or something like that.
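The original post's step 4 and the reply above both come down to which SNI name the client sends: a TLS server selects its certificate during the handshake from the SNI extension, and the `Host:` header only arrives afterwards, inside the already-encrypted HTTP request. The following added example (not code from the issue or from the Kong project) is a small diagnostic that shows what SNI a given URL produces, handshakes with the proxy sending a chosen SNI, and checks whether the leaf certificate presented is the one that was uploaded by comparing SHA-256 fingerprints. The host, port and PEM path are placeholders taken from the issue; the cert comparison works with any constructed PEM, which is how the self-check at the bottom exercises it offline.

```python
"""Check which certificate a TLS endpoint presents for a given SNI name.

Added example, not from the issue or from Kong. Assumes Kong's proxy
listens on 127.0.0.1:8443 (placeholder) and that the PEM uploaded via the
Admin API is readable locally (placeholder path from the issue).
"""
import hashlib
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def sni_for_url(url):
    """Return the SNI name a client such as curl derives from `url`.

    SNI comes from the URL's host component only. A `-H "Host: ..."` header
    changes the HTTP request, not the handshake, so https://localhost:8443/
    with Host: api.com still sends SNI "localhost". IP literals send no SNI.
    """
    host = urlsplit(url).hostname
    try:
        ipaddress.ip_address(host)
        return None          # IP literal: no SNI extension is sent
    except ValueError:
        return host


def der_fingerprint(der):
    """SHA-256 hex fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_from_der(der):
    """Wrap DER bytes in PEM armour (stdlib helper; used by the self-check)."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_fingerprint(pem):
    """SHA-256 hex fingerprint of a PEM certificate, computed over its DER body."""
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem))


def matches_uploaded(presented_der, uploaded_pem):
    """True if the presented leaf certificate is byte-identical to the uploaded one."""
    return der_fingerprint(presented_der) == pem_fingerprint(uploaded_pem)


def presented_cert_der(host, port, server_name, timeout=5.0):
    """Handshake with host:port sending `server_name` as SNI (None = no SNI)
    and return the leaf certificate in DER form.

    Verification is switched off on purpose: we want to see what the server
    presents, and a self-signed cert would otherwise abort the handshake.
    With CERT_NONE, getpeercert() returns {} so the binary form is used.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Offline self-check on a constructed PEM (not a real certificate).
    fake = pem_from_der(b"constructed-der-bytes")
    assert matches_uploaded(b"constructed-der-bytes", fake)
    print("curl https://localhost:8443/ -H 'Host: api.com' sends SNI:",
          sni_for_url("https://localhost:8443/"))

    # Live probe against the proxy; placeholders from the issue.
    KONG_HOST, KONG_PORT = "127.0.0.1", 8443
    UPLOADED_PEM_PATH = "/usr/local/kong/ssla/server.crt"
    try:
        with open(UPLOADED_PEM_PATH) as f:
            uploaded = f.read()
        for sni in ("localhost", "api.com", None):
            der = presented_cert_der(KONG_HOST, KONG_PORT, sni)
            print(f"SNI={sni!r}: sha256={der_fingerprint(der)[:16]}... "
                  f"uploaded cert served={matches_uploaded(der, uploaded)}")
    except OSError as exc:
        print("live probe skipped:", exc)
```

If the probe reports a match for SNI `api.com` but not for `localhost`, the upload is fine and only the test command was wrong. To send the right SNI from curl without editing /etc/hosts, `curl -k -v --resolve api.com:8443:127.0.0.1 https://api.com:8443/` keeps `api.com` as the URL host (and therefore the SNI) while connecting to the local address.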

Is this similar/identical to https://github.com/Mashape/kong/issues/2337?

@fancy512 can you show us the output of curl localhost:8001/certificates and curl localhost:8001/snis?

Closing as stale, after no response. Please feel free to re-open this if there are still pending issues.

@p0pr0ck5 I'm experiencing the same issue.

{"fields":{"cert":"required field missing","key":"required field missing"},"name":"schema violation","code":2,"message":"2 schema violations (cert: required field missing; key: required field missing)"}
I got this response.

Hi all,
I have the same issue here.

So do I

So do I.

Hmmm, same here... Is there any way I can find where Kong stores the final nginx.conf file in the Docker container?

So do I.

Please open a new issue. Let's avoid resurrecting old threads.
