anilaws opened a new issue, #1909: URL: https://github.com/apache/apisix-ingress-controller/issues/1909
### Description

**Goal**: Have two routes, one should be protected using TLS and one should be unprotected.

**Issue**: A client certificate is being asked for on every URI request.

- Deployed APISIX on EKS using Helm
- Created the SSL object using the curl command mentioned in the document https://apisix.apache.org/docs/apisix/next/tutorials/client-to-apisix-mtls/
- When I check the SSL object created using the Admin API, it looks fine to me

```
{
  "value": {
    "validity_end": 1694303999,
    "client": {
      "ca": "-----BEGIN CERTIFICATE-----\nCA\n-----END CERTIFICATE-----",
      "depth": 20,
      "skip_mtls_uri_regex": [
        "/anything.*"
      ]
    },
    "status": 1,
    "id": "1",
    "cert": "-----BEGIN CERTIFICATE-----\nservercert-----\nEND CERTIFICATE-----",
    "type": "server",
    "key": "server cert key",
    "snis": [
      "test.domain.com"
    ],
    "update_time": 1684429122,
    "create_time": 1684428603,
    "validity_start": 1660003200
  },
  "key": "/apisix/ssls/1",
  "modifiedIndex": 4331,
  "createdIndex": 4326
}
```

- If you notice the response above, the key section doesn't have -----BEGIN RSA PRIVATE KEY----- at the beginning and -----END RSA PRIVATE KEY----- at the end.
- **I have noticed that if I create the SSL object using the Admin API I have the option to input a CA cert, whereas using the dashboard I can't input a CA cert**
- If I input the certificate and private key using the dashboard, I was able to see -----BEGIN RSA PRIVATE KEY----- at the beginning and -----END RSA PRIVATE KEY----- at the end of the key section of the SSL object
- `curl -X GET -v https://test.domain.com/anything/foo/bar --cacert ca.crt` gives me the error 696397 SSL_do_handshake() failed (SSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate) while SSL handshaking
- `curl -X GET -v --cert clientcert --cert-type P12 https://test.domain.com/anything/foo/bar` works

### Environment

- APISIX version (run `apisix version`): 3.3.0
- Operating system (run `uname -a`): Linux apisix-67b9ff86c7-fnpsd 5.15.93-55.139.amzn2.x86_64 apache/apisix#1 SMP Tue Feb 14 21:47:11 UTC 2023 x86_64 GNU/Linux
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): nginx version: openresty/1.21.4.1 built by gcc 10.2.1 20210110 (Debian 10.2.1-6
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): etcd_version":"3.5.0
- APISIX Dashboard version, if relevant: 3.0.0
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run `luarocks --version`):
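A small audit of the stored SSL object described in the issue, as an added example that is not part of the original report or the APISIX project: it reports which fields carry PEM armor and which request paths match an entry in `skip_mtls_uri_regex`. The function name `audit_ssl_object`, the sample values, and the use of Python's `re` with unanchored search to approximate the gateway's regex matching are assumptions; it inspects the object only and does not tell you whether the running APISIX version honors the field.

```python
import json
import re

# Constructed sample: same shape as the SSL object in the issue, placeholder values.
SAMPLE = json.dumps({
    "key": "/apisix/ssls/1",
    "value": {
        "id": "1",
        "type": "server",
        "snis": ["test.domain.com"],
        "cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        "key": "opaque-placeholder-without-pem-armor",
        "client": {
            "ca": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
            "depth": 20,
            "skip_mtls_uri_regex": ["/anything.*"],
        },
    },
})

# Matches a PEM block and captures its label (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_ARMOR = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def audit_ssl_object(raw, paths):
    """Report PEM armor per field and which request paths match a skip pattern."""
    value = json.loads(raw)["value"]
    client = value.get("client", {})
    fields = {"cert": value.get("cert", ""), "key": value.get("key", ""),
              "client.ca": client.get("ca", "")}
    armor = {}
    for name, text in fields.items():
        m = PEM_ARMOR.search(text)
        armor[name] = m.group(1) if m else None  # None: no PEM header/footer found
    patterns = [re.compile(p) for p in client.get("skip_mtls_uri_regex", [])]
    # Assumption: unanchored search, so "/anything.*" also matches mid-path.
    skipped = {p: any(rx.search(p) for rx in patterns) for p in paths}
    return {"mtls_configured": bool(client.get("ca")), "armor": armor, "skipped": skipped}


if __name__ == "__main__":
    report = audit_ssl_object(SAMPLE, ["/anything/foo/bar", "/get", "/v1/anything"])
    print(json.dumps(report, indent=2))
```

Because the pattern in the issue is unanchored, a path such as `/v1/anything` is also reported as skipping client verification; anchor the pattern with `^` if only the `/anything` prefix should be exempt.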
