request help: build OpenResty for APISIX #4383

Closed
whioue opened this issue Jun 7, 2021 · 14 comments
@whioue

whioue commented Jun 7, 2021

Issue description

When I execute build-apisix-openresty.sh, an error is reported, as shown in the figure below.
image
I'm not sure if it's because of the low version of OpenSSL. I tried upgrading to OpenSSL 1.1.1k, but I get the same error.

Environment

CentOS 7
APISIX 2.6 is already installed
image

  • apisix version (cmd: apisix version):
  • OS (cmd: uname -a):
  • OpenResty / Nginx version (cmd: nginx -V or openresty -V):
  • etcd version, if have (cmd: run curl http://127.0.0.1:9090/v1/server_info to get the info from server-info API):
  • apisix-dashboard version, if have:
  • luarocks version, if the issue is about installation (cmd: luarocks --version):
@spacewander
Member

You can use openresty-openssl111, see this PR: https://github.com/api7/apisix-build-tools/pull/40/files

@whioue
Author

whioue commented Jun 7, 2021

> You can use openresty-openssl111, see this PR: https://github.com/api7/apisix-build-tools/pull/40/files

I finished the compilation by modifying build-apisix-openresty.sh, but when I started apisix, it reported an error. I don't know what caused it. I have configured the certificate and can get the result through this command line:

    etcdctl --endpoints="https://127.0.0.1:2379" --cacert="ca.pem" --key="client-key.pem" --cert="client.pem" get /apisix/plugins
image

@spacewander
Member

Have you trusted ca.pem in the

#ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format

@whioue
Author

whioue commented Jun 8, 2021

> Have you trusted ca.pem in the
>
> #ssl_trusted_certificate: /path/to/ca-cert # Specifies a file path with trusted CA certificates in the PEM format

I tried to add a CA certificate, but received this error message
image
My configuration is like this:
image
image
etcd configuration is:
image

@spacewander
Member

Can you send us the

  • ca.pem
  • server.pem
  • server-key.pem
  • client.pem
  • client-key.pem

So we are able to reproduce it on our side?

@spacewander
Member

BTW, what's your etcd version?

@whioue
Author

whioue commented Jun 8, 2021

> Can you send us the
>
>   • ca.pem
>   • server.pem
>   • server-key.pem
>   • client.pem
>   • client-key.pem
>
> So we are able to reproduce it on our side?

ok, thanks. The etcd version: 3.4.13
The file compression package is as follows
etcd_pem.tar.gz

@whioue
Author

whioue commented Jun 9, 2021

> BTW, what's your etcd version?

My etcd version is 3.4.13

@spacewander
Member

I found this in the etcd's error log:

2021-06-09 11:10:13.022735 I | embed: rejected connection from "127.0.0.1:50898" (error "tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage", ServerName "")
WARNING: 2021/06/09 11:10:13 grpc: addrConn.createTransport failed to connect to {127.0.0.1:12379 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...

Maybe it relates to etcd-io/etcd#9785 and etcd-io/etcd#9398
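
The error in the etcd log above is the message Go's crypto/x509 returns when a certificate's Extended Key Usage does not permit the purpose it is being verified for. As an added example (not code from this thread or from the etcd or APISIX projects), the Go program below builds constructed certificates and verifies a serverAuth-only leaf and a clientAuth leaf for client authentication; the helper names `issue` and `Demo` are made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(serial int64, eku []x509.ExtKeyUsage, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("constructed-%d", serial)},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage:  eku, // nil means the certificate carries no EKU extension
	}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid = true, true
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo verifies two leaves for clientAuth, as a Go TLS server does with client certificates.
func Demo() (serverOnly, client error) {
	ca, caKey := issue(1, nil, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	bad, _ := issue(2, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	good, _ := issue(3, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	_, serverOnly = bad.Verify(opts)
	_, client = good.Verify(opts)
	return serverOnly, client
}

func main() {
	fmt.Println(Demo())
}
```

Despite the wording "key usage", the check that fails here is on the Extended Key Usage extension, so a client certificate used for mutual TLS needs clientAuth among its permitted purposes.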

@whioue
Author

whioue commented Jun 9, 2021

> I found this in the etcd's error log:
>
> 2021-06-09 11:10:13.022735 I | embed: rejected connection from "127.0.0.1:50898" (error "tls: failed to verify client's certificate: x509: certificate specifies an incompatible key usage", ServerName "")
> WARNING: 2021/06/09 11:10:13 grpc: addrConn.createTransport failed to connect to {127.0.0.1:12379 0 }. Err :connection error: desc = "transport: authentication handshake failed: remote error: tls: bad certificate". Reconnecting...
>
> Maybe it relates to etcd-io/etcd#9785 and etcd-io/etcd#9398

It may be related to an error in my certificate. Can you provide a certificate that can be used normally?

@spacewander
Member

spacewander commented Jun 9, 2021

https://github.com/apache/apisix/tree/master/t/certs

You can try the /t/certs/mtls_* files.

@whioue
Author

whioue commented Jun 9, 2021

> https://github.com/apache/apisix/tree/master/t/certs
>
> You can try the /t/certs/mtls_* files.

@whioue whioue closed this as completed Jun 9, 2021
@whioue whioue reopened this Jun 9, 2021
@github-actions

This issue has been marked as stale due to 350 days of inactivity. It will be closed in 2 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the [email protected] list. Thank you for your contributions.

@github-actions github-actions bot added the stale label May 25, 2022
@github-actions

github-actions bot commented Jun 9, 2022

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.

@github-actions github-actions bot closed this as completed Jun 9, 2022