MirtoBusico commented on issue #235:
URL: 
https://github.com/apache/apisix-helm-chart/issues/235#issuecomment-1049995055


   Hi @tokers, you are right.
   As I said in previous comments, I created my own CA and signed my certificates with this CA.
   My working configuration is obtained by doing the following.
   
   I create a secret with my own CA certificate:
   ```
   sysop@m01serv:~/m01certs$ cd ~/m01certs
   sysop@m01serv:~/m01certs$ ls -lh m01ca.*
   -rw-r--r-- 1 root root 1,7K gen 17 18:43 m01ca.key
   -rw-r--r-- 1 root root 1,5K gen 17 18:46 m01ca.pem
   -rw-r--r-- 1 root root   41 feb 11 14:01 m01ca.srl
   sysop@m01serv:~/m01certs$ kubectl -n apisix create secret generic m01cacert --from-file=cert=./m01ca.pem
   secret/m01cacert created
   sysop@m01serv:~/m01certs$ kubectl describe secret m01cacert -n apisix
   Name:         m01cacert
   Namespace:    apisix
   Labels:       <none>
   Annotations:  <none>
   
   Type:  Opaque
   
   Data
   ====
   cert:  1464 bytes
   sysop@m01serv:~/m01certs$ 
   ```
   Then I put these lines in the apisix chart values.yaml:
   ```
     tls:
       enabled: true
       servicePort: 443
       containerPort: 9443
       existingCASecret: "m01cacert"
       certCAFilename: "cert"
       http2:
         enabled: true
   ```
   and installed apisix with:
   ```
   kubectl create ns apisix
   kubectl label namespace apisix istio-injection=enabled
   helm install apisix apisix/apisix -f apisix-values.yaml \
   --set ingress-controller.config.apisix.serviceNamespace=apisix \
   --set ingress-controller.config.apisix.serviceName=apisix-admin \
   --namespace apisix
   ```
   Strangely, the curl command issued from the apisix pod still fails with the previous error, but the apisix openid-connect plugin that accesses the URL used in the curl command works correctly.
   
   I don't know if this is the correct behaviour.
   
   The curl command and its error:
   ```
   bash-5.1# curl -v https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration
   *   Trying 192.168.102.120:443...
   * Connected to k6k.m01.net (192.168.102.120) port 443 (#0)
   * ALPN, offering h2
   * ALPN, offering http/1.1
   * successfully set certificate verify locations:
   *  CAfile: /etc/ssl/certs/ca-certificates.crt
   *  CApath: none
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   * TLSv1.3 (IN), TLS handshake, Server hello (2):
   * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
   * TLSv1.3 (IN), TLS handshake, Certificate (11):
   * TLSv1.3 (OUT), TLS alert, unknown CA (560):
   * SSL certificate problem: unable to get local issuer certificate
   * Closing connection 0
   curl: (60) SSL certificate problem: unable to get local issuer certificate
   More details here: https://curl.se/docs/sslcerts.html
   
   curl failed to verify the legitimacy of the server and therefore could not
   establish a secure connection to it. To learn more about this situation and
   how to fix it, please visit the web page mentioned above.
   bash-5.1# 
   ```
   
   The working apisix openid-connect plugin configuration used in a route:
   ```json
   {
       "client_id": "apisix",
       "client_secret": "CFejdjaiPNgGXMQub467j10OzcuK43tB",
       "discovery": "https://k6k.m01.net/auth/realms/apisix_test_realm/.well-known/openid-configuration",
       "scope": "openid profile",
       "bearer_only": false,
       "realm": "apisix_test_realm",
       "introspection_endpoint_auth_method": "client_secret_post",
       "redirect_uri": "https://www.m01.net/*",
       "access_token_in_authorization_header": true,
       "logout_path": "/logout"
   }
   ```
   Also, I don't understand why the same URL is refused if issued from the apisix pod and is accepted if used in the openid-connect plugin.
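The behaviour described in the comment above can be reproduced locally: the openid-connect plugin verifies the IdP chain against the CA handed to APISIX via `existingCASecret`, while curl inside the pod only consults the pod's default trust store, which does not contain that private CA. The script below is an added example, not code from the issue or the chart; it assumes `openssl` is installed and reuses the issue's names (`m01ca`, `k6k.m01.net`) as constructed sample values.

```shell
#!/bin/sh
# Added example (not from the issue): the same server certificate verifies
# against the private CA but fails against the default trust store.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed private CA, the counterpart of the commenter's m01ca.key / m01ca.pem.
make_private_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=m01 private CA" \
    -keyout "$WORK/m01ca.key" -out "$WORK/m01ca.pem" 2>/dev/null
}

# Server certificate for the IdP host (constructed), signed by that private CA.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=k6k.m01.net" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/m01ca.pem" \
    -CAkey "$WORK/m01ca.key" -CAcreateserial -days 365 \
    -out "$WORK/server.pem" 2>/dev/null
}

# Plugin-style check: trust store is the CA from the secret (existingCASecret).
verify_with_private_ca() {
  openssl verify -CAfile "$WORK/m01ca.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# curl-style check: only the default trust store, which lacks the private CA.
verify_with_default_store() {
  openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

# The verification error text, to compare with curl's message.
default_store_error() {
  openssl verify "$WORK/server.pem" 2>&1 \
    | grep -o "unable to get local issuer certificate" | head -n1 || true
}

make_private_ca
issue_server_cert
verify_with_private_ca && echo "private CA (plugin-style): OK"
if ! verify_with_default_store; then
  echo "default store (curl-style): $(default_store_error)"
fi
# Inside the pod the equivalent of the plugin's trust store is:
#   curl --cacert /path/to/m01ca.pem https://k6k.m01.net/...
```

Curl in the pod only succeeds once the CA from the secret is made available to it (for example via `--cacert` or by adding it to the pod's CA bundle); the chart's `existingCASecret` setting configures APISIX itself, not the tools installed in the container.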