ZygfrydDeLowe opened a new issue, #10656:
URL: https://github.com/apache/apisix/issues/10656

   ### Description
   
   Hi,
   I'm trying to set up mTLS between etcd and APISIX. I've been following the advice given in the docs:
   
   https://docs.api7.ai/apisix/production/security/mtls/configure-mtls-between-apisix-and-etcd
   https://apisix.apache.org/docs/apisix/mtls/#etcd-with-mtls
   and finally trying the information provided in the blog post about setting up mTLS:
   https://apisix.apache.org/blog/2023/03/23/mtls-everywhere/
   
   I'm able to start etcd and perform a handshake using the following curl:
   ```
   curl -ikv --resolve "ETCD:2379:127.0.0.1" "https://ETCD:2379/version" \
     --cert etcd_client.crt --key etcd_client.key
   ```
   
   But when I start APISIX, I get the following error:
   
   > request etcd endpoint 'https://etcd:2379/version' error, certificate verify failed
   > all etcd nodes are unavailable
   > /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua init
   > /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua init_etcd
   > Warning! Request etcd endpoint 'https://etcd:2379/version' error, certificate verify failed, retry time=1
   > Warning! Request etcd endpoint 'https://etcd:2379/version' error, certificate verify failed, retry time=2
   > /usr/local/openresty//luajit/bin/luajit ./apisix/cli/apisix.lua init
   
   This is my etcd setup in the docker-compose file:
   ```
     etcd:
       image: bitnami/etcd:3.5.9
       restart: always
       env_file:
         - .env
       volumes:
         - ./api_config/apisix_conf/certs/etcd:/opt/bitnami/etcd/certs
         - etcd_data:/bitnami/etcd
       environment:
         ETCD_ENABLE_V2: "true"
         ALLOW_NONE_AUTHENTICATION: "yes"
         ETCD_ADVERTISE_CLIENT_URLS: "https://etcd:2379"
         ETCD_LISTEN_CLIENT_URLS: "https://0.0.0.0:2379"
         ETCD_CLIENT_CERT_AUTH: "true"
         ETCD_CERT_FILE: "/opt/bitnami/etcd/certs/etcd.crt"
         ETCD_KEY_FILE: "/opt/bitnami/etcd/certs/etcd.key"
         ETCD_TRUSTED_CA_FILE: "/opt/bitnami/etcd/certs/ca.crt"
       ports:
         - "2379:2379/tcp"
       networks:
         host:
         apisix:
   ```
   This is the apisix setup from the docker-compose file:
   ```
     apisix:
       image: apache/apisix:3.7.0-debian
       restart: always
       env_file:
         - .env
       volumes:
         - ./api_config/apisix_conf/certs/apisix:/usr/local/apisix/certs
         - ./apisix_log:/usr/local/apisix/logs
         - ./api_config/apisix_conf/config.yaml:/usr/local/apisix/conf/config.yaml:ro
       depends_on:
         - etcd
       healthcheck:
         test: curl --fail 'http://localhost:9091/apisix/prometheus/metrics' || exit 1
         start_period: 20s
   #      start_interval: 2s
         retries: 3
         timeout: 2s
       ##network_mode: host
       ports:
         - "9080:9080/tcp" #routing port
         - "9091:9091/tcp" #prometheus port /apisix/prometheus/metrics
         - "9180:9180/tcp" #admin port
         - "9443:9443/tcp"
         - "9092:9092/tcp" #control port
       environment:
         AUTH: '{"participant":"participant-key", "bcgw":"bcgw-key"}'
       networks:
         - host
         - apisix
         - shared
   ```
    
   And this is the apisix config.yaml:
   ```
   apisix:
     node_listen: 9080              # APISIX listening port
     enable_ipv6: false
   
     enable_control: true
     control:
       ip: "0.0.0.0"
       port: 9092
   
     allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
       - 0.0.0.0/0                 # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
       -
     ssl:
       enable: true
       ssl_trusted_certificate: /usr/local/apisix/certs/ca.crt   # path of CA certificate used by the etcd server
   
   deployment:
     role: traditional
     role_traditional:
       config_provider: etcd
     admin:
       allow_admin:                # https://nginx.org/en/docs/http/ngx_http_access_module.html#allow
         - 0.0.0.0/0               # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.
   
     etcd:
       host:                           # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
         - "https://etcd:2379"         # multiple etcd address
       prefix: "/apisix"               # apisix configurations prefix
       timeout: 30                     # 30 seconds
       tls:
         cert: /usr/local/apisix/certs/client.crt      # path of certificate used by the etcd client
         key: /usr/local/apisix/certs/client.key       # path of key used by the etcd client
         verify: true
   ```
   
   I've been using multiple approaches to create secrets, both with Vault PKI and using openssl in the manner described in the docs, but I'm still getting the same verification error. Is there anything I'm missing in the config file?
   When creating the certificates, must the common name be identical to the etcd host specified in the YAML?
   Is the `prefix: "/apisix"` necessary for that configuration?
   
   ### Environment
   
   - APISIX version: apache/apisix:3.7.0-debian (but I've tried running it on 3.6 and 3.2 with similar results)
   - Operating system: Win 10
   - etcd version: 3.5.9 (but I've tried 3.5.7 also)
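
Added illustration, not code from APISIX, etcd or the reporter: it uses Go's standard `crypto/x509` package to mint a throwaway CA and leaf certificates in memory and run the two checks a verifying TLS peer performs, chaining to the trusted CA and matching the connected host name against the certificate's SAN entries, which is what a "certificate verify failed" summarises. It shows Go's verifier, which ignores the Common Name entirely (Go 1.15 and later); other TLS stacks may still fall back to CN when no SAN is present, so a SAN that matches the host in the etcd URL is the portable rule. The names `MakeCert`, `Verify`, the host `etcd` and the CN `apisix` are chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// MakeCert mints a P-256 certificate for cn carrying the given DNS SANs (constructed test
// material). With parent == nil it is a self-signed CA; otherwise parent/parentKey sign it.
func MakeCert(cn string, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn}, // CN alone is not a host name for Go's verifier
		DNSNames:              sans,                      // SAN entries are what the host check matches
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // a CA must be allowed to sign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Verify runs what a TLS peer with verification enabled does: cert must chain to ca and be valid
// for usage; when host is non-empty (APISIX checking etcd) it must also appear in cert's SANs.
// etcd checking a presented client certificate corresponds to host == "".
func Verify(cert, ca *x509.Certificate, host string, usage x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, KeyUsages: []x509.ExtKeyUsage{usage}})
	return err
}
```

`Verify(server, ca, "etcd", x509.ExtKeyUsageServerAuth)` returns nil for a certificate whose SAN lists `etcd`, while a certificate that carries the name only in its CN, or one signed by a different CA, returns a non-nil error.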
   
   

