liyin37 commented on issue #3037: URL: https://github.com/apache/apisix/issues/3037#issuecomment-746053486
@spacewander thanks, the SSL certificate is gisuni.dev. I use the domain to curl it:

```
curl "https://gisuni.dev:9443/apisix/admin/services/" -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1'
```

The error.log is below:

```
2020/12/16 10:25:39 [error] 52#52: *22348 [lua] radixtree_sni.lua:219: match_and_set(): failed to find any SSL certificate by SNI: gisuni.dev, context: ssl_certificate_by_lua*, client: 192.168.198.124, server: 0.0.0.0:9443
2020/12/16 10:26:03 [error] 52#52: *25329 [lua] radixtree_sni.lua:219: match_and_set(): failed to find any SSL certificate by SNI: gisuni.dev, context: ssl_certificate_by_lua*, client: 192.168.198.124, server: 0.0.0.0:9443
2020/12/16 10:26:04 [error] 53#53: *25429 [lua] radixtree_sni.lua:219: match_and_set(): failed to find any SSL certificate by SNI: gisuni.dev, context: ssl_certificate_by_lua*, client: 192.168.198.124, server: 0.0.0.0:9443
```

I have commented out the `# key_encrypt_salt: "edd1c9f0985e76a2"` in config.yaml, the new config.yaml is:

```yaml
apisix:
  node_listen: 9080              # APISIX listening port
  enable_ipv6: false

  allow_admin:                   # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 0.0.0.0/0                  # We need to restrict ip access rules for security. 0.0.0.0/0 is for test.

  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin                # admin: manage all configuration data
                                 # viewer: only can view configuration data
    - name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer

  router:
    http: 'radixtree_uri'        # radixtree_uri: match route by uri(base on radixtree)
                                 # radixtree_host_uri: match route by host + uri(base on radixtree)
    ssl: 'radixtree_sni'         # radixtree_sni: match route by SNI(base on radixtree)

  ssl:
    enable: true                 # ssl is disabled by default
                                 # enable it to use your own cert and key
    enable_http2: true
    listen_port: 9443
    # ssl_trusted_certificate: /usr/local/apisix/conf/cert/ca.pem  # Specifies a file path with trusted CA certificates in the PEM format
                                 # used to verify the certificate when APISIX needs to do SSL/TLS handshaking
                                 # with external services (e.g. etcd)
    ssl_cert: /usr/local/apisix/conf/cert/server.pem
    ssl_cert_key: /usr/local/apisix/conf/cert/server.key
    ssl_protocols: "TLSv1.2 TLSv1.3"
    ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
    ssl_session_tickets: false   # disable ssl_session_tickets by default for 'ssl_session_tickets' would make Perfect Forward Secrecy useless.
                                 # ref: https://github.com/mozilla/server-side-tls/issues/135
    # key_encrypt_salt: "edd1c9f0985e76a2"  # If not set, will save origin ssl key into etcd.
                                 # If set this, must be a string of length 16. And it will encrypt ssl key with AES-128-CBC
                                 # !!! So do not change it after saving your ssl, it can't decrypt the ssl keys have be saved if you change !!

etcd:
  host:                          # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
    - "http://0.0.0.0:2379"      # multiple etcd address
  prefix: "/apisix"              # apisix configurations prefix
  timeout: 30                    # 30 seconds
```

The certificate is an nginx file.