Adding the Cassandra SSL certificate to lua_ssl_trusted_certificate #915

Closed
subnetmarco opened this issue Jan 29, 2016 · 5 comments

@subnetmarco
Member

Reimplement this directive https://github.com/Mashape/kong/blob/0.5.4/kong/cli/utils/signal.lua#L106

@subnetmarco
Member Author

This has been implemented with #921.

@mars
Contributor

mars commented Feb 3, 2016

I'm using kong/master at 282481b (which includes this commit) and cannot connect to Cassandra via SSL.

The same error as we experienced together at the meetup is occurring now:

2016/02/03 22:34:17 [error] 73#0: [lua] cluster.lua:84: Cassandra error: NoHostAvailableError: All hosts tried for query failed. 10.1.13.186:9042: SocketError: 18: self signed certificate for socket with peer 10.1.13.186:9042. 10.1.16.105: SocketError: 18: self signed certificate for socket with peer 10.1.16.105. 10.1.60.153: SocketError: 18: self signed certificate for socket with peer 10.1.60.153., context: ngx.timer

I do have the template value in the Nginx config:

nginx: |
  …
  http {
    …
    {{lua_ssl_trusted_certificate}}

I see in the rendered nginx.conf that the value is inserted:

http {
  …
  lua_ssl_trusted_certificate "/app/config/cassandra.cert";

It references a valid certificate file (used successfully with Kong 0.5.4):

~ $ cat /app/config/cassandra.cert
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Our fix of manually inserting the certificate path into the Nginx config as lua_ssl_trusted_certificate '/app/config/cassandra.cert'; no longer works, either.

Kong 0.5.4 can still connect to this Cassandra cluster via SSL using the same certificate, so I'm pretty certain it's not a higher-level Cassandra connection problem.

@thibaultcha
Member

Using the current master I have no problem connecting Kong to my local Cassandra cluster with SSL and certificate verification enabled:

  ssl:
    enabled: true
    verify: true
    certificate_authority: "/path/to/cassandra.pem"

Would you mind giving it a try?

@mars
Contributor

mars commented Feb 4, 2016

Yes! Using kong/master at df123de now allows Cassandra SSL certificates to be verified!

🎆 🍸

@thibaultcha
Member

Very good!
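
An added example, not part of the original thread or of Kong's code: the "18: self signed certificate" text in the log above matches OpenSSL verification code 18, which is reported when a self-signed peer certificate is not present in the trust file in use. The script reproduces that result offline and shows it clearing once the node's own certificate is the trust file. The certificates are constructed throwaway ones, and the function names `make_self_signed`, `classify_trust` and `demo` are hypothetical.

```shell
#!/bin/sh
# Added example: constructed, throwaway certificates (not the reporter's files).

# Create a self-signed certificate for common name $2 at $1.pem (key at $1.key).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Classify how OpenSSL judges certificate $2 when file $1 is the trust file.
# Prints one of: trusted, self-signed-untrusted (code 18), other-failure.
classify_trust() {
    # "|| true": a failed verification must not abort callers running under set -e.
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        # Check the error first: old OpenSSL releases print OK after a code 18 warning.
        *"error 18 "*) echo "self-signed-untrusted" ;;
        *": OK"*)      echo "trusted" ;;
        *)             echo "other-failure" ;;
    esac
}

# Run both cases in a temporary directory and print the verdicts.
demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir/node" "cassandra-node.example.test" || return 1
    make_self_signed "$dir/other" "unrelated.example.test" || return 1
    # Trust file holds an unrelated certificate: the node's cert is rejected.
    echo "unrelated trust file: $(classify_trust "$dir/other.pem" "$dir/node.pem")"
    # Trust file is the node's own certificate: verification succeeds.
    echo "node cert trust file: $(classify_trust "$dir/node.pem" "$dir/node.pem")"
    rm -rf "$dir"
}

demo
```

Running `classify_trust` with the file named in `lua_ssl_trusted_certificate` and a copy of the certificate the Cassandra node actually presents separates a wrong trust file from a setting that is not being applied.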
