foreveryang321 commented on issue #5125: URL: https://github.com/apache/apisix/issues/5125#issuecomment-926260631
> @foreveryang321 There should be some other logs which are related to the SSL handshaking; you may try to check them out. Also, be sure you're using the APISIX OpenResty, since the mTLS support relies on it.

> nginx/openresty version

Built according to [https://github.com/api7/apisix-build-tools/blob/master/build-apisix-openresty.sh](https://github.com/api7/apisix-build-tools/blob/master/build-apisix-openresty.sh)

```txt
nginx version: openresty/1.19.3.2
built by gcc 10.2.1 20201203 (Alpine 10.2.1_pre1)
built with OpenSSL 1.1.1l  24 Aug 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DAPISIX_OPENRESTY_VER=0.0.0' --add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.32 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.08 --add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.19 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.33 --add-module=../array-var-nginx-module-0.05 --add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.7 --add-module=../ngx_stream_lua-0.0.9 --with-ld-opt=-Wl,-rpath,/usr/local/openresty/luajit/lib --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../mod_dubbo --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../ngx_multi_upstream_module --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../apisix-nginx-module --add-module=/tmp/tmp.MlGEBG/openresty-1.19.3.2/../lua-var-nginx-module --with-poll_module --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat --with-stream --with-http_ssl_module
```

> Logs

```txt
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.1:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.1:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 46#46: *972324 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.2:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.2:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] health_check.lua:63: report_failure(): update endpoint: https://192.168.11.3:2379 to unhealthy, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): https://192.168.11.3:2379: 20: unable to get local issuer certificate. Retrying, context: ngx.timer
2021/09/23 16:38:37 [warn] 49#49: *964289 stream [lua] v3.lua:631: request_chunk(): has no healthy etcd endpoint available. Retrying, context: ngx.timer
2021/09/23 16:38:37 [error] 49#49: *964289 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 2s, context: ngx.timer
2021/09/23 16:38:37 [error] 43#43: *960186 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:38 [error] 45#45: *962215 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
2021/09/23 16:38:39 [error] 46#46: *970612 stream [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 32s, context: ngx.timer
```

If I comment out the stream_proxy section of the configuration, APISIX can connect to etcd normally.

```yaml
apisix:
  id: "yl-mac"
  node_listen: 9080
  enable_ipv6: false

  allow_admin:                  # http://nginx.org/en/docs/http/ngx_http_access_module.html#allow
    - 0.0.0.0/0
  admin_key:
    - name: "admin"
      key: edd1c9f034335f136f87ad84b625c8f1
      role: admin
    - name: "viewer"
      key: 4054f7cf07e344346cd3f287985e76a2
      role: viewer
  ssl:
    ssl_trusted_certificate: /usr/local/apisix/ssl/etcd-ca.pem
#  stream_proxy:
#    only: false
#    tcp:
#      - addr: 9200
#        tls: true

etcd:
  host:
    # - "http://etcd:2379"
    - "https://192.168.11.1:2379"
    - "https://192.168.11.2:2379"
    - "https://192.168.11.3:2379"
  prefix: "/apisix"
  timeout: 30
  tls:
    cert: /usr/local/apisix/ssl/etcd.pem
    key: /usr/local/apisix/ssl/etcd-key.pem
    verify: true
```

> docker-compose.yml

```yaml
version: "3.8"

services:
  apisix:
    image: apache/apisix:2.9-alpine
    container_name: apisix
    hostname: apisix
    ports:
      - "9080:9080"
      - "9443:9443"
      - "9200:9200"
    volumes:
      - ./conf/config.yaml/:/usr/local/apisix/conf/config.yaml
      - ./ssl:/usr/local/apisix/ssl
      - ./logs:/usr/local/apisix/logs
    environment:
      - "TZ=Asia/Shanghai"
    restart: always
```
