kong / kong-plugin-acme
Let's Encrypt and ACMEv2 integration with Kong - this plugin has been moved into https://github.com/Kong/kong, please open issues and PRs in that repo

License: Apache License 2.0

Lua 100.00%
kong kong-plugin acme acme-v2 letsencrypt

kong-plugin-acme's People

Contributors

bungle, dndx, fffonion, gszr, herlon214, okanozdemir, samnela, tieske

kong-plugin-acme's Issues

Plugin error in dbless mode

I am trying to configure the plugin on Kong deployed on K8s (dbless).

Ingress Controller logs show this error:

W0611 03:39:27.962669       1 queue.go:112] requeuing kong/acme, err posting new config to /config: 400 Bad Request {"fields":{"plugins":[null,null,null,null,{"route":"value must be null"}]},"name":"invalid declarative configuration","code":14,"message":"declarative config is invalid: {plugins={[5]={route=\"value must be null\"}}}"}

Trying to hit the acme route produces 503:

serge@Serges-MacBook-Pro infrastructure % curl -XGET -I kongtroller.projectmin.org/.well-known/acme-challenge/x
HTTP/1.1 503 Service Temporarily Unavailable
Date: Thu, 11 Jun 2020 03:39:40 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 58
X-Kong-Response-Latency: 0
Server: kong/2.0.4

KongPlugin CR looks like this:

$ kubectl describe kongplugins/acme                                                                                                     
Name:         acme
Namespace:    kong
Labels:       <none>
Annotations:  API Version:  configuration.konghq.com/v1
Config:
  account_email:  [email protected]
  Domains:
    kongtroller.projectmin.org
    api.projectmin.org
    guardian-api.projectmin.org
  tos_accepted:  true
Kind:            KongPlugin

Relevant ingress looks like this:

$ kubectl describe ingress/acme                                                                                                         
Name:             acme
Namespace:        kong
Address:          40.64.105.12
Default backend:  default-http-backend:80 (<error: endpoints "default-http-backend" not found>)
Rules:
  Host                        Path  Backends
  ----                        ----  --------
  kongtroller.projectmin.org  
                              /.well-known/acme-challenge   acme-dummy:80 (<none>)
Annotations:                  konghq.com/plugins: acme

Ingress points to this svc (selector pointing to nothing)

$ kubectl describe svc/acme-dummy                                                                                                       
Name:              acme-dummy
Namespace:         kong
Labels:            <none>
Annotations:       Selector:  app=acme-dummy
Type:              ClusterIP
IP:                10.0.183.153
Port:              <unset>  9999/TCP
TargetPort:        9999/TCP
Endpoints:         <none>
Session Affinity:  None
Events:            <none>

Certificates are generated for all subdomains despite *.example.com setting

Plugin domains configuration is set to:

"domains": [
      "*.example.com",
      "example.com"
    ],

Expected to generate for configured domains. Instead it generates for www.example.com and example.com.

Also, the next time subdomain1.example.com is requested, it will generate a certificate for subdomain1.example.com. This will cause issues with Letsencrypt when you have many sub domains (monthly limit reached). Instead it should only generate *.example.com (supported).
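To make concrete what the post above describes, here is an added example (not code from the plugin or from the poster) that models hostname eligibility against the `domains` list. It assumes the semantics described in the issue: a hostname is eligible when it equals a listed entry exactly or when a wildcard entry covers it, and every eligible hostname that is requested results in its own certificate order. The wildcard matching rule (one label only, not the apex and not deeper subdomains) is the usual DNS-name wildcard rule and is an assumption about the plugin's matcher, not a quotation of it.

```python
"""Model of wildcard handling in an ACME ``domains`` list.

Added example, not the plugin's own code. A wildcard entry widens which
requested hostnames are *eligible* for issuance; it does not by itself cause
a wildcard certificate to be ordered, because the http-01 challenge cannot
prove control of a wildcard identifier (that requires dns-01).
"""


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so comparisons are canonical."""
    return name.strip().rstrip(".").lower()


def host_matches(pattern: str, host: str) -> bool:
    """Return True when ``host`` is covered by ``pattern``.

    A wildcard covers exactly one DNS label: ``*.example.com`` matches
    ``a.example.com`` but neither ``example.com`` nor ``a.b.example.com``.
    Non-wildcard patterns must match exactly.
    """
    pattern, host = _normalize(pattern), _normalize(host)
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label


def eligible(domains, host: str) -> bool:
    """True when any configured entry covers ``host``."""
    return any(host_matches(p, host) for p in domains)


def certificates_needed(domains, requested_hosts):
    """List the distinct hostnames that would each get their own certificate.

    Models the behaviour in the issue: with http-01 every eligible hostname
    that is requested becomes a separate order, so a busy wildcard zone can
    run into the CA's per-domain issuance limits.
    """
    needed = []
    for raw in requested_hosts:
        host = _normalize(raw)
        if eligible(domains, host) and host not in needed:
            needed.append(host)
    return needed


if __name__ == "__main__":
    # Constructed sample: the configuration from the issue and a few SNI values.
    config_domains = ["*.example.com", "example.com"]
    seen = ["www.example.com", "example.com", "subdomain1.example.com",
            "subdomain1.example.com", "a.b.example.com", "other.com"]
    print(certificates_needed(config_domains, seen))
```

Running the block prints three hostnames, one per eligible host, which is why a long tail of subdomains drives issuance counts up: the wildcard entry makes each of them eligible, but each still costs a separate certificate.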

route http to https redirect

Can't seem to make this work with 301 redirects on routes from HTTP to HTTPS. Should I disable it? Also, does it need the HTTP method enabled on routes to work?

Add multiple domains at once

Hey guys,

it might sound stupid, but I am struggling to add more than one domain at once.
I tried almost every possible combination for the input data:

  • [domain1.com, domain2.com]
  • domain1.com, domain2.com
  • domain1.com domain2.com
  • {domain1.com, domain2.com}
    ...and all of these also wrapped in quotes.

All I ever get is an error message like this:

{
    "message": "schema violation (config.domains: {\n  \"invalid hostname: domain1.com domain2.com\"\n})",
    "name": "schema violation",
    "fields": {
        "config": {
            "domains": [
                "invalid hostname: domain1.com domain2.com"
            ]
        }
    },
    "code": 2
}

I also checked the code for all the schema definitions and also the Kong source code to find out more about the expected format, but can't find anything useful there...

What do I have to do to get a result similar to the situation described in #11?

What is the purpose of KONG_LUA_SSL_TRUSTED_CERTIFICATE with Kong Docker in DBless mode?

Hello everyone. I have been trying for 2 days to enable the ACME Plugin, but with no good results. I don't understand exactly what value this env var KONG_LUA_SSL_TRUSTED_CERTIFICATE is supposed to have.
This is my .yml for kong docker:

reverse-proxy:
  image: kong:latest
  volumes:
    - load-balancer-kong-nfs:/usr/local/kong/declarative
  ports:
    - 80:8000
    - 443:8443
    - 8001:8001
    - 8444:8444
  environment:
    KONG_DATABASE: 'off'
    KONG_DECLARATIVE_CONFIG: /usr/local/kong/declarative/kong.yml
    KONG_PROXY_ACCESS_LOG: /dev/stdout
    KONG_ADMIN_ACCESS_LOG: /dev/stdout
    KONG_PROXY_ERROR_LOG: /dev/stderr
    KONG_ADMIN_ERROR_LOG: /dev/stderr
    KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
  deploy:
    placement:
      constraints: [node.role == manager]

I have successfully set up TLS termination with Kong the old way, with the "Certificates" object, but I would love to use the new ACME plugin. Please help me.

Thank you in advance!

Plugin doesn't work

Hi,
I'm trying to figure out what is happening. My configuration looks fine, and I tested with the commands in the readme, but it doesn't run or generate the certificate. I don't know why.
And I'm using the plugin in database mode.

{
    "api_uri": "https://acme-v02.api.letsencrypt.org",
    "domains": [
        "subdomain.domain.site"
    ],
    "storage": "shm",
    "cert_type": "rsa",
    "tos_accepted": true,
    "account_email": "[email protected]",
    "storage_config": {
        "shm": {
            "shm_name": "kong"
        },
        "kong": {},
        "redis": {
            "auth": null,
            "host": null,
            "port": null,
            "database": null
        },
        "vault": {
            "host": null,
            "port": null,
            "https": true,
            "token": null,
            "kv_path": null,
            "timeout": null
        },
        "consul": {
            "host": null,
            "port": null,
            "https": true,
            "token": null,
            "kv_path": null,
            "timeout": null
        }
    },
    "renew_threshold_days": 14
}


Question: certs renew

Hi,

I noticed that, according to the logs, there was no attempt to renew the certificates. Some of my domains will expire in 13 days, so I believe that the automatic renewal is disabled or some of my configs are wrong.
How does the renewal work internally? I couldn't find any reference to a cron, so I believe there is some kind of scheduler.

Kong version: 2.0.3 with acme plugin active

My acme plugin config extracted from Postgres database:

{
   "api_uri":"https://acme-v02.api.letsencrypt.org",
   "domains":[
      "my_domains_are_listed_here"
   ],
   "storage":"shm",
   "cert_type":"rsa",
   "tos_accepted":true,
   "account_email":"my_is_email_here",
   "storage_config":{
      "shm":{
         "shm_name":"kong"
      },
      "kong":{},
      "redis":{
         "auth":null,
         "host":null,
         "port":null,
         "database":null
      },
      "vault":{
         "host":null,
         "port":null,
         "https":true,
         "token":null,
         "kv_path":null,
         "timeout":null
      },
      "consul":{
         "host":null,
         "port":null,
         "https":true,
         "token":null,
         "kv_path":null,
         "timeout":null
      }
   },
   "renew_threshold_days":30
}

I also noticed that the table acme_storage is empty. I created a new domain and generated a certificate for it to ensure that the reason for the empty table was not a bad db migration (which I did in the past).

Letsencrypt http-01 verification fails due to 404

10.0.0.35 - - [15/Feb/2020:17:29:11 +0000] "GET /.well-known/acme-challenge/qgKUJAHBSeiQ6Tq3jYhMBo-Yg3u9rkKAQdXvINoXEsE HTTP/1.1" 404 48 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Let's Encrypt tries to access the acme-challenge path, but this returns 404 from konga.
Any idea how to fix this? Do I need to set the routes manually for this plugin to work?

It is installed globally with basic configurations (Kong 2.0.1).

{
  "created_at": 1581790887,
  "config": {
    "storage_config": {
      "redis": {
        "auth": null,
        "port": null,
        "database": null,
        "host": null
      },
      "shm": {
        "shm_name": "kong"
      },
      "vault": {
        "host": null,
        "port": null,
        "token": null,
        "timeout": null,
        "https": true,
        "kv_path": null
      },
      "kong": {},
      "consul": {
        "host": null,
        "port": null,
        "token": null,
        "timeout": null,
        "https": true,
        "kv_path": null
      }
    },
    "cert_type": "rsa",
    "tos_accepted": true,
    "storage": "kong",
    "domains": [
      "*.DOMAIN.dev",
      "DOMAIN.dev"
    ],
    "api_uri": "https://acme-v02.api.letsencrypt.org",
    "account_email": "[email protected]",
    "renew_threshold_days": 14
  },
  "id": "XXXX",
  "service": null,
  "enabled": true,
  "protocols": [
    "grpc",
    "grpcs",
    "http",
    "https"
  ],
  "name": "acme",
  "consumer": null,
  "route": null,
  "tags": null
}


Failing to generate ACME certificates

Hello, currently I have a Kong API Gateway running on my single-node Docker Swarm with a few APIs behind it. I'm able to reach each of them through its route, but only over HTTP.
I have installed the ACME plugin, although it's not clear to me how I should configure it in order to trigger the creation of the certificates for each service.

If I run:

curl http://127.0.0.1:8001/acme -d host=mydomain.com -d test_http_challenge_flow=true
It returns:

{"message":"sanity test for host mydomain.com passed"}
But, if I try

curl http://127.0.0.1:8001/acme -d host=mydomain.com
It returns:

{"message":"failed to update certificate: could not create certificate: challenge invalid: http-01: invalid: Invalid response from http:\/\/mydomain\/.well-known\/acme-challenge\/cfbSYzt39OWFm9bObeoL3T7gidAVLRmn1dm7iscz15s [myserverip]: 404"}

This is the container log:

_kong.2.u8d8srbp9lcy@vps-2c1ec9df    |  2020/12/11 15:28:38 [warn] 21#0: *5536 [lua] http-01.lua:54: serve_challenge(): no corresponding response found for YCRxFSgSzaaWlT3kohB-WzxWiVpExHRacdFNXy3xroM, client: 10.0.0.2, server: kong, request: "GET /.well-known/acme-challenge/YCRxFSgSzaaWlT3kohB-WzxWiVpExHRacdFNXy3xroM HTTP/1.1", host: "mydomain.com
kong_kong.2.u8d8srbp9lcy@vps-2c1ec9df    |  10.0.0.2 - - [11/Dec/2020:15:28:38 +0000] "GET /.well-known/acme-challenge/YCRxFSgSzaaWlT3kohB-WzxWiVpExHRacdFNXy3xroM HTTP/1.1" 404 27 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

local testing issues

Hi!

I'm trying to setup and test this plugin on my local machine before production deployment, but I'm having no luck getting through the sanity checks or any kind of test.

First, here's my kong config snippet for the dummy service/route:

For example, I tried using ngrok and the sanity check:

$ curl -i http://localhost:8001/acme -d host=0d8ce8edd004.ngrok.io -d test_http_challenge_flow=true
HTTP/1.1 400 Bad Request
Date: Wed, 24 Mar 2021 20:43:08 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Access-Control-Allow-Origin: *
Content-Length: 284
X-Kong-Admin-Latency: 171
Server: kong/2.3.3

{"message":"problem found running sanity check for 0d8ce8edd004.ngrok.io: unexpected response found :<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n<meta charset=\"utf-8\">\n<title>Error</title>\n</head>\n<body>\n<pre>Cannot GET /.well-known/acme-challenge/x</pre>\n</body>\n</html>\n"}

Here's my config snippet for the service:

- connect_timeout: 60000
  name: acme-challenge
  url: http://mockbin.org
  port: 80
  protocol: http
  read_timeout: 60000
  retries: 0
  write_timeout: 60000
  routes:
  - hosts:
     - localhost
     - 0d8ce8edd004.ngrok.io
    name: acme-challenge-well-known
    paths:
    - /.well-known/acme-challenge
    - /.well-known/test
    - /.not-well-known
    #preserve_host: true
    protocols:
    - http
    regex_priority: 0
    strip_path: false

And for the plugin:

- name: acme
  enabled: true
  config:
    account_email: [email protected]
    tos_accepted: true
    storage: kong

Tried with tunnelme as an alternative to ngrok, with the same result.

I thought the acme plugin would take over the routing? Is there something I'm misunderstanding about the required configuration?

Thanks!

Certificate renewed but not used by Kong

Hi. I'm using this plugin (v0.2.7-1) in DB less mode with Redis.

The plugin renews the certificate correctly. However, it does not replace the certificate used by Kong (Nginx, of course); in other words, when I request the API via a browser it still shows the previous certificate, not the new one. For that I need to restart Kong (I'm using the Docker image v2.0.5, so I restart the Kong container).

Is this the expected behavior, or should the plugin replace the certificate used by Kong by itself when it renews it?

This is my configuration in the declarative file:

plugins:
  - name: acme
    config:
      account_email: <email>
      domains:
        - <domain>
      renew_threshold_days: 30
      storage: redis
      storage_config:
        redis:
          auth: <pass>
          port: 6379
          database: 0
          host: redis
      tos_accepted: true

In my kong.conf I have:

lua_ssl_trusted_certificate = /etc/ssl/certs/ca-certificates.crt

ACME responses are blocked by auth plugins

I'm trying to use the ACME plugin to automatically provision TLS certs from LetsEncrypt and have run into a clash with the basic auth plugin. Presumably this will affect other kinds of auth too.

The setup is a simple one:

  • A Kubernetes Ingress resource (path /) that is translated to a route by the Kong ingress controller. This is for the Kong admin service, which of course should not be exposed without auth. As the path is / I think this satisfies the requirement that /.well-known/acme-challenge/... fall inside a route served by Kong.
  • A KongPlugin containing an instance of the basic auth plugin with a single KongConsumer setup. I've tested this and auth is being applied correctly.
  • A KongClusterPlugin setting up the acme plugin. As it is a cluster-level plugin this will apply to all routes.

As expected the acme plugin tries to get a cert from LetsEncrypt. But LE's calls to http://my.domain/.well-known/acme-challenge/... are met with a 401 response.

To verify there isn't some other problem with the setup I've tried again with basic auth disabled; in that case the acme plugin is able to get a cert without any problem.

I believe what's wrong is that the ACME plugin runs with a lower priority (999) than basic-auth's (1001). Unfortunately at the present time Kong gives no way for the user to adjust plugin priorities. I cannot think of any reason why a user would want their ACME responses protected by auth, so please can the priority be adjusted so that the acme plugin runs first?

acme error on docker-kong

Hello, I am running Kong from the official Docker image (:latest and :2.1) and trying to set up the ACME plugin. I have a dummy service and route, and when I try to invoke the domain with curl -k I get this:

 handler.lua:104 failed to update certificate: acme directory request failed: 18: self signed certificate

The DB is postgres:9. I have this KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/ssl/certs/ca-certificates.crt in the env.

It seems that it doesn't like /etc/ssl/certs/ca-certificates.crt; I checked, the file is there…

Problems renewing the certificates

Hi
I have some problems with renewing my certificates.

When I create a new one, it works well because I still don't have a route to redirect the requests to my cluster.
Once I create the route(on Kong Service), the requests will be redirected, after this, the renewing doesn't work.

What I do to solve this is removing the route(on Kong Service), and remove the certificate, and create it again.

I tried to force a renewal with curl http://localhost:8001/acme -d host=domain.com, and I receive the request from Letsencrypt. But it didn't renew the certificate.

Is there any other option to solve this?

I'm using Kong with Docker, version 2.1.4, and ACME with Redis.
Conf.:

docker run -d --name kong \
     --network=kong-net \
     --restart unless-stopped \
     -e "KONG_DATABASE=postgres" \
     -e "KONG_PG_HOST=127.0.0.1" \
     -e "KONG_PG_PORT=5432" \
     -e "KONG_PG_PASSWORD=pass" \
     -e "KONG_CASSANDRA_CONTACT_POINTS=127.0.0.1" \
     -e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
     -e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
     -e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
     -e "KONG_ADMIN_LISTEN=0.0.0.0:8001, 0.0.0.0:8444 ssl" \
     -e "KONG_PROXY_LISTEN=0.0.0.0:80, 0.0.0.0:443 ssl" \
     -e "KONG_NGINX_PROXY_PROXY_BUFFER_SIZE=256k" \
     -e "KONG_NGINX_PROXY_PROXY_BUFFERS=64 512k" \
     -e "KONG_NGINX_PROXY_PROXY_BUSY_BUFFERS_SIZE=512k" \
     -e "KONG_LUA_SSL_TRUSTED_CERTIFICATE=/etc/ssl/certs/ca-certificates.crt" \
     -p 80:80 \
     -p 443:443 \
     -p 8001:8001 \
     kong:2.1.4

Periodic renew throwing an error

Hi,

The periodic renew routine is always causing the error below. Any idea why?

Debug log:

2020/08/03 18:49:34 [info] 22#0: *2460 [kong] client.lua:326 renew storage configured in acme plugin: ee8cd615-32c6-4bfe-8022-b3c1c7dcd49f, context: ngx.timer
2020/08/03 18:49:34 [debug] 22#0: *2460 [lua] events.lua:211: do_event(): worker-events: handling event; source=dao:crud, event=update, pid=nil, data=table: 0x7f646cede748
2020/08/03 18:49:34 [debug] 22#0: *2460 [lua] cache.lua:300: invalidate_local(): [DB cache] invalidating (local): 'acme_storage:kong_acme:renew_last_run::::'
2020/08/03 18:49:34 [debug] 22#0: *2460 [lua] events.lua:211: do_event_json(): worker-events: handling event; source=mlcache, event=mlcache:invalidations:kong_db_cache, pid=22, data=acme_storage:kong_acme:renew_last_run::::
2020/08/03 18:49:34 [debug] 22#0: *2460 [lua] cache.lua:321: invalidate(): [DB cache] broadcasting (cluster) invalidation for key: 'acme_storage:kong_acme:renew_last_run::::' with delay: 'none'
2020/08/03 18:49:34 [debug] 22#0: *2460 [lua] events.lua:211: do_event(): worker-events: handling event; source=crud, event=acme_storage, pid=nil, data=table: 0x7f646cede748
2020/08/03 18:49:34 [debug] 22#0: *2460 [lua] events.lua:211: do_event(): worker-events: handling event; source=crud, event=acme_storage:update, pid=nil, data=table: 0x7f646cede748
2020/08/03 18:49:34 [error] 22#0: *2460 lua entry thread aborted: runtime error: /usr/local/share/lua/5.1/resty/openssl/x509/init.lua:278: attempt to index local 'self' (a nil value)
stack traceback:
coroutine 0:
	/usr/local/share/lua/5.1/resty/openssl/x509/init.lua: in function 'get_not_after'
	/usr/local/share/lua/5.1/kong/plugins/acme/client.lua:287: in function 'renew_certificate_storage'
	/usr/local/share/lua/5.1/kong/plugins/acme/client.lua:327: in function </usr/local/share/lua/5.1/kong/plugins/acme/client.lua:311>, context: ngx.time

Kong version 2.0.3. Tried 2.1.0 and the error is the same.

Thank you.

selecting 'kong' storage does not work and inconsistent behaviour of cert storage location when using vault as storage when running kong in hybrid mode

Hello,

I've been testing the acme plugin on my kong hybrid mode setup which consists of 1 control plane and 1 data plane node.
I did not see any section in the documentation specifically pertaining to kong hybrid mode setups so I'll post my issue here and hope it gets picked up or someone can point me in the right direction.

The issue I have encountered is that the plugin does not function when setting storage to kong, the /.well-known/acme-challenge is not intercepted, i.e., the path /.well-known/acme-challenge/x does not return Not Found.
I'm assuming this is due to the nature of hybrid mode, the data plane is technically running in "DB-less" mode, although the control plane does have a Postgres DB.
To check if it is indeed selecting kong as the storage that is causing the plugin to not function, I changed the storage to shm and the plugin started working as querying the acme-challenge path does return a Not Found.

As I would like my certs to persist even with restarts, but the kong storage was not working, I chose vault for storage and input the relevant configs to connect with my vault instance. This is where I observed some inconsistencies in cert storage location.

If I triggered a cert creation or renewal from the control plane with the provided command
curl http://localhost:8001/acme -d host=mydomain.com the certs and keys actually get stored in the Postgres DB under certificates table, while some other configs for the certs are stored in vault.
If I triggered a cert creation by hitting the domain using curl https://mydomain.com -k instead, the certs are stored in vault together with the relevant configs.

This is my first attempt at configuring Kong and the acme plugin and may have missed out some details.
Ideally, I would be able to get the plugin to work with storage as kong and leave vault out of the equation entirely as that would be an additional dependency. But if that is not possible due to the nature of hybrid mode then I hope there can be some guidance on how to prevent the inconsistency in cert storage location so that the entire setup can be cleaner.

Thanks in advance!

no corresponding response found for....

Hello!

I'm sorry if this problem has already been resolved, but I haven't been able to fix it yet.
What happens is that I can successfully renew the certificate manually, but automatically it fails and I get a 404 error code back.
I get the following error logs:

[warn] 26#0: *22963418 [lua] http-01.lua:54: serve_challenge(): no corresponding response found for MyCRY_0K7bQ5rcf2wFGLBZ13KDNNywO24TKvSN-pBc8, client: 64.78.149.164, server: kong, request: "GET /.well-known/acme-challenge/MyCRY_0K7bQ5rcf2wFGLBZ13KDNNywO24TKvSN-pBc8 HTTP/1.1", host: "subdomain.demo.mydomain.com" 

"GET /.well-known/acme-challenge/MyCRY_0K7bQ5rcf2wFGLBZ13KDNNywO24TKvSN-pBc8 HTTP/1.1" 404 27 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
[lua] certificate.lua:38: log(): [ssl] failed to fetch SNI: failed to fetch 'my_server_ip SNI: [postgres] must not be an IP, context: ssl_certificate_by_lua*, client: 64.62.197.62, server: 0.0.0.0:8443

Thank you in advance for your answer!

Failed to renew certs when http-01 fails for a domain

We have noticed that some of our domain certificates aren't getting renewed by the scheduled worker process but works fine when we use the /acme -d [domain] endpoint (version 0.2.10).

Looking at the code for client.renew_certificate(), it seems the following line of code returns from the loop when update_certificate() fails for a domain
https://github.com/Kong/kong-plugin-acme/blob/master/kong/plugins/acme/client.lua#L367

For us this was failing due to a http-01 challenge failure as the particular domain isn't pointing to us anymore.

Shouldn't it be continuing with the loop rather than returning, so that it renews the rest of the domains in the storage? Or is there a recommended alternative for handling this case?
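The two renewal issues above ("Periodic renew throwing an error", where reading a stored certificate's expiry aborted the timer, and this one, where one failing http-01 challenge stopped the sweep for every other domain) describe the same failure mode: a per-domain error escaping the loop. The following is an added example, not the plugin's code, of a renewal sweep that isolates each domain's outcome and continues. The storage, the parsed-certificate record and the ordering callback are constructed stand-ins; the threshold value of 14 days mirrors `renew_threshold_days` as shown in the configs on this page.

```python
"""Model of a renewal sweep that tolerates per-domain failures.

Added example, not the plugin's own code. Two failure modes are handled:
a stored certificate whose expiry cannot be read (modelled as not_after=None)
and a domain whose challenge fails (modelled by the order callback raising).
Each outcome is recorded and the loop moves on to the next domain instead of
returning early.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

RENEW_THRESHOLD_DAYS = 14  # matches renew_threshold_days in the configs above


@dataclass
class StoredCert:
    host: str
    not_after: Optional[datetime]  # None: certificate could not be parsed


@dataclass
class SweepResult:
    renewed: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)  # not yet due
    failed: Dict[str, str] = field(default_factory=dict)  # host -> reason


def needs_renewal(cert: StoredCert, now: datetime,
                  threshold_days: int = RENEW_THRESHOLD_DAYS) -> bool:
    """Due when the certificate expires within the threshold window.

    Raises instead of dereferencing a missing expiry, so the caller can
    attribute the problem to this host rather than crash the whole sweep.
    """
    if cert.not_after is None:
        raise ValueError("stored certificate could not be parsed; no not_after")
    return cert.not_after - now <= timedelta(days=threshold_days)


def renew_all(storage: Dict[str, StoredCert],
              order_fn: Callable[[str], None],
              now: datetime,
              threshold_days: int = RENEW_THRESHOLD_DAYS) -> SweepResult:
    """Walk every stored host; one host's failure never stops the others."""
    result = SweepResult()
    for host, cert in storage.items():
        try:
            if not needs_renewal(cert, now, threshold_days):
                result.skipped.append(host)
                continue
            order_fn(host)  # challenge + issuance; raises on failure
            result.renewed.append(host)
        except Exception as exc:  # record and continue, do not return
            result.failed[host] = str(exc)
    return result


def demo_sweep() -> SweepResult:
    """Constructed sample storage exercising every branch of the sweep."""
    now = datetime(2020, 8, 3, tzinfo=timezone.utc)
    storage = {
        "fresh.example.com": StoredCert("fresh.example.com", now + timedelta(days=60)),
        "due.example.com": StoredCert("due.example.com", now + timedelta(days=10)),
        "broken.example.com": StoredCert("broken.example.com", None),
        "gone.example.com": StoredCert("gone.example.com", now + timedelta(days=5)),
    }

    def order_fn(host: str) -> None:
        # Stand-in for the ACME order: the domain no longer points at us.
        if host == "gone.example.com":
            raise RuntimeError("http-01 challenge invalid: 404")

    return renew_all(storage, order_fn, now)


if __name__ == "__main__":
    r = demo_sweep()
    print("renewed:", r.renewed)
    print("skipped:", r.skipped)
    print("failed:", r.failed)
```

The design point is that `failed` is a per-host map rather than a single return value: a scheduler can log or alert on it after the sweep, while hosts that are still valid get renewed on time. A broken or stale entry left in storage is then visible in the log on every run instead of silently blocking the rest.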

plugin not found 2.0.0rc1

Trying to use the plugin on Kong 2.0.0. I can see it exists in the rocks folder, but when I call the Kong admin API to enable it, it says it couldn't be found. Do I need to enable it some other way?

Fails to obtain certificate, getting strange error log

Hi, I am experiencing a weird issue. Looking at the log file, I get the following error:

stack traceback:
coroutine 0:
	[C]: in function '__index'
	/usr/local/openresty/lualib/resty/core/socket_tcp.lua:91: in function 'tlshandshake'
	/usr/local/openresty/lualib/resty/core/socket_tcp.lua:164: in function 'ssl_handshake'
	/usr/local/share/lua/5.1/resty/http.lua:920: in function 'request_uri'
	/usr/local/share/lua/5.1/resty/acme/client.lua:100: in function 'init'
	/usr/local/share/lua/5.1/kong/plugins/acme/client.lua:82: in function 'order'
	/usr/local/share/lua/5.1/kong/plugins/acme/client.lua:214: in function 'update_certificate'
	/usr/local/share/lua/5.1/kong/plugins/acme/handler.lua:102: in function </usr/local/share/lua/5.1/kong/plugins/acme/handler.lua:101>, context: ngx.timer, client: 89.218.8.110, server: 0.0.0.0:8443

in my kong.conf I have the line:
nginx_proxy_lua_ssl_trusted_certificate = /etc/ssl/certs/ca-certificates.crt

Output of ls -lah /etc/ssl/certs/ca-certificates.crt:
-rw-r--r-- 1 root root 203K Nov 27 04:09 /etc/ssl/certs/ca-certificates.crt

UNIQUE violation detected

I get the error below when I want to create a new certificate.

{"message":"UNIQUE violation detected on '{consumer=null,name="acme",route=null,service=null}'","name":"unique constraint violation","fields":{"service":null,"name":"acme","route":null,"consumer":null},"code":5

The installation followed the guide below:
https://docs.konghq.com/hub/kong-inc/acme/#create-certificates
but I can't create and enable a certificate for any address; you can see the errors:

$ curl http://localhost:8001/service \
    -d name=acme-dummy \
    -d url=http://127.0.0.1:65535

{"message":"Not found"}

$ curl http://localhost:8001/routes \
    -d name=acme-dummy \
    -d paths[]=/.well-known/acme-challenge \
    -d service.name=acme-dummy

{"id":"85cc0abe-e21b-4c9c-962c-42a898054b56","path_handling":"v0","paths":["/.well-known/acme-challenge"],"destinations":null,"headers":null,"protocols":["http","https"],"created_at":1596298015,"snis":null,"service":{"id":"8e6a71a5-1ca7-48c2-b090-2c67e770006c"},"name":"acme-dummy","strip_path":true,"preserve_host":false,"regex_priority":0,"updated_at":1596298015,"sources":null,"methods":null,"https_redirect_status_code":426,"hosts":null,"tags":null}

$ curl http://localhost:8001/plugins \
    -d name=acme \
    -d config.account_email=[email protected] \
    -d config.tos_accepted=true \
    -d config.domains[]=my.secret.domains.com

{"message":"UNIQUE violation detected on '{consumer=null,name="acme",route=null,service=null}'","name":"unique constraint violation","fields":{"service":null,"name":"acme","route":null,"consumer":null},"code":5}

what is the problem?
how can I resolve this problem?
thanks

Problems with certificate persistence

Hello!

I am trying to couple Kong with Vault for certificate persistent storage. I managed to spin up the Vault and Kong services, I got a certificate, so far, so good, but I needed to restart the Kong service and my certificate was lost. Could someone tell me why this happened?

The stack file:

version: "3.8"

services:
  vault:
    image: vault 
    volumes:
      - vault-config-nfs:/vault/config
      - vault-file-nfs:/vault/file
  reverse-proxy:
    image: kong:latest
    volumes:
      - load-balancer-kong-nfs:/usr/local/kong/declarative
    ports:
      - 80:8000
      - 443:8443
      - 8001:8001
      - 8444:8444
    environment:
      KONG_DATABASE: 'off'
      KONG_DECLARATIVE_CONFIG: /usr/local/kong/declarative/kong.yml
      KONG_PROXY_ACCESS_LOG: /dev/stdout
      KONG_ADMIN_ACCESS_LOG: /dev/stdout
      KONG_PROXY_ERROR_LOG: /dev/stderr
      KONG_ADMIN_ERROR_LOG: /dev/stderr
      KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
      KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/ssl/cert.pem
    deploy:
      placement:
        constraints: [node.role == manager]

volumes:
  load-balancer-kong-nfs:
    driver: nfs
    driver_opts:
      share: nfs-ip/load-balancer/kong-config
  vault-config-nfs:
    driver: nfs
    driver_opts:
      share: nfs-ip/vault/config
  vault-file-nfs:
    driver: nfs
    driver_opts:
      share: nfs-ip/vault/file

The kong.yml file:

_format_version: "1.1"
services:
  - name: dummy-lb
    url: http://dummy_api-gateway:8000
    routes:
      - name: dummy-api-gateway
        hosts:
          - dns1.dummy.com
          - dns2.dummy.com
        preserve_host: true
        paths:
          - /
plugins:
  - name: acme
    config:
      account_email: [email protected]
      domains:
        - dns1.dummy.com
        - dns2.dummy.com
      tos_accepted: true
      storage_config:
        vault:
          host: vault
          port: 8200
          kv_path: acme
          token: nil  
          timeout: 2000

The Vault config file:

{
    "backend": {
        "file": {
            "path": "/vault/file"
        }
    },
    "default_lease_ttl": "336h",
    "max_lease_ttl": "8760h",
    "disable_mlock": true
}

I got my cert using the command from the example: curl https://dns1.dummy.com -k, but after I restarted my Kong service, the certificate was gone. I thought I had to use Vault because it persists the certificate.

Please help me! Thank you in advance!
