SSL connection to cassandra cluster #2528

Closed
mrafieee opened this issue May 15, 2017 · 9 comments

@mrafieee

Note: GitHub issues should be reserved only for bug reports. Please use the
Kong mailing list or
Gitter for user support, development
questions, feature requests, etc.

Summary

I am running Kong on Docker. Although the local Cassandra container is working fine, when I try to connect to my Cassandra cluster over SSL, I receive this error:

/usr/local/share/lua/5.1/kong/cmd/start.lua:18: [cassandra error] all hosts tried for query failed. x.x.x.x: SSL handshake: certificate verify failed. x.x.x.x: SSL handshake: certificate verify failed. x.x.x.x: SSL handshake: certificate verify failed
stack traceback:
	[C]: in function 'assert'
	/usr/local/share/lua/5.1/kong/cmd/start.lua:18: in function 'cmd_exec'
	/usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:88>
	[C]: in function 'xpcall'
	/usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:45>
	/usr/local/bin/kong:5: in function 'file_gen'
	init_worker_by_lua:38: in function <init_worker_by_lua:36>
	[C]: in function 'pcall'
	init_worker_by_lua:45: in function <init_worker_by_lua:43>

My Kong version is 0.10.2.
These are my logs; it seems that all the needed variables are being picked up via environment variables:

2017/05/12 18:27:29 [debug] KONG_LUA_SSL_VERIFY_DEPTH ENV found with "5"
2017/05/12 18:27:29 [debug] KONG_CASSANDRA_CONTACT_POINTS ENV found with "x.x.x.x"
2017/05/12 18:27:29 [debug] KONG_LUA_SSL_TRUSTED_CERTIFICATE ENV found with "/root/cluster-ca-certificate.pem"
2017/05/12 18:27:29 [debug] KONG_CASSANDRA_PASSWORD ENV found with "******"
2017/05/12 18:27:29 [debug] KONG_NGINX_DAEMON ENV found with "off"
2017/05/12 18:27:29 [debug] KONG_CASSANDRA_USERNAME ENV found with "iccassandra"
2017/05/12 18:27:29 [debug] KONG_CASSANDRA_SSL_VERIFY ENV found with "on"
2017/05/12 18:27:29 [debug] KONG_DATABASE ENV found with "cassandra"
2017/05/12 18:27:29 [debug] KONG_CASSANDRA_SSL ENV found with "on"

My certificate is working fine when I try cqlsh.
Do we have an open issue for this?

Steps To Reproduce

  1. run cassandra with SSL secured
  2. change environment variables to SSL secured cassandra
  3. pass certificate as pem
  4. run docker container from https://github.com/Mashape/docker-kong

Additional Details & Logs

  • Kong version (0.10.2)
  • Kong debug-level startup logs ($ kong start --vv)
  • Kong error logs (<KONG_PREFIX>/logs/error.log)
  • Kong configuration (registered APIs/Plugins & configuration file)
  • Operating System
@ukayani

ukayani commented May 15, 2017

+1

thibaultcha added a commit that referenced this issue May 15, 2017
Set LuaSocket's `cafile` option when we are in a context that does not
support cosockets.

Fix #2528
See thibaultcha/lua-cassandra#95
@thibaultcha
Member

Hi,

Thanks for the report. A fix is in #2531, which depends on thibaultcha/lua-cassandra#95.

@mrafieee
Author

If this will be the new release in lua-cassandra, kong-0.10.2-0.rockspec should be updated with the new version of lua-cassandra.

thibaultcha added a commit that referenced this issue May 17, 2017
Set LuaSocket's `cafile` option when we are in a context that does not
support cosockets.

Fix #2528
See thibaultcha/lua-cassandra#95
@thibaultcha
Member

@mrafieee Now that lua-cassandra 1.2.2 has been released, would you mind applying the patch at #2531 on your side and letting us know if your SSL connection issues are resolved? Thanks!

@mrafieee
Author

mrafieee commented May 18, 2017

@thibaultcha Sure. Can you help me make an RPM out of the source code, or change the lua-cassandra version to 1.2.2? I am currently using https://github.com/Mashape/kong/releases/download/0.10.2/kong-0.10.2.aws.rpm. Thanks!

@mrafieee
Author

mrafieee commented May 18, 2017

@thibaultcha We do not have that issue any more while verify is off, but it fails in another step.

KONG_CASSANDRA_SSL_VERIFY=off

2017/05/18 21:56:23 [verbose] Kong: 0.10.2
2017/05/18 21:56:23 [debug] ngx_lua: 10007
2017/05/18 21:56:23 [debug] nginx: 1011002
2017/05/18 21:56:23 [debug] Lua: LuaJIT 2.1.0-beta2
2017/05/18 21:56:23 [verbose] no config file found at /etc/kong/kong.conf
2017/05/18 21:56:23 [verbose] no config file found at /etc/kong.conf
2017/05/18 21:56:23 [verbose] no config file, skipping loading
2017/05/18 21:56:23 [debug] KONG_CASSANDRA_CONTACT_POINTS ENV found with "x.x.x.x"
2017/05/18 21:56:23 [debug] KONG_LUA_SSL_TRUSTED_CERTIFICATE ENV found with "/root/cluster-ca-certificate.pem"
2017/05/18 21:56:23 [debug] KONG_CASSANDRA_PASSWORD ENV found with "******"
2017/05/18 21:56:23 [debug] KONG_NGINX_DAEMON ENV found with "off"
2017/05/18 21:56:23 [debug] KONG_CASSANDRA_USERNAME ENV found with "**********"
2017/05/18 21:56:23 [debug] KONG_CASSANDRA_SSL_VERIFY ENV found with "off"
2017/05/18 21:56:23 [debug] KONG_DATABASE ENV found with "cassandra"
2017/05/18 21:56:23 [debug] KONG_CASSANDRA_SSL ENV found with "on"
2017/05/18 21:56:23 [debug] admin_listen = "0.0.0.0:8001"
2017/05/18 21:56:23 [debug] admin_listen_ssl = "0.0.0.0:8444"
2017/05/18 21:56:23 [debug] admin_ssl = true
2017/05/18 21:56:23 [debug] anonymous_reports = true
2017/05/18 21:56:23 [debug] cassandra_consistency = "ONE"
2017/05/18 21:56:23 [debug] cassandra_contact_points = {"x.x.x.x"}
2017/05/18 21:56:23 [debug] cassandra_data_centers = {"dc1:2","dc2:3"}
2017/05/18 21:56:23 [debug] cassandra_keyspace = "kong"
2017/05/18 21:56:23 [debug] cassandra_lb_policy = "RoundRobin"
2017/05/18 21:56:23 [debug] cassandra_password = "******"
2017/05/18 21:56:23 [debug] cassandra_port = 9042
2017/05/18 21:56:23 [debug] cassandra_repl_factor = 1
2017/05/18 21:56:23 [debug] cassandra_repl_strategy = "SimpleStrategy"
2017/05/18 21:56:23 [debug] cassandra_schema_consensus_timeout = 10000
2017/05/18 21:56:23 [debug] cassandra_ssl = true
2017/05/18 21:56:23 [debug] cassandra_ssl_verify = false
2017/05/18 21:56:23 [debug] cassandra_timeout = 5000
2017/05/18 21:56:23 [debug] cassandra_username = "**********"
2017/05/18 21:56:23 [debug] cluster_listen = "0.0.0.0:7946"
2017/05/18 21:56:23 [debug] cluster_listen_rpc = "127.0.0.1:7373"
2017/05/18 21:56:23 [debug] cluster_profile = "wan"
2017/05/18 21:56:23 [debug] cluster_ttl_on_failure = 3600
2017/05/18 21:56:23 [debug] custom_plugins = {}
2017/05/18 21:56:23 [debug] database = "cassandra"
2017/05/18 21:56:23 [debug] dns_hostsfile = "/etc/hosts"
2017/05/18 21:56:23 [debug] dns_resolver = {}
2017/05/18 21:56:23 [debug] latency_tokens = true
2017/05/18 21:56:23 [debug] log_level = "notice"
2017/05/18 21:56:23 [debug] lua_code_cache = "on"
2017/05/18 21:56:23 [debug] lua_package_cpath = ""
2017/05/18 21:56:23 [debug] lua_package_path = "?/init.lua;./kong/?.lua"
2017/05/18 21:56:23 [debug] lua_socket_pool_size = 30
2017/05/18 21:56:23 [debug] lua_ssl_trusted_certificate = "/root/cluster-ca-certificate.pem"
2017/05/18 21:56:23 [debug] lua_ssl_verify_depth = 1
2017/05/18 21:56:23 [debug] mem_cache_size = "128m"
2017/05/18 21:56:23 [debug] nginx_daemon = "off"
2017/05/18 21:56:23 [debug] nginx_optimizations = true
2017/05/18 21:56:23 [debug] nginx_worker_processes = "auto"
2017/05/18 21:56:23 [debug] pg_database = "kong"
2017/05/18 21:56:23 [debug] pg_host = "127.0.0.1"
2017/05/18 21:56:23 [debug] pg_port = 5432
2017/05/18 21:56:23 [debug] pg_ssl = false
2017/05/18 21:56:23 [debug] pg_ssl_verify = false
2017/05/18 21:56:23 [debug] pg_user = "kong"
2017/05/18 21:56:23 [debug] prefix = "/usr/local/kong/"
2017/05/18 21:56:23 [debug] proxy_listen = "0.0.0.0:8000"
2017/05/18 21:56:23 [debug] proxy_listen_ssl = "0.0.0.0:8443"
2017/05/18 21:56:23 [debug] serf_path = "serf"
2017/05/18 21:56:23 [debug] server_tokens = true
2017/05/18 21:56:23 [debug] ssl = true
2017/05/18 21:56:23 [debug] upstream_keepalive = 60
2017/05/18 21:56:23 [verbose] prefix in use: /usr/local/kong
2017/05/18 21:56:24 [verbose] preparing nginx prefix directory at /usr/local/kong
2017/05/18 21:56:24 [verbose] saving serf identifier to /usr/local/kong/serf/serf.id
2017/05/18 21:56:24 [debug] searching for OpenResty 'resty' executable
2017/05/18 21:56:24 [debug] /usr/local/openresty/bin/resty -V: 'nginx version: openresty/1.11.2.2'
2017/05/18 21:56:24 [debug] found OpenResty 'resty' executable at /usr/local/openresty/bin/resty
2017/05/18 21:56:24 [verbose] saving serf shell script handler to /usr/local/kong/serf/serf_event.sh
2017/05/18 21:56:24 [verbose] SSL enabled, no custom certificate set: using default certificate
2017/05/18 21:56:24 [verbose] default SSL certificate found at /usr/local/kong/ssl/kong-default.crt
2017/05/18 21:56:24 [verbose] Admin SSL enabled, no custom certificate set: using default certificate
2017/05/18 21:56:24 [verbose] admin SSL certificate found at /usr/local/kong/ssl/admin-kong-default.crt
2017/05/18 21:56:24 [verbose] running datastore migrations
2017/05/18 21:56:24 [verbose] could not start Kong, stopping services
2017/05/18 21:56:24 [verbose] leaving serf cluster
2017/05/18 21:56:24 [verbose] stopped services
Error: 
/usr/local/share/lua/5.1/kong/cmd/start.lua:34: /usr/local/share/lua/5.1/kong/dao/factory.lua:316: attempt to concatenate local 'err' (a nil value)
stack traceback:
	[C]: in function 'error'
	/usr/local/share/lua/5.1/kong/cmd/start.lua:34: in function 'cmd_exec'
	/usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:88>
	[C]: in function 'xpcall'
	/usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:45>
	/usr/local/bin/kong:5: in function 'file_gen'
	init_worker_by_lua:38: in function <init_worker_by_lua:36>
	[C]: in function 'pcall'
	init_worker_by_lua:45: in function <init_worker_by_lua:43>

KONG_CASSANDRA_SSL_VERIFY=on

2017/05/18 21:52:40 [verbose] prefix in use: /usr/local/kong
Error: 
/usr/local/share/lua/5.1/kong/cmd/start.lua:18: [cassandra error] all hosts tried for query failed. x.x.x.x: SSL handshake: certificate verify failed
stack traceback:
	[C]: in function 'assert'
	/usr/local/share/lua/5.1/kong/cmd/start.lua:18: in function 'cmd_exec'
	/usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:88>
	[C]: in function 'xpcall'
	/usr/local/share/lua/5.1/kong/cmd/init.lua:88: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:45>
	/usr/local/bin/kong:5: in function 'file_gen'
	init_worker_by_lua:38: in function <init_worker_by_lua:36>
	[C]: in function 'pcall'
	init_worker_by_lua:45: in function <init_worker_by_lua:43>
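
The first run above started with `cassandra_ssl = true` and `cassandra_ssl_verify = false`, so the connection is encrypted but the node's certificate is not checked. An added example (not from the thread or from Kong) that reads the effective settings out of `kong start --vv` output and reports that state; the sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the `kong start --vv` lines quoted above.
SAMPLE_LOG = """\
2017/05/18 21:56:23 [debug] KONG_CASSANDRA_SSL_VERIFY ENV found with "off"
2017/05/18 21:56:23 [debug] cassandra_ssl = true
2017/05/18 21:56:23 [debug] cassandra_ssl_verify = false
2017/05/18 21:56:23 [debug] database = "cassandra"
2017/05/18 21:56:23 [debug] lua_ssl_trusted_certificate = "/root/cluster-ca-certificate.pem"
2017/05/18 21:56:23 [debug] lua_ssl_verify_depth = 1
"""

# Matches the effective-setting lines (`[debug] key = value`), not the
# upper-case `KONG_... ENV found with` lines.
SETTING = re.compile(r'\[debug\] ([a-z_]+) = (.*)$')


def parse_settings(log_text):
    """Return {key: value} for every effective setting in a --vv log."""
    settings = {}
    for line in log_text.splitlines():
        m = SETTING.search(line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip('"')
    return settings


def audit_cassandra_tls(settings):
    """Return a list of findings about the Cassandra TLS settings."""
    if settings.get("database") != "cassandra":
        return []
    findings = []
    ssl_on = settings.get("cassandra_ssl") == "true"
    verify_on = settings.get("cassandra_ssl_verify") == "true"
    if not ssl_on:
        findings.append("cassandra_ssl is off: traffic to the cluster is plaintext")
    elif not verify_on:
        findings.append("cassandra_ssl is on but cassandra_ssl_verify is off: "
                        "the node certificate is not checked")
    if verify_on and not settings.get("lua_ssl_trusted_certificate"):
        findings.append("cassandra_ssl_verify is on but "
                        "lua_ssl_trusted_certificate is not set")
    return findings


if __name__ == "__main__":
    for finding in audit_cassandra_tls(parse_settings(SAMPLE_LOG)):
        print("FINDING:", finding)
```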

@thibaultcha
Member

Did you apply both the lua-cassandra update and the patch in #2531?

@mrafieee
Author

luarocks install lua-cassandra upgrades the version to 1.2.2, and I changed the lua-cassandra version number in /usr/local/lib/luarocks/rocks/kong/0.10.2-0/kong-0.10.2-0.rockspec

@thibaultcha
Member

You still need the patch in #2530, as said. Upgrading to lua-cassandra 1.2.2 won't be enough. You can retrieve this patch at this URL:

https://patch-diff.githubusercontent.com/raw/Mashape/kong/pull/2531.patch

Copy it, and apply it in your installation. Check out the patch command: man patch. In your system, the Kong sources are probably located at /usr/local/share/lua/5.1/kong.

thibaultcha added a commit that referenced this issue May 19, 2017
Set LuaSocket's `cafile` option when we are in a context that does not
support cosockets.

Fix #2528
See thibaultcha/lua-cassandra#95