hansedong commented on issue #9801:
URL: https://github.com/apache/apisix/issues/9801#issuecomment-1635697365

   > @hansedong could you confirm again the openresty version is really 1.21.4.1? And please share your route & ssl config (please mask the cert and key content) via admin API.
   
   APISIX and OpenResty version information is as follows (including the 
retrieval command) @kingluo 
   
   ```
   [root@knode10-72-73-177 logs]# apisix version
   /usr/local/openresty//luajit/bin/luajit /usr/local/apisix/apisix/cli/apisix.lua version
   3.4.0
   
   [root@knode10-72-73-177 logs]# openresty -V
   nginx version: openresty/1.21.4.1
   built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
   built with OpenSSL 1.1.1s  1 Nov 2022
   TLS SNI support enabled
   configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 
-DAPISIX_BASE_VER=1.21.4.1.8 
-DNGX_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so 
-DNGX_HTTP_GRPC_CLI_ENGINE_PATH=/usr/local/openresty/libgrpc_engine.so 
-DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include 
-I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' 
--add-module=../ngx_devel_kit-0.3.1 --add-module=../echo-nginx-module-0.62 
--add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 
--add-module=../set-misc-nginx-module-0.33 
--add-module=../form-input-nginx-module-0.12 
--add-module=../encrypted-session-nginx-module-0.09 
--add-module=../srcache-nginx-module-0.32 --add-module=../ngx_lua-0.10.21 
--add-module=../ngx_lua_upstream-0.07 
--add-module=../headers-more-nginx-module-0.33 
--add-module=../array-var-nginx-module-0.05 
--add-module=../memc-nginx-module-0.19 --add-module=../redis2-nginx-module-0.15 
--add-module=../redis-nginx-module-0.3.9 
--add-module=../ngx_stream_lua-0.0.11 
--with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib 
-Wl,-rpath,/usr/local/openresty/wasmtime-c-api/lib 
-L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib 
-L/usr/local/openresty/openssl111/lib 
-Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib' 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../mod_dubbo-1.0.2 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../ngx_multi_upstream_module-1.1.1 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0/src/stream 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../apisix-nginx-module-1.12.0/src/meta 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../wasm-nginx-module-0.6.4 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../lua-var-nginx-module-v0.5.3 
--add-module=/tmp/tmp.YzVafXtnkf/openresty-1.21.4.1/../grpc-client-nginx-module-v0.4.2 
--with-poll_module --with-pcre-jit --with-stream 
--with-stream_ssl_module --with-stream_ssl_preread_module --with-http_v2_module 
--without-mail_pop3_module --without-mail_imap_module 
--without-mail_smtp_module --with-http_stub_status_module 
--with-http_realip_module --with-http_addition_module 
--with-http_auth_request_module --with-http_secure_link_module 
--with-http_random_index_module --with-http_gzip_static_module 
--with-http_sub_module --with-http_dav_module --with-http_flv_module 
--with-http_mp4_module --with-http_gunzip_module --with-threads --with-compat 
--with-stream --with-http_ssl_module
   ```
   The route info:
   
   ```
   curl "http://10.72.8.63:9180/apisix/admin/routes/468131118424524075" -H "X-API-KEY: xxxxxxx"
   ```
   
   ```json
   {
       "value": {
           "uri": "/*",
           "labels": {
               "env-type": "dev",
               "ops": "ops"
           },
           "name": "ops-dev-aos-ab",
           "host": "aos.ab",
           "create_time": 1688557490,
           "id": "468131118424524075",
           "plugins": {
               "proxy-rewrite": {
                   "host": "aosab.inner.do"
               },
               "redirect": {
                   "http_to_https": true
               }
           },
           "upstream": {
               "type": "roundrobin",
               "nodes": [
                   {
                       "host": "10.72.79.4",
                       "weight": 1,
                       "port": 80
                   }
               ],
               "timeout": {
                   "send": 6,
                   "connect": 6,
                   "read": 6
               },
               "pass_host": "pass",
               "scheme": "http",
               "keepalive_pool": {
                   "requests": 1000,
                   "size": 320,
                   "idle_timeout": 60
               }
           },
           "enable_websocket": true,
           "status": 1,
           "update_time": 1688622920
       },
       "key": "/apisix/routes/468131118424524075",
       "createdIndex": 10069,
       "modifiedIndex": 21124
   }
   ```
   
   The SSL info:
   
   ```
   curl "http://10.72.8.63:9180/apisix/admin/ssls/415462858613065003" -H "X-API-KEY: xxxxxxx"
   ```
   
   ```
   {
       "value": {
           "validity_end": 1720581780,
           "validity_start": 1689045780,
           "create_time": 1657164761,
           "id": "415462858613065003",
           "cert": "-----BEGIN CERTIFICATE-----\nXXXXXXX\n-----END CERTIFICATE-----",
           "snis": [
               "www.aos.ab",
               "m.aos.ab",
               "youji.m.aos.ab",
               "*.youyudf.aos.ab",
               "*.aos.ab",
               "aos.ab"
           ],
           "status": 1,
           "update_time": 1689046536
       },
       "key": "/apisix/ssls/415462858613065003",
       "createdIndex": 5631,
       "modifiedIndex": 104568
   }
   ```
   
   I need to provide a few additional pieces of information:
   
   1. My certificate is a private TLS certificate issued internally by the 
company, and my operating system (macOS) has already trusted this certificate.
   2. When encountering a 500 error while accessing in the Chrome browser, the lock 
icon in the browser's address bar is normal (meaning that there are no 
certificate errors reported by the browser).
   3. One important point is that when I encounter a 500 error in Chrome, it 
works fine through Safari and Firefox. However, regardless of the browser, 
accessing via WSS (WebSocket over TLS) always results in a 500 error.
   4. Now, after removing the Lua code for mTLS, the 500 error no longer occurs 
and WSS has also returned to normal.
   

