deepzz0 commented on issue #5650: URL: https://github.com/apache/apisix/issues/5650#issuecomment-986382468
> If so, the TLS handshaking should succeed, @deepzz0 Could you try to capture some TLS handshaking packages?

Now config:

Log:
```
2021/12/06 02:24:14 [warn] 49#49: *14344 [lua] v3.lua:647: request_chunk(): https://192.168.252.154:2379: certificate host mismatch. Retrying, context: ngx.timer
2021/12/06 02:24:14 [warn] 49#49: *14357 [lua] v3.lua:647: request_chunk(): https://192.168.252.154:2379: certificate host mismatch. Retrying, context: ngx.timer
2021/12/06 02:24:14 [warn] 49#49: *14319 [lua] health_check.lua:90: report_failure(): update endpoint: https://192.168.252.154:2379 to unhealthy, context: ngx.timer
2021/12/06 02:24:14 [warn] 49#49: *14319 [lua] v3.lua:647: request_chunk(): https://192.168.252.154:2379: certificate host mismatch. Retrying, context: ngx.timer
2021/12/06 02:24:14 [warn] 49#49: *14319 [lua] v3.lua:647: request_chunk(): has no healthy etcd endpoint available. Retrying, context: ngx.timer
2021/12/06 02:24:14 [error] 49#49: *14319 [lua] config_etcd.lua:563: no healthy etcd endpoint available, next retry after 64s, context: ngx.timer
2021/12/06 02:24:14 [warn] 49#49: *14344 [lua] v3.lua:647: request_chunk(): https://192.168.252.154:2379: certificate host mismatch. Retrying, context: ngx.timer
```

OpenSSL Handshake:
```
[root@k8s-master0 ~]# openssl s_client -host 192.168.252.154 -port 2379 -verify_ip 192.168.252.154 -CAfile /etc/kubernetes/ssl/ca.pem
CONNECTED(00000003)
depth=1 C = CN, ST = HangZhou, L = XS, O = k8s, OU = System, CN = kubernetes
verify return:1
depth=0 C = CN, ST = HangZhou, L = XS, O = k8s, OU = System, CN = etcd
verify return:1
140718298392464:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
140718298392464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=CN/ST=HangZhou/L=XS/O=k8s/OU=System/CN=etcd
   i:/C=CN/ST=HangZhou/L=XS/O=k8s/OU=System/CN=kubernetes
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIUBABLfsUNcRp+7uMwZCAArGw8aBowDQYJKoZIhvcNAQEL
BQAwYTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCEhhbmdaaG91MQswCQYDVQQHEwJY
UzEMMAoGA1UEChMDazhzMQ8wDQYDVQQLEwZTeXN0ZW0xEzARBgNVBAMTCmt1YmVy
bmV0ZXMwIBcNMjEwNDI3MDMxODAwWhgPMjA3MTA0MTUwMzE4MDBaMFsxCzAJBgNV
BAYTAkNOMREwDwYDVQQIEwhIYW5nWmhvdTELMAkGA1UEBxMCWFMxDDAKBgNVBAoT
A2s4czEPMA0GA1UECxMGU3lzdGVtMQ0wCwYDVQQDEwRldGNkMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0e5PUK0J7PNnvreEbg5ui9H1H+7NoJWAtSK8
wVp/+ESDoERur+VVA+6zRDtPuF4q/dEIYIsu2lvrDD7ROt8zXCixyPmHsr0ez9O+
AZ4iVJX47Y9USohQOWmuxaH1KuaNB5xKTt3ORHf2LTY+X8FTYaxziBMvGhhRi6VS
KzcPFM8g4ABosFXptGhAhQSSl2IXYaBe6IdVHiD26KEYZBI/wr5i+ZSI3I9fQSIm
Oa5pO/GjhwgKG3YYNoYPvEV0+DnZWqqt7bx9xyO+aAneEmMHYFZEgyJ7X+KFSTK5
ypAznfFkqyuHr3M4xLmixsy5WVYfAhJm/8JyeVzYG41A5r8puwIDAQABo4GjMIGg
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUv3bFYCUZyKwPkTK8fSws/qzcKtswHwYD
VR0jBBgwFoAUu27ktPy6PVEypELIfgjAmEabUvYwIQYDVR0RBBowGIcEwKj8mocE
wKj8q4cEwKj8vYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAMHv4GGyULdF7bs91
9kejDSFjI0a0od4Tk99UXAeovCVQq5yG5B/y00dbn+PKwpofRu+2UAhwnHpCVAWS
zFplf8Wjma2NJ0+C8HiZCGm2qBJBZr5ZTTzP395XhA8iPur6oVdTu9YG4ucRvtHx
zfK6q6VGF9MXSpC0DdYrKtFOxCI3NrC6VUYxsBPdpA2oJdL8bjdLNz5onjobzPum
FblN7O3O8NBaFK03WzS0iko4taKewnAs+L3nYWPb/Xwl55BAqXNevaA1V427s3G0
AFqMCPo+BFl2i3B1YKSEsKUTovuHrqpS8QmTXHiWzV3lPCoEyHW/yuLbJ3m91d5a
GQQWCA==
-----END CERTIFICATE-----
subject=/C=CN/ST=HangZhou/L=XS/O=k8s/OU=System/CN=etcd
issuer=/C=CN/ST=HangZhou/L=XS/O=k8s/OU=System/CN=kubernetes
---
Acceptable client certificate CA names
/C=CN/ST=HangZhou/L=XS/O=k8s/OU=System/CN=kubernetes
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA256:ECDSA+SHA256:RSA+SHA384:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1572 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: A3D512591F3CFFD01CA7DB451232941064E25C70A6191A54DBB4BD3D5AFE5B0E6E8E74747D4F665694FBECB39484A2B2
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1638757343
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
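The server certificate printed by `s_client` above is enough to see what a hostname check has to work with. The following is an added example (editor's code, not part of the thread and not the code that APISIX, lua-resty-etcd or OpenResty run): it decodes that exact certificate with a minimal DER walker, pulls out the subject CN and the subjectAltName entries, and then applies two simplified name-matching rules to the configured endpoint `192.168.252.154`. The two rule functions are my own models, labelled as assumptions in the code: one compares the host only against dNSName SANs (falling back to the CN), the other also accepts an IP-literal host that appears as an iPAddress SAN, which is what `openssl s_client -verify_ip` exercises. Only the Python standard library is used.

```python
import base64
import ipaddress

# The etcd server certificate exactly as printed by s_client in the comment above
# (subject CN=etcd, issuer CN=kubernetes).
ETCD_SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIID8DCCAtigAwIBAgIUBABLfsUNcRp+7uMwZCAArGw8aBowDQYJKoZIhvcNAQEL
BQAwYTELMAkGA1UEBhMCQ04xETAPBgNVBAgTCEhhbmdaaG91MQswCQYDVQQHEwJY
UzEMMAoGA1UEChMDazhzMQ8wDQYDVQQLEwZTeXN0ZW0xEzARBgNVBAMTCmt1YmVy
bmV0ZXMwIBcNMjEwNDI3MDMxODAwWhgPMjA3MTA0MTUwMzE4MDBaMFsxCzAJBgNV
BAYTAkNOMREwDwYDVQQIEwhIYW5nWmhvdTELMAkGA1UEBxMCWFMxDDAKBgNVBAoT
A2s4czEPMA0GA1UECxMGU3lzdGVtMQ0wCwYDVQQDEwRldGNkMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0e5PUK0J7PNnvreEbg5ui9H1H+7NoJWAtSK8
wVp/+ESDoERur+VVA+6zRDtPuF4q/dEIYIsu2lvrDD7ROt8zXCixyPmHsr0ez9O+
AZ4iVJX47Y9USohQOWmuxaH1KuaNB5xKTt3ORHf2LTY+X8FTYaxziBMvGhhRi6VS
KzcPFM8g4ABosFXptGhAhQSSl2IXYaBe6IdVHiD26KEYZBI/wr5i+ZSI3I9fQSIm
Oa5pO/GjhwgKG3YYNoYPvEV0+DnZWqqt7bx9xyO+aAneEmMHYFZEgyJ7X+KFSTK5
ypAznfFkqyuHr3M4xLmixsy5WVYfAhJm/8JyeVzYG41A5r8puwIDAQABo4GjMIGg
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
DAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUv3bFYCUZyKwPkTK8fSws/qzcKtswHwYD
VR0jBBgwFoAUu27ktPy6PVEypELIfgjAmEabUvYwIQYDVR0RBBowGIcEwKj8mocE
wKj8q4cEwKj8vYcEfwAAATANBgkqhkiG9w0BAQsFAAOCAQEAMHv4GGyULdF7bs91
9kejDSFjI0a0od4Tk99UXAeovCVQq5yG5B/y00dbn+PKwpofRu+2UAhwnHpCVAWS
zFplf8Wjma2NJ0+C8HiZCGm2qBJBZr5ZTTzP395XhA8iPur6oVdTu9YG4ucRvtHx
zfK6q6VGF9MXSpC0DdYrKtFOxCI3NrC6VUYxsBPdpA2oJdL8bjdLNz5onjobzPum
FblN7O3O8NBaFK03WzS0iko4taKewnAs+L3nYWPb/Xwl55BAqXNevaA1V427s3G0
AFqMCPo+BFl2i3B1YKSEsKUTovuHrqpS8QmTXHiWzV3lPCoEyHW/yuLbJ3m91d5a
GQQWCA==
-----END CERTIFICATE-----"""

OID_SUBJECT_ALT_NAME = bytes([0x55, 0x1D, 0x11])  # 2.5.29.17
OID_COMMON_NAME = bytes([0x55, 0x04, 0x03])       # 2.5.4.3


def _tlv(buf, pos):
    """Decode the DER tag/length at buf[pos]; return (tag, value_start, value_end).
    Single-byte tags only, which is all an X.509 certificate uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV packed in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, vstart, vend
        pos = vend


def pem_to_der(pem):
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def _tbs_fields(der):
    _, cert_start, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # TBSCertificate SEQUENCE
    return list(_children(der, tbs_start, tbs_end))


def subject_common_name(der):
    fields = _tbs_fields(der)
    # [0] version is optional: subject is the 6th TBS field when present, 5th otherwise.
    _, subj_start, subj_end = fields[5] if fields[0][0] == 0xA0 else fields[4]
    for _, rdn_start, rdn_end in _children(der, subj_start, subj_end):     # SET OF
        for _, atv_start, atv_end in _children(der, rdn_start, rdn_end):   # SEQUENCE {OID, value}
            oid, val = list(_children(der, atv_start, atv_end))
            if der[oid[1]:oid[2]] == OID_COMMON_NAME:
                return der[val[1]:val[2]].decode("utf-8")
    return None


def subject_alt_names(der):
    """Return (dns_names, ip_addresses) listed in the subjectAltName extension."""
    dns, ips = [], []
    for tag, ext_wrap_start, _ in _tbs_fields(der):
        if tag != 0xA3:                             # [3] EXPLICIT Extensions
            continue
        _, exts_start, exts_end = _tlv(der, ext_wrap_start)           # SEQUENCE OF Extension
        for _, ext_start, ext_end in _children(der, exts_start, exts_end):
            parts = list(_children(der, ext_start, ext_end))          # OID, [critical], OCTET STRING
            if der[parts[0][1]:parts[0][2]] != OID_SUBJECT_ALT_NAME:
                continue
            _, names_start, names_end = _tlv(der, parts[-1][1])       # GeneralNames SEQUENCE
            for ntag, nstart, nend in _children(der, names_start, names_end):
                if ntag == 0x82:                    # dNSName, IA5String
                    dns.append(der[nstart:nend].decode("ascii"))
                elif ntag == 0x87:                  # iPAddress, 4 or 16 raw octets
                    ips.append(str(ipaddress.ip_address(der[nstart:nend])))
    return dns, ips


def dns_name_check(host, cn, dns_names):
    """ASSUMPTION: a simplified model, not lua-resty-etcd/OpenResty code. Compares the
    configured host only with dNSName SANs, falling back to the CN when the certificate
    carries no dNSName at all. Wildcards are deliberately not handled."""
    host = host.lower()
    return host in [d.lower() for d in dns_names] or (not dns_names and host == (cn or "").lower())


def ip_aware_check(host, cn, dns_names, ip_sans):
    """ASSUMPTION: the same rule, except that an IP-literal host must match an iPAddress
    SAN, which is what `openssl s_client -verify_ip` checks."""
    try:
        return str(ipaddress.ip_address(host)) in ip_sans
    except ValueError:                              # not an IP literal: fall back to names
        return dns_name_check(host, cn, dns_names)


def diagnose(pem, host):
    """Summarise what each rule decides for `host` against the certificate in `pem`."""
    der = pem_to_der(pem)
    cn = subject_common_name(der)
    dns_names, ip_sans = subject_alt_names(der)
    return {"cn": cn, "dns_sans": dns_names, "ip_sans": ip_sans,
            "dns_only_check": dns_name_check(host, cn, dns_names),
            "ip_aware_check": ip_aware_check(host, cn, dns_names, ip_sans)}
```

`diagnose(ETCD_SERVER_CERT_PEM, "192.168.252.154")` reports CN `etcd`, no dNSName entries, and four iPAddress entries (192.168.252.154, 192.168.252.171, 192.168.252.189 and 127.0.0.1); the IP-aware rule accepts the endpoint while the dNSName-only rule rejects it. That is consistent with the two observations in the post: `-verify_ip` ends with `Verify return code: 0 (ok)`, while a client that matches the configured host against DNS names and CN only has nothing to match against. The `bad certificate` alert 42 is a separate matter that this check does not cover: `s_client` was run without a client certificate, the server lists `Acceptable client certificate CA names`, and an alert reported by `ssl3_read_bytes` is one received from the peer after local verification had already passed.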
