MirtoBusico opened a new issue #235: URL: https://github.com/apache/apisix-helm-chart/issues/235
Hi all, I'm trying to set up the **authz-keycloak** plugin. My keycloak server replies at **https://k6k.m01.net** and it has a key and certificate signed by my private Certification Authority. Trying to access the keycloak server from the apisix pod I receive an "unable to get local issuer certificate" error:

```
bash-5.1# curl -v https://k6k.m01.net
*   Trying 192.168.102.120:443...
* Connected to k6k.m01.net (192.168.102.120) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
bash-5.1#
```

If I understand correctly, I have to set up the CA certificate in the tls section of gateway:

```
tls:
  enabled: true
  servicePort: 443
  containerPort: 9443
  existingCASecret: ""
  certCAFilename: ""
  http2:
    enabled: true
```

Questions:

1) Does the certificate have to be inserted in **existingCASecret** or in **certCAFilename**? (In the latter case, where must the file reside relative to the helm chart?)
2) Does the existingCASecret string require a particular format? Is the example below valid?
```
tls:
  enabled: true
  servicePort: 443
  containerPort: 9443
  existingCASecret: ""
  certCAFilename: "-----BEGIN CERTIFICATE-----
MIIEDTCCAvWgAwIBAgIUfUAyqeAGoxCGB6V/5qxOS/ZczrEwDQYJKoZIhvcNAQEL
BQAwgZUxCzAJBgNVBAYTAklUMQ4wDAYDVQQIDAVJdGFseTENMAsGA1UEBwwEUm9t
ZTEVMBMGA1UECgwMQnVzaWNvIE1pcnRvMRMwEQYDVQQLDApMYWJvcmF0b3J5MRUw
EwYDVQQDDAxCdXNpY28gTWlydG8xJDAiBgkqhkiG9w0BCQEWFW1pcnRvYnVzaWNv
QGdtYWlsLmNvbTAeFw0yMjAxMTcxNzQ2MDZaFw0zMjAxMTUxNzQ2MDZaMIGVMQsw
CQYDVQQGEwJJVDEOMAwGA1UECAwFSXRhbHkxDTALBgNVBAcMBFJvbWUxFTATBgNV
BAoMDEJ1c2ljbyBNaXJ0bzETMBEGA1UECwwKTGFib3JhdG9yeTEVMBMGA1UEAwwM
QnVzaWNvIE1pcnRvMSQwIgYJKoZIhvcNAQkBFhVtaXJ0b2J1c2ljb0BnbWFpbC5j
b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC7T89OolDaC7YprD0l
3q20y0cchShqovk8Nzo12prDX8CCGxv6zexaHYVKk6qFfSGJJcgHcuxLIHvnflVH
Ugx9/LWOxaVz6N0i7z8hjnzxyMb2CXaTOpsbp0CdLeoEHjoZlESzAg6blIL4szPn
O2VpWfA10qTGWLC0z/QvcPENOVw3NLBZNJWbCl+WmcsCi+ttyzmSdMDS2ANnk6z0
mTqnFVtiCiRYQCXq0A5dr//Jva2q/h0sGoKHSV9Yt/StMB79uRVCGSpiCJAhalh1
8Zs+O9CPnkk+E2jnKn4jgI8FAY0Cii61nn15+/6BrHMu9h6/SO4oKj8i9UXPyodf
NW+3AgMBAAGjUzBRMB0GA1UdDgQWBBSCmgdUoJ6HXR5wMoX47koWO5HNnzAfBgNV
HSMEGDAWgBSCmgdUoJ6HXR5wMoX47koWO5HNnzAPBgNVHRMBAf8EBTADAQH/MA0G
CSqGSIb3DQEBCwUAA4IBAQBgZsZV87/e/8YauGLLGAen857V+NNvl1fMNPAF58O/
NG+iepahWxBJ5miEyMA6BH8ARUa1Q1fah8HC+/Q1dXEj17+h6d4QFS6PWBKp0a2N
MSnq0L4FYMnrUrhYxxyt4buNXDuYvaDit7lchKeHBJLBu/NBXH8WhMo/9g0Fg7YD
NRv6xg7wvYJf7YIc3RIg5bjklXKpdcvCZjuF8KVqv70x4eQx2m2zcf4CibvZKDFG
g/HY3btrW7fvhz9Ytj5w+SoCVLe3OKR0+koIyoGqsmiej9U4dbPTqVdsl3+XyfUF
oTpClYSDqa/kfmlT1o9FXpScRTQMOuHBiMYvEFiDBUGY
-----END CERTIFICATE-----"
  http2:
    enabled: true
```
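An added shell example (not from the issue author or the apisix-helm-chart project) showing how the private CA could be carried as a Kubernetes Secret and referenced from the `gateway.tls` values instead of pasting PEM into a values string. It assumes, without confirmation from the issue text, that `existingCASecret` names a Secret holding the CA certificate and `certCAFilename` is the key (file name) of that certificate inside the Secret; the secret name `apisix-ca` and key `ca.crt` are placeholders, and the PEM body is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example; assumptions about existingCASecret / certCAFilename
# semantics should be checked against the chart's values.yaml.

# pem_is_cert FILE: succeed only if FILE holds a PEM CERTIFICATE block.
# The curl error above means the issuer CA is missing from the trust
# store; a key or CSR pasted by mistake would not fix that.
pem_is_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# ca_secret_manifest SECRET_NAME KEY_NAME FILE: print a Secret manifest
# whose data key KEY_NAME holds the base64 of FILE (what
# "kubectl create secret generic --from-file" would build), so the
# object can be reviewed before it is applied.
ca_secret_manifest() {
    name=$1; key=$2; file=$3
    pem_is_cert "$file" || { echo "$file: no PEM certificate block" >&2; return 1; }
    b64=$(base64 < "$file" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n  %s: %s\n' \
        "$name" "$key" "$b64"
}

# helm_tls_values SECRET_NAME KEY_NAME: the gateway.tls fragment from the
# issue, pointing at the Secret rather than embedding the PEM.
helm_tls_values() {
    printf 'gateway:\n  tls:\n    enabled: true\n    servicePort: 443\n    containerPort: 9443\n    existingCASecret: "%s"\n    certCAFilename: "%s"\n' \
        "$1" "$2"
}

# Constructed sample input: a placeholder PEM, not a real certificate.
CA_FILE=$(mktemp)
printf -- '-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n' > "$CA_FILE"

ca_secret_manifest apisix-ca ca.crt "$CA_FILE"
helm_tls_values apisix-ca ca.crt
```

The Secret should contain only the CA certificate (public), never the CA private key; the resulting `ca.crt` is what APISIX needs to verify the Keycloak server chain.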
