[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-1080073556

> @tokers It means I didn't provide the client certificate; when I use `-cert` and `-key` in openssl, it's OK. `Certificate host Mismatch` is an error reported by the client when trying to verify the server certificate. I will do more verification in my spare time to confirm the problem.

Just like @hctech, if your ETCD certificate was signed by a private CA, you can either:

1. disable the ETCD TLS Verify option in the APISIX config.yaml, or
2. add the ETCD CA certificate to the CA bundle and specify it in the `ssl_trusted_certificate` option.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
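The two checks this thread runs into, trust in a private CA and the name match behind `Certificate host Mismatch`, can be told apart offline with `openssl verify`. This is an added example, not part of the thread or of APISIX; the CA, the name `etcd.example.internal` and the address `10.0.0.5` are constructed.

```shell
#!/usr/bin/env bash
# Added example: every certificate, name and address here is constructed for illustration.
set -eu

make_pki() {  # $1 = empty work dir; creates a private CA and a server cert with one DNS SAN
  local d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
[v3_leaf]
subjectAltName = DNS:etcd.example.internal
EOF
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 1 -subj "/CN=Example Private CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=etcd.example.internal" -keyout "$d/etcd.key" -out "$d/etcd.csr" 2>/dev/null
  openssl x509 -req -in "$d/etcd.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/pki.cnf" -extensions v3_leaf -out "$d/etcd.crt" 2>/dev/null
}

# verify_cert DIR [openssl verify options...]  ->  prints "ok" or "fail"
verify_cert() {
  local d=$1; shift
  if openssl verify "$@" "$d/etcd.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

main() {
  local d; d=$(mktemp -d); trap "rm -rf '$d'" EXIT
  make_pki "$d"
  echo "chain, default trust store only:    $(verify_cert "$d")"
  echo "chain, private CA supplied:         $(verify_cert "$d" -CAfile "$d/ca.crt")"
  echo "name check, DNS name in the SAN:    $(verify_cert "$d" -CAfile "$d/ca.crt" -verify_hostname etcd.example.internal)"
  echo "name check, IP address not in SAN:  $(verify_cert "$d" -CAfile "$d/ca.crt" -verify_ip 10.0.0.5)"
}
main
```

The last line fails even though the chain is trusted, which is why supplying the CA and choosing the name the client verifies are separate settings.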
[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-987486570

> > Is this a self-signed certificate or signed by a private CA? Have you configured the `ssl_trusted_certificate` option?
>
> Yes, it's self-signed. You can see the configuration above, `ssl_trusted_certificate` has been set.
>
> If `verify` is set to true, an error "Certificate host Mismatch.", but I have no problem passing OpenSSL authentication

Your OpenSSL authentication also reports a bad certificate alert:

> verify return:1
> 140718298392464:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
> 140718298392464:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-986595093

Is this a self-signed certificate or signed by a private CA? Have you configured the `ssl_trusted_certificate` option?
[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-986343505

If so, the TLS handshake should succeed. @deepzz0 Could you try to capture some TLS handshake packets?
[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-986172654

@deepzz0 Could you try to preserve only one node in the etcd host and set the SNI to its IP address and check out the result?
[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-986172595

I forget the details about lua-resty-http; I'm not sure whether it will set the SNI if the node is a pure IP.
[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-986172345

@deepzz0 Please read our replies carefully.
[GitHub] [apisix] tokers commented on issue #5650: request help: etcd tls connect handshake failed
tokers commented on issue #5650:
URL: https://github.com/apache/apisix/issues/5650#issuecomment-983196264

@deepzz0 Configure the SNI setting in the etcd section.