  1. Red Hat 3scale API Management
  2. THREESCALE-1430

SSL doesn't work with Path Routing

Details

    • Bug
    • Resolution: Done
    • Major
    • None
    • 2.3 GA
    • Gateway
    • None

    Description

      When APICAST_HTTPS_ env vars are used to configure SSL certs, enabling path routing (APICAST_PATH_ROUTING) results in request failure.

      Steps to reproduce:

      (Note: ACCESS-TOKEN, DOMAIN and USERKEY are placeholders)

      1. Clone the APIcast repo and go to the add-ssl example folder: https://github.com/3scale/apicast/tree/master/examples/add-ssl

      2. Start APIcast as a Docker container:

      docker run \
        --env APICAST_HTTPS_PORT=8443 --publish 8443:8443 \
        --env THREESCALE_PORTAL_ENDPOINT=https://ACCESS-TOKEN@DOMAIN-admin.3scale.net \
        --volume $(pwd)/cert:/var/run/secrets/apicast \
        --env APICAST_HTTPS_CERTIFICATE=/var/run/secrets/apicast/server.crt \
        --env APICAST_HTTPS_CERTIFICATE_KEY=/var/run/secrets/apicast/server.key \
        --env APICAST_CONFIGURATION_LOADER=lazy \
        --env APICAST_CONFIGURATION_CACHE=0 \
        --env APICAST_PATH_ROUTING=true \
        registry.access.redhat.com/3scale-amp23/apicast-gateway:latest apicast -vvv
      

      3. Run a curl command (from the same folder):

      curl -v "https://localhost:8443/some-path?user_key=USERKEY" --cacert cert/server.crt
      

      Expected result:

      The call passes and the response is returned.

      Current result:

      The error that curl gets:

      curl: (35) Unknown SSL protocol error in connection to localhost:-9838
      

      APIcast logs:

      2018/10/18 10:54:20 [info] 29#29: *28 [lua] configuration_loader.lua:180: auto updating configuration finished successfuly, context: ngx.timer
      2018/10/18 10:54:34 [debug] 29#29: *32 [lua] executor.lua:25: ssl_certificate(): executor phase: ssl_certificate
      2018/10/18 10:54:34 [debug] 29#29: *32 [lua] policy_chain.lua:162: ssl_certificate(): policy chain execute phase: ssl_certificate, policy: Load Configuration, i: 1
      2018/10/18 10:54:34 [debug] 29#29: *32 [lua] policy_chain.lua:162: ssl_certificate(): policy chain execute phase: ssl_certificate, policy: Find Service Policy, i: 2
      2018/10/18 10:54:34 [error] 29#29: *32 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/core/request.lua:247: API disabled in the current context
      stack traceback:
      coroutine 0:
      	[C]: in function 'error'
      	/usr/local/openresty/lualib/resty/core/request.lua:247: in function 'get_method'
      	...oot/src/src/apicast/policy/find_service/find_service.lua:30: in function 'find_service'
      	...oot/src/src/apicast/policy/find_service/find_service.lua:74: in function <...oot/src/src/apicast/policy/find_service/find_service.lua:73>
      	/opt/app-root/src/src/apicast/policy_chain.lua:163: in function 'ssl_certificate'
      	ssl_certificate_by_lua:1: in function <ssl_certificate_by_lua:1>, context: ssl_certificate_by_lua*, client: 172.17.0.1, server: 0.0.0.0:8443
      2018/10/18 10:54:34 [crit] 29#29: *31 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: 172.17.0.1, server: 0.0.0.0:8443
      

      It seems that that's because ngx.req.get_method is called in the ssl_certificate phase, and it's not supported by OpenResty: https://github.com/openresty/lua-nginx-module#ngxreqget_method
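
      Log triage for this failure, as an added example (not code from the ticket or from APIcast): it pairs a Lua "API disabled in the current context" error with the cert-callback handshake failure logged for the same client in the same second, and lists the Lua calls that led to it. The name `triage` and the finding fields are assumptions; the sample lines are copied from the log excerpt above, with debug lines and part of the traceback omitted.

```python
import re

# Lines copied from the APIcast log above (debug lines and part of the traceback omitted).
SAMPLE_LOG = """\
2018/10/18 10:54:34 [error] 29#29: *32 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/core/request.lua:247: API disabled in the current context
stack traceback:
coroutine 0:
\t[C]: in function 'error'
\t/usr/local/openresty/lualib/resty/core/request.lua:247: in function 'get_method'
\t...oot/src/src/apicast/policy/find_service/find_service.lua:30: in function 'find_service'
\tssl_certificate_by_lua:1: in function <ssl_certificate_by_lua:1>, context: ssl_certificate_by_lua*, client: 172.17.0.1, server: 0.0.0.0:8443
2018/10/18 10:54:34 [crit] 29#29: *31 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: 172.17.0.1, server: 0.0.0.0:8443
"""

ENTRY = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] \d+#\d+: (.*)$")
CALL = re.compile(r"^\s+(\S+?):(\d+): in function '(\w+)'")  # skips "[C]:" frames
TAIL = re.compile(r"context: (\S+?), client: (\S+?), server: (\S+)")

def triage(log_text):
    """Return one finding per Lua phase error, flagged if a handshake failure followed."""
    findings, current = [], None
    for line in log_text.splitlines():
        entry = ENTRY.match(line)
        if entry:  # a timestamped entry ends any traceback being collected
            ts, _level, msg = entry.groups()
            current = None
            if "API disabled in the current context" in msg:
                current = {"time": ts, "calls": [], "context": None,
                           "client": None, "handshake_failed": False}
                findings.append(current)
            elif "SSL_do_handshake() failed" in msg and "cert cb error" in msg:
                client = re.search(r"client: (\S+?),", msg)
                # The two entries carry different connection ids (*32 vs *31),
                # so correlate on client address and timestamp instead.
                for f in findings:
                    if client and f["client"] == client.group(1) and f["time"] == ts:
                        f["handshake_failed"] = True
        elif current is not None:  # continuation line of the Lua traceback
            call = CALL.match(line)
            if call:
                current["calls"].append(call.group(3))
            tail = TAIL.search(line)
            if tail:
                current["context"], current["client"] = tail.group(1), tail.group(2)
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
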

          People

            dortiz-1 David Ortiz (Inactive)
            rhn-support-dmayorov Daria Mayorova
            Peter Stanko Peter Stanko (Inactive)