tzssangglass opened a new issue #4773:
URL: https://github.com/apache/apisix/issues/4773


   ### Issue description
   
   I used the test case below and wanted to test:
   
   - mtls connection between apisix and etcd
   - apisix watch etcd in ngx.timer
   
   ```
   use t::APISIX;
   
   my $out = eval { `resty -e "local s=ngx.socket.tcp();print(s.tlshandshake)"` };
   
   if ($out !~ m/function:/) {
       plan(skip_all => "tlshandshake not patched");
   } else {
       plan('no_plan');
   }
   
   
   add_block_preprocessor(sub {
       my ($block) = @_;
   
       if (!$block->no_error_log && !$block->error_log) {
           $block->set_value("no_error_log", "[error]\n[alert]");
       }
   });
   
   run_tests;
   
   __DATA__
   
   === TEST 1: etcd mtls handshake in ngx.timer
   --- yaml_config
   apisix:
     ssl:
       ssl_trusted_certificate: t/certs/mtls_ca.crt
   etcd:
     host:
       - "https://127.0.0.1:22379"
     prefix: "/apisix"
     timeout: 3
     tls:
       cert: t/certs/mtls_client.crt
       key: t/certs/mtls_client.key
   --- config
       location /t {
           content_by_lua_block {
               ngx.exit(200)
           }
       }
   --- request
   GET /t
   --- wait: 5
   --- timeout: 8
   --- no_error_log
   [error]
   --- error_log eval
   qr/cancel watch connection success/
   
   ```
   
   but I get this error:
   
   ```
   unable to get local issuer certificate. Retrying, context: ngx.timer
   ```
   
   Then I added 
   
   ```
       lua_ssl_trusted_certificate /usr/local/apisix/t/certs/mtls_ca.crt;
       lua_ssl_verify_depth 5;
   ```
   
   to `APISIX.pm` under the `http` block, then it works well.
   
   I think `APISIX.pm` is missing the `lua_ssl_trusted_certificate` and `lua_ssl_verify_depth` settings.
   
   ### Environment
   
   Request help without environment information will be ignored or closed.
   
   * apisix version (cmd: `apisix version`): master
   * OS (cmd: `uname -a`): 5.12.8-200.fc33.aarch64
   * OpenResty / Nginx version (cmd: `nginx -V` or `openresty -V`):
   
   ```
   nginx version: openresty/1.19.3.2
   built by gcc 10.3.1 20210422 (Red Hat 10.3.1-1) (GCC) 
   built with OpenSSL 1.1.1k  25 Mar 2021
   TLS SNI support enabled
   ……
   ```
   
   * etcd version, if have (cmd: run `curl http://127.0.0.1:9090/v1/server_info` to get the info from server-info API):
   * apisix-dashboard version, if have:
   * luarocks version, if the issue is about installation (cmd: `luarocks --version`):
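
The error reported in the issue can be reproduced outside nginx with the `openssl` CLI. This is an added example, not part of the issue or of APISIX's test suite: it builds a constructed throwaway CA and leaf certificate (all names hypothetical), then verifies the leaf first without and then with the CA as trust anchor, the role `lua_ssl_trusted_certificate` plays for cosocket handshakes.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and a leaf certificate signed by it.
# All file names and subjects are hypothetical, not APISIX test fixtures.

make_demo_pki() {
    dir=$1
    # Self-signed CA, playing the role of the CA that issued etcd's certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    # Leaf key and CSR, playing the role of the etcd server certificate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-etcd" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1 || return 1
    # Sign the leaf with the demo CA.
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/leaf.crt" >/dev/null 2>&1 || return 1
}

# The verifier has no copy of the demo CA (it is in no system store),
# like a cosocket running without lua_ssl_trusted_certificate.
verify_without_ca() {
    openssl verify "$1/leaf.crt" 2>&1 || true
}

# The demo CA is supplied as the trust anchor.
verify_with_ca() {
    openssl verify -CAfile "$1/ca.crt" "$1/leaf.crt" 2>&1 || true
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir" || { echo "openssl could not build the demo PKI" >&2; exit 1; }
echo "without CA: $(verify_without_ca "$demo_dir")"
echo "with CA:    $(verify_with_ca "$demo_dir")"
```

The first call reports `unable to get local issuer certificate`, the same verification error as in the log line above; the second reports the leaf as `OK`.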
   

