[GitHub] [apisix] whioue commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

2023-01-04 Thread GitBox


whioue commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1370687574

   > > I understand, but that way only one CA certificate can be configured. If there are multiple upstreams, and those upstreams use different CA certificates for issuance, this only allows configuring one.
   > 
   > We can use this way: 
https://github.com/apache/apisix/blob/master/docs/zh/latest/certificate.md#%E8%AE%BE%E7%BD%AE%E5%A4%9A%E4%B8%AA-ca-%E8%AF%81%E4%B9%A6
   
Using the approach you suggested above, the certificates of multiple upstreams can be verified. But when I add a new upstream, I have to manually edit the .ca-bundle file again to append the new upstream's CA certificate, and then restart apisix to load the new .ca-bundle file (I am not sure whether my understanding is wrong). If that is the case, isn't it rather inflexible, since it cannot take effect on the fly after an upstream is added? Is there a better way to verify upstream certificates dynamically?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



[GitHub] [apisix] whioue commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

2022-08-12 Thread GitBox


whioue commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1212890082

   > > Only client_cert and client_key are configured in the upstream, and there is no client_ca field,
   > 
   > IMO, the CA certificate used for the mTLS connection between APISIX and upstream is
   > 
   > ```yaml
   > apisix:
   >   ssl:
   >     ssl_trusted_certificate: /path/to/certs/ca-certificates.crt
   > ```
   I understand, but that way only one CA certificate can be configured. If there are multiple upstreams, and those upstreams use different CA certificates for issuance, this only allows configuring one.
   


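The two comments above (the one-CA limit of `ssl_trusted_certificate`, and the `.ca-bundle` file that has to be edited by hand whenever an upstream is added) both come down to maintaining one PEM bundle. The script below is an added example, not code from APISIX or from this thread: it assumes one CA PEM text per upstream, collected in the hypothetical `SAMPLE_SOURCES` mapping, and generates the bundle instead of hand-editing it, dropping CAs shared by several upstreams, refusing private-key material or corrupt PEM, and recording which upstream introduced which CA fingerprint. The certificate bodies used as input are constructed minimal DER SEQUENCEs, not real certificates. Producing the file does not make the trust store dynamic; getting APISIX to pick up the new bundle is still the reload step the comment describes.

```python
import base64
import hashlib
import re
import textwrap

# Matches one PEM block and captures its label ("CERTIFICATE", "PRIVATE KEY", ...)
# and its base64 body. Text outside the markers is ignored, as OpenSSL-style
# PEM readers do, so comment lines in the bundle are harmless.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S
)


def parse_pem_blocks(text):
    """Return a list of (label, der_bytes) for every PEM block in text.

    Raises ValueError when a body is not valid base64, so a truncated or
    hand-edited certificate is caught before it reaches the bundle.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{label} block has a corrupt base64 body") from exc
        blocks.append((label, der))
    return blocks


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, the usual way to list or pin a CA."""
    return hashlib.sha256(der).hexdigest()


def pem_from_der(der):
    """Wrap a DER blob in CERTIFICATE markers with the conventional 64-column body."""
    body = base64.b64encode(der).decode("ascii")
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(textwrap.wrap(body, 64))
        + "\n-----END CERTIFICATE-----\n"
    )


def build_ca_bundle(sources):
    """Merge per-upstream CA files into one bundle.

    sources maps an upstream name (hypothetical) to the PEM text of its CA.
    Returns (bundle_text, {fingerprint: first upstream that introduced it}).
    """
    seen = {}
    chunks = []
    for name, text in sources.items():
        blocks = parse_pem_blocks(text)
        if not blocks:
            raise ValueError(f"{name}: no PEM block found")
        for label, der in blocks:
            # A trust bundle must contain only certificates. A private key that
            # was pasted in by mistake would otherwise be shipped to every node.
            if label != "CERTIFICATE":
                raise ValueError(f"{name}: refusing to bundle a {label} block")
            # Every X.509 certificate is a DER SEQUENCE (first byte 0x30).
            if not der or der[0] != 0x30:
                raise ValueError(f"{name}: block is not a DER SEQUENCE")
            fp = fingerprint(der)
            if fp in seen:
                continue  # the same CA is shared by more than one upstream
            seen[fp] = name
            chunks.append(f"# {name} sha256={fp}\n" + pem_from_der(der))
    return "".join(chunks), seen


def count_certificates(bundle_text):
    """Number of CERTIFICATE blocks in a bundle, for a quick sanity check."""
    return sum(1 for label, _ in parse_pem_blocks(bundle_text) if label == "CERTIFICATE")


def bundle_rejects(name, text):
    """True if build_ca_bundle refuses this source (key material, corrupt PEM, ...)."""
    try:
        build_ca_bundle({name: text})
    except ValueError:
        return False or True
    return False


# Constructed stand-ins: minimal DER SEQUENCEs, not real certificates. Replace
# them with the CA files of the real upstreams.
CA_A = pem_from_der(b"\x30\x03\x02\x01\x01")
CA_B = pem_from_der(b"\x30\x03\x02\x01\x02")
LEAKED_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"

SAMPLE_SOURCES = {
    "upstream-a": CA_A,
    "upstream-b": CA_B,
    "upstream-c": CA_A,  # shares upstream-a's CA: must not be duplicated
}


if __name__ == "__main__":
    bundle, index = build_ca_bundle(SAMPLE_SOURCES)
    print(bundle)
    print(f"{count_certificates(bundle)} distinct CA certificate(s)")
```

Feed the real per-upstream CA files in place of the constructed blobs and write the returned text to the path set in `apisix.ssl.ssl_trusted_certificate`; the returned fingerprint index doubles as an inventory of which upstream introduced which CA, which is what you need when an upstream is retired and its CA should leave the bundle.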



[GitHub] [apisix] whioue commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

2022-02-22 Thread GitBox


whioue commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1048403905


   > @whioue APISIX doesn't enable the `proxy_ssl_verify` directive, one of the solutions is enabling the `proxy_ssl_verify` by yourself, through the https://github.com/apache/apisix/blob/master/conf/config-default.yaml#L193.
   
   
Only client_cert and client_key are configured in the upstream, and there is no client_ca field. My understanding is that, in this case, the connection from apisix to the business host is not a complete mutual authentication, which does not fully match what the https://github.com/apache/apisix/blob/master/docs/zh/latest/mtls.md document describes. Is there any plan to introduce a client_ca setting in the upstream for verifying the server certificate later on?
   
![image](https://user-images.githubusercontent.com/47098518/155254044-60c67b30-ed34-41ba-8ec1-78e452df2280.png)
   






[GitHub] [apisix] whioue commented on issue #6418: bug: apisix failed to verify the validity of the server certificate

2022-02-22 Thread GitBox


whioue commented on issue #6418:
URL: https://github.com/apache/apisix/issues/6418#issuecomment-1047723879


   > @whioue What exactly does "when the server is configured with an invalid certificate and key" mean? Have you tried accessing your backend with curl?
   
   
When starting the backend service, I load the CA certificate, the server certificate and the server key, but the server certificate and private key were not issued by this CA. Normally, when apisix acts as the client accessing this service, during mutual authentication the server sends this certificate and key to apisix, yet apisix did not detect that the certificate and key are invalid and instead obtained the response directly. When accessing this service with curl, it reports that certificate verification failed and the request cannot be completed normally.

