tokers commented on issue #8568:
URL: https://github.com/apache/apisix/issues/8568#issuecomment-1365755256

   > hservca.pem
   
   That's a normal situation. I want to know after you configure the CA cert to 
APISIX, is it normal for APISIX to communicate with your Keycloak server? From 
the error logs you pasted:
   
   > 2022/12/05 08:19:27 [warn] 49#49: *48972 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
   > 2022/12/05 08:19:27 [alert] 49#49: *48972 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
   > 2022/12/05 08:19:27 [alert] 47#47: *48973 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /favicon.ico HTTP/1.0", host: "apisix.h.net", referrer: "https://apisix.h.net/*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756"
   > 2022/12/05 08:19:27 [error] 48#48: *48980 [lua] openidc.lua:1475: authenticate(): request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
   > 2022/12/05 08:19:27 [error] 48#48: *48980 [lua] openid-connect.lua:315: phase_func(): OIDC authentication failed: request to the redirect_uri path but there's no session state found, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
   > 2022/12/05 08:19:27 [warn] 48#48: *48980 [lua] plugin.lua:934: run_plugin(): openid-connect exits with http status code 500, client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
   > 2022/12/05 08:19:27 [alert] 48#48: *48980 ignoring stale global SSL error (SSL: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt), client: 127.0.0.6, server: _, request: "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0", host: "apisix.h.net"
   > 127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
   > 127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /favicon.ico HTTP/1.0" 302 217 0.000 "https://apisix.h.net/*?state=809e5a967452528b8549511068b99cb1&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=63022b8e-9545-4441-8272-d429d4c8a819.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
   > 127.0.0.6 - - [05/Dec/2022:08:19:27 +0000] apisix.h.net "GET /*?state=f4130a202c1dc0ec165657fab774df10&session_state=29ba412f-4e64-4533-8ce0-0d23ad64fbcd&code=055ab546-bf9a-42b9-b28d-f19a003a12f7.29ba412f-4e64-4533-8ce0-0d23ad64fbcd.755e9ac7-b5a6-46d4-9660-fc6aa23d3756 HTTP/1.0" 500 553 0.000 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0" - - - "http://apisix.h.net"
   
   There is no direct evidence showing it's caused by an unknown CA.

