GuyT2002 opened a new issue, #10293: URL: https://github.com/apache/apisix/issues/10293
### Current Behavior

I've uploaded a certificate via the admin API (as [explained here](https://apisix.apache.org/docs/apisix/certificate/)). It's visible and seems correct in the dashboard.

However, when I cURL the route for the same SNI, I don't receive any TLS communication, but the following error:

```
[guy@localhost self-signed-certs]$ curl https://webserver.guy.ingress:443/ -v
* Trying 20.82.226.230:443...
* Connected to webserver.guy.ingress (20.82.226.230) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```

### Expected Behavior

cURL just works with https, and replies normally.

### Error Logs

This is the full error log of the cURL:

```
[guy@localhost self-signed-certs]$ curl https://webserver.guy.ingress:443/ -v
* Trying 20.82.226.230:443...
* Connected to webserver.guy.ingress (20.82.226.230) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
```

I can also see the following error in the `apisix` pod itself:

```
10.131.0.1 - - [05/Oct/2023:09:05:34 +0000] - "\x16\x03\x01\x00{\x01\x00\x00w\x03\x03\xE5|\x96\x96\x97\x98\xAB\x9E\xFF\x8B\x88\x9D%9\x8A\xB6\xE2\xD4\xAF;\xE3\x89\xF0\x8F\xB9w\xC3J\xC2\xDC\x19\x81\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 229 0.600 "-" "-" - - - "://"
```

### Steps to Reproduce

1. Run APISIX and dashboard with helm. (APISIX and Dashboard use LoadBalancer type service).
2. Create an SSL with the following API request:

```
curl --location --request PUT 'http://4.208.16.165:9180/apisix/admin/ssls/2' \
--header 'x-api-key: qwe123' \
--header 'Content-Type: application/json' \
--data-raw '{
  "snis": ["guys.webserver.test","webserver.guy.ingress", "*.webserver.guy.ingress", "*.guy.ingress", "websocket.guy.ingress","*.websocket.guy.ingress"],
  "cert":"-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----",
  "key":"-----BEGIN RSA PRIVATE KEY-----
[private key body omitted]
-----END RSA PRIVATE KEY-----",
  "validity_end":2011852553,
  "client":{"ca":"-----BEGIN CERTIFICATE-----
[CA certificate body omitted]
-----END CERTIFICATE-----"}
}'
```

3. Create an upstream and route via the dashboard, using this hostname.
4. cURL the hostname (via redirecting) and receive SSL error.

### Environment

- APISIX version (run `apisix version`): `3.5.0`
- Operating system (run `uname -a`): `Linux apisix-75ff945bb6-v7mpv 4.18.0-305.95.1.el8_4.x86_64 #1 SMP Thu Jun 22 09:13:05 EDT 2023 x86_64 GNU/Linux` (Using openshift 4.10.6)
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): `nginx version: openresty/1.21.4.2`
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): irrelevant
- APISIX Dashboard version, if relevant: `3.0.0`
- Plugin runner version, for issues related to plugin runners: not sure this is relevant
- LuaRocks version, for installation issues (run `luarocks --version`): irrelevant
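
Added example, not part of the original issue and not APISIX code: the request field of the `apisix` pod log entry quoted in the issue begins `\x16\x03\x01`, a TLS handshake record header, so the entry records a ClientHello that was parsed as an HTTP request and answered with a 400. The Python below flags such entries in an access log; the function names are hypothetical and the sample lines are constructed (the first keeps only the leading bytes of the quoted entry).

```python
import re

# Constructed sample lines in the layout of the access-log entry quoted in the
# issue. The first keeps only the leading bytes of that entry's request field.
SAMPLE_LOG = [
    r'10.0.0.1 - - [05/Oct/2023:09:05:34 +0000] - '
    r'"\x16\x03\x01\x00{\x01\x00\x00w\x03\x03\xE5|\x96" 400 229 0.600 "-" "-" - - - "://"',
    r'10.0.0.2 - - [05/Oct/2023:09:06:10 +0000] host.example '
    r'"GET / HTTP/1.1" 200 12 0.002 "-" "curl/7.76.1" - - - "http://host.example"',
]

# The first quoted field is the request line; the status code follows it.
REQUEST_FIELD = re.compile(r'"([^"]*)" (\d{3}) ')
HEX_ESCAPE = re.compile(rb'\\x([0-9A-Fa-f]{2})')


def unescape_request(field: str) -> bytes:
    """Undo nginx access-log escaping (\\xHH) to recover the raw bytes."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]),
                          field.encode("latin-1"))


def tls_record_in_request(line: str):
    """Return TLS record details if the logged request is a TLS handshake, else None."""
    m = REQUEST_FIELD.search(line)
    if not m:
        return None
    raw = unescape_request(m.group(1))
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # minor version, then a 2-byte big-endian record length.
    if len(raw) < 6 or raw[0] != 0x16 or raw[1] != 0x03:
        return None
    return {
        "status": int(m.group(2)),
        "record_version": (raw[1], raw[2]),
        "record_length": int.from_bytes(raw[3:5], "big"),
        "client_hello": raw[5] == 0x01,  # handshake message type 1
    }


def flag_tls_on_plain_listener(lines):
    """Return (line_number, details) for entries that carry a TLS handshake."""
    checked = ((n, tls_record_in_request(line)) for n, line in enumerate(lines, 1))
    return [(n, d) for n, d in checked if d]


if __name__ == "__main__":
    for n, d in flag_tls_on_plain_listener(SAMPLE_LOG):
        print(f"line {n}: TLS handshake logged as HTTP request -> {d}")
```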