bzp2010 opened a new issue, #10886:
URL: https://github.com/apache/apisix/issues/10886
### Current Behavior
The `ssl` object definition in the `apisix/schema_def.lua` file mentions
that it allows for input in the form of `sni`, `cert`, `key`, `snis`, `certs`,
`keys`, i.e. it allows for multiple SNIs to be configured for a single SSL
object, and supports multiple certificate pairs.
In the following logic flow it is written:
```
["if"] = {
    properties = {
        type = {
            enum = {"server"},
        },
    },
},
["then"] = {
    oneOf = {
        {required = {"sni", "key", "cert"}},
        {required = {"snis", "key", "cert"}}
    }
},
["else"] = {required = {"key", "cert"}},
```
This means that I can't pass the schema check with `certs` and `keys` configured
anyway. So what is the point of `certs` and `keys`?
I think this is a significant bug. And it's been around for 20 months
[#7221].
----------
Further, even if I manually change it to `certs` and `keys`, it doesn't
configure properly and more bugs are happening.
Even if there are no bugs sent, there is a logical error in the schema; why
`snis`, `certs`, `keys` must exist at the same time is absurd.
A possible option is to allow oneOf:
```
sni + cert + key
snis + cert + key
sni + certs + keys
snis + certs + keys
```
By the way, I don't think this has anything to do with the GM plugin, which
implements [#8389] after the bug.
### Expected Behavior
Allows multiple certificates to be properly configured on a single SSL
object via the APISIX Admin API.
### Error Logs
_No response_
### Steps to Reproduce
1. Use the following cmd:
```
curl --location --request PUT '127.0.0.1:9181/apisix/admin/ssls/1' \
  --header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
  --header 'Content-Type: application/json' \
  --data '{
    "snis": [
      "xxx.com"
    ],
    "certs": [
      "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ],
    "keys": [
      "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
    ],
    "status": 1
  }'
```
2. Receive response like:
```
{"error_msg":"invalid configuration: then clause did not match"}
```
### Environment
- APISIX version (run `apisix version`): 3.8.0
- Operating system (run `uname -a`): not related
- OpenResty / Nginx version (run `openresty -V` or `nginx -V`): not related
- etcd version, if relevant (run `curl http://127.0.0.1:9090/v1/server_info`): not related
- APISIX Dashboard version, if relevant: not related
- Plugin runner version, for issues related to plugin runners: not related
- LuaRocks version, for installation issues (run `luarocks --version`): not related
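An added example, not part of the issue and not APISIX code: a minimal Python evaluator for only the keywords in the quoted excerpt, run against the reproduction body and against the four combinations the issue proposes. `PROPOSED`, the helper names and the request bodies are constructed for illustration; the run also shows that `oneOf` is exclusive, so a body carrying both `cert`/`key` and `certs`/`keys` matches two of the proposed branches and is rejected.

```python
# Added example, not APISIX code: evaluates only the JSON Schema keywords
# that appear in the excerpt quoted in the issue.
def matches(schema, obj):
    if any(k not in obj for k in schema.get("required", [])):
        return False
    for name, sub in schema.get("properties", {}).items():
        # "properties" constrains a key only when it is present, so a body
        # without "type" still satisfies the "if" and lands in "then".
        if name in obj and "enum" in sub and obj[name] not in sub["enum"]:
            return False
    if "oneOf" in schema:
        # oneOf is exclusive: exactly one branch must match.
        if sum(matches(s, obj) for s in schema["oneOf"]) != 1:
            return False
    if "if" in schema:
        branch = "then" if matches(schema["if"], obj) else "else"
        if branch in schema and not matches(schema[branch], obj):
            return False
    return True

def req(*names):
    return {"required": list(names)}

IF_SERVER = {"properties": {"type": {"enum": ["server"]}}}
ELSE = req("key", "cert")

# The excerpt as quoted in the issue.
CURRENT = {"if": IF_SERVER, "else": ELSE, "then": {"oneOf": [
    req("sni", "key", "cert"), req("snis", "key", "cert")]}}

# Assumption: the four combinations proposed in the issue, as oneOf branches.
PROPOSED = {"if": IF_SERVER, "else": ELSE, "then": {"oneOf": [
    req("sni", "cert", "key"), req("snis", "cert", "key"),
    req("sni", "certs", "keys"), req("snis", "certs", "keys")]}}

# Constructed request bodies; "PEM" stands in for real certificate/key data.
REPRO = {"snis": ["xxx.com"], "certs": ["PEM"], "keys": ["PEM"], "status": 1}
SINGLE = {"sni": "xxx.com", "cert": "PEM", "key": "PEM"}
BOTH = {"snis": ["xxx.com"], "cert": "PEM", "key": "PEM",
        "certs": ["PEM"], "keys": ["PEM"]}

def report():
    bodies = {"repro": REPRO, "single": SINGLE, "both": BOTH}
    return {(s, b): matches(schema, body)
            for s, schema in (("current", CURRENT), ("proposed", PROPOSED))
            for b, body in bodies.items()}

if __name__ == "__main__":
    for key, ok in report().items():
        print(key, "accepted" if ok else "rejected")
```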