Comments (24)
Hi @lukasa1993, can you share the full kong.conf or any other environment variables you are passing to the container?
from kong-plugin-acme.
```yaml
kong:
  image: kong:2.1
  container_name: kong
  environment:
    KONG_PROXY_ACCESS_LOG: /dev/stdout
    KONG_ADMIN_ACCESS_LOG: /dev/stdout
    KONG_PROXY_ERROR_LOG: /dev/stderr
    KONG_ADMIN_ERROR_LOG: /dev/stderr
    KONG_ADMIN_LISTEN: '0.0.0.0:8001'
    KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/ssl/certs/ca-certificates.crt
    KONG_CASSANDRA_CONTACT_POINTS: db
    KONG_DATABASE: 1
    KONG_PG_DATABASE: 2
    KONG_PG_HOST: 3
    KONG_PG_USER: 4
    KONG_PG_PASSWORD: 5
  networks:
    - kong
  ports:
    - "80:8000/tcp"
    - "127.0.0.1:8001:8001/tcp"
    - "443:8443/tcp"
    - "127.0.0.1:8444:8444/tcp"
  healthcheck:
    test: ["CMD", "kong", "health"]
    interval: 10s
    timeout: 10s
    retries: 10
  restart: always
```
This is all; I don't have a custom kong.conf.
I tried :latest as well, same error.
Thanks for sharing that. Now I realize the error is `self signed certificate`. If it's indeed the `KONG_LUA_SSL_TRUSTED_CERTIFICATE` not taking effect, the error will be `unable to verify local issuer certificate`.
So my next question will be: what's the `api_url` you set for the acme plugin? Is it an internal CA other than Let's Encrypt?
@fffonion What do you mean by `api_url`? I used the exact same samples as in the readme; I have the acme-dummy service and route. The CA cert is whatever comes in the docker image, I haven't put it there myself.
@lukasa1993 Do you have any other config fields other than those when adding the plugin?

```shell
$ curl http://localhost:8001/plugins \
  -d name=acme \
  -d [email protected] \
  -d config.tos_accepted=true \
  -d config.domains[]=my.secret.domains.com \
  -d config.domains[]=my.anoother.secret.domains.com
```
I changed storage to KONG, but not in the same command; otherwise it's the same.
But I changed storage to kong after it wasn't working already.
Emm, I can't reproduce that error on my side. Could you send me the docker image ID/hash you are using? It can be viewed by running `docker images`.
Please also share the `localhost:8001/plugins` endpoint output.
```
kong   latest   6cd6bc3dc612   6 days ago   146MB
kong   2.1      0d03308d3ec7   6 days ago   147MB
```

```json
{"next":null,"data":[
  {"created_at":1594839403,"id":"974d46cd-0ae2-4770-a832-2d2d1972ed3e","tags":null,"enabled":true,
   "protocols":["grpc","grpcs","http","https"],"name":"acme","consumer":null,"service":null,"route":null,
   "config":{
     "storage_config":{
       "redis":{"auth":null,"port":null,"database":null,"host":null},
       "shm":{"shm_name":"kong"},
       "vault":{"host":null,"port":null,"token":null,"timeout":null,"https":false,"tls_server_name":null,"kv_path":null,"tls_verify":true},
       "kong":{},
       "consul":{"host":null,"port":null,"token":null,"timeout":null,"https":false,"kv_path":null}},
     "cert_type":"rsa","tos_accepted":true,"storage":"kong","domains":["example.com"],
     "api_uri":"https://acme-v02.api.letsencrypt.org/directory",
     "account_email":"[email protected]","renew_threshold_days":14}},
  {"created_at":1595156003,"id":"fced96c8-dced-46cd-b07c-9338e0efc8f2","tags":null,"enabled":false,
   "protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"service":null,
   "route":{"id":"e931b780-fe8b-4c1b-8dda-364554c78321"},
   "config":{"hide_credentials":true,"anonymous":null}}]}
```
@fffonion I swapped the actual email and domain, but the rest is exactly the same.
Those look good to me. Thanks!
Let's try this: create this file under `/tmp/a.lua`:

```lua
-- Fetch the ACME directory over HTTPS with lua-resty-http; a TLS
-- verification failure shows up in `err`, a success in the body.
local http = require "resty.http"
local hc = http.new()
local a, err = hc:request_uri("https://acme-v02.api.letsencrypt.org/directory")
ngx.say(err)
ngx.say(a and a.body)
```

Run:

```shell
docker run --rm -it -v /tmp/a.lua:/tmp/a.lua kong:2.1 \
  /usr/local/openresty/bin/resty \
  --http-conf "lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;" \
  /tmp/a.lua
```
```console
1@2:~$ vim /tmp/a.lua
1@2:~$ docker run --rm -it -v /tmp/a.lua:/tmp/a.lua kong:2.1 \
> /usr/local/openresty/bin/resty \
> --http-conf "lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;" \
> /tmp/a.lua
{
  "_KAgDpY3LBc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
```
@fffonion Seems this worked.
Didn't mean it solved the problem :) it just returned something.
@lukasa1993 Yeah, that at least verifies the environment is sane. BTW, you are still seeing that error log, right? Meaning it's not an ephemeral thing from the Let's Encrypt side.
@fffonion Still there; I am trying every day, same error.
ATM I am using a Let's Encrypt cert from certbot on the same server and domain without issue.
I still suspect the issue is not related to the trusted certificate, as the error message indicates otherwise.
Okay, let's try to see if the network Kong lives in is behaving correctly:
- `docker exec` into the created kong container, and run a `wget https://acme-v02.api.letsencrypt.org/directory -O -`
- try using a different network in the docker compose file, probably the default `bridge` or `host` network. Is there a custom DNS responder in the `kong` network you are using?
```console
docker exec -it kong bash
bash-5.0$ wget https://acme-v02.api.letsencrypt.org/directory -O -
Connecting to acme-v02.api.letsencrypt.org (172.65.32.248:443)
writing to stdout
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "xPXvcw5Zpwc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
-                    100% |******************************************************************|   658  0:00:00 ETA
written to stdout
bash-5.0$
```
@fffonion I use the bridge network, no DNS setup that I have done, it's all default.
Umm, it worked just now for no apparent reason :(
Emmm, okay, this is really weird.
@fffonion The issue came back after restart… no idea what fixed it and why it's back.
@lukasa1993 I would still put my 5 cents on the network/environment you are running, not the plugin itself, since the Let's Encrypt API is not likely to have a self-signed certificate. But it could also be some deeper bug from connection reuse or something.
I have a super hacky idea for debugging this:
In kong/plugins/acme/client.lua, before line 93:

```lua
local err = acme_client:init()
if err then
  -- add following
  local http = require "resty.http"
  local httpc = http.new()
  -- repeat the directory fetch with verification off, only to learn whether
  -- the failure is TLS verification or something else on the path
  local res, http_err = httpc:request_uri("https://acme-v02.api.letsencrypt.org/directory", {
    method = "GET",
    ssl_verify = false,
  })
  ngx.log(ngx.ERR, "response without ssl_verify: ", res and res.body, " error: ", http_err)
  -- the debug request's error has its own name so the original init()
  -- error is what gets returned
  return nil, nil, err
end
```

You can modify the file on the host and bind-mount it into the container; try to capture the error log when you see the error again.
Closing for inactivity, @lukasa1993 feel free to reopen or create a new issue if you are still seeing issues.
Hard to replicate; still chasing when that happens, seems random.