spacewander commented on issue #5155: URL: https://github.com/apache/apisix/issues/5155#issuecomment-929948164
We upgraded lua-resty-http in 2.10.0. Previously, it didn't send SNI and verify the common name part in the certificate: https://github.com/ledgetech/lua-resty-http/issues/236

This behavior is a bug and is fixed in the latest lua-resty-http.

You need to use `openssl x509 -text -noout -in your_domain_cert` and change the host in the etcd URI to the common name.

For example, assume:

```
$ openssl x509 -text -noout -in t/certs/etcd.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8d:cc:7a:ef:e0:25:54:cb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = blahblah
        Validity
            Not Before: Oct 28 03:33:02 2020 GMT
            Not After : Oct 28 03:33:02 2021 GMT
        Subject: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = etcd.cluster.local
```

You need to change:

```
etcd:
  host:
    - "https://192.168.27.11:2379"
```

to

```
etcd:
  host:
    - "https://etcd.cluster.local:2379"
```
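The check described in the comment above, as an added example that is not part of the original comment or of APISIX: it reads the Subject CN from `openssl x509 -text -noout` output and flags each HTTPS etcd host that does not match it. The function names are hypothetical, the certificate text is a constructed sample built from the Subject shown above, and only an exact CN match is checked (wildcards are not handled).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: trimmed `openssl x509 -text -noout` output using the
# Issuer and Subject lines quoted in the comment.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Issuer: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = blahblah
        Subject: C = CN, ST = Zhejiang, L = Hangzhou, O = test, OU = test, CN = etcd.cluster.local
        Subject Public Key Info:
"""

def subject_cn(openssl_text):
    """Return the Subject CN from the text dump, or None if there is none."""
    for line in openssl_text.splitlines():
        line = line.strip()
        if line.startswith("Subject:"):  # skips Issuer and "Subject Public Key Info"
            dn = line[len("Subject:"):].strip()
            # OpenSSL 1.1+ prints "CN = name"; older releases print "CN=name"
            # or "/CN=name". Anchoring on the separator avoids matching "C = CN".
            m = re.search(r"(?:^|[,/]\s*)CN\s*=\s*([^,/]+)", dn)
            return m.group(1).strip() if m else None
    return None

def check_etcd_hosts(hosts, cn):
    """Return (uri, matches_cn, suggested_uri) for each configured etcd URI."""
    results = []
    for uri in hosts:
        parts = urlsplit(uri)
        # Plain http has no certificate to verify, so it is reported as OK.
        ok = parts.scheme != "https" or (parts.hostname or "").lower() == cn.lower()
        port = f":{parts.port}" if parts.port else ""
        fixed = uri if ok else f"{parts.scheme}://{cn}{port}{parts.path}"
        results.append((uri, ok, fixed))
    return results

if __name__ == "__main__":
    cn = subject_cn(OPENSSL_TEXT)
    hosts = ["https://192.168.27.11:2379", "https://etcd.cluster.local:2379"]
    for uri, ok, fixed in check_etcd_hosts(hosts, cn):
        print(("OK       " if ok else "MISMATCH ") + uri + ("" if ok else " -> " + fixed))
```

The suggested host name still has to resolve to the etcd node from the machine running APISIX.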
