Details
- Bug
- Resolution: Done
- Major
- None
- 2.3 GA
- None
Description
When APICAST_HTTPS_ env vars are used to configure SSL certs, enabling path routing (APICAST_PATH_ROUTING) results in request failure.
Steps to reproduce:
(Note: ACCESS-TOKEN, DOMAIN and USERKEY are placeholders)
1. Clone the APIcast repo and go to the add-ssl example folder: https://github.com/3scale/apicast/tree/master/examples/add-ssl
2. Start APIcast as Docker container:
docker run \
  --env APICAST_HTTPS_PORT=8443 --publish 8443:8443 \
  --env THREESCALE_PORTAL_ENDPOINT=https://ACCESS-TOKEN@DOMAIN-admin.3scale.net \
  --volume $(pwd)/cert:/var/run/secrets/apicast \
  --env APICAST_HTTPS_CERTIFICATE=/var/run/secrets/apicast/server.crt \
  --env APICAST_HTTPS_CERTIFICATE_KEY=/var/run/secrets/apicast/server.key \
  --env APICAST_CONFIGURATION_LOADER=lazy \
  --env APICAST_CONFIGURATION_CACHE=0 \
  --env APICAST_PATH_ROUTING=true \
  registry.access.redhat.com/3scale-amp23/apicast-gateway:latest apicast -vvv
3. Run a curl command (from the same folder):
curl -v "https://localhost:8443/some-path?user_key=USERKEY" --cacert cert/server.crt
Expected result:
The call passes and the response is returned.
Current result:
The error that curl gets:
curl: (35) Unknown SSL protocol error in connection to localhost:-9838
APIcast logs:
2018/10/18 10:54:20 [info] 29#29: *28 [lua] configuration_loader.lua:180: auto updating configuration finished successfuly, context: ngx.timer
2018/10/18 10:54:34 [debug] 29#29: *32 [lua] executor.lua:25: ssl_certificate(): executor phase: ssl_certificate
2018/10/18 10:54:34 [debug] 29#29: *32 [lua] policy_chain.lua:162: ssl_certificate(): policy chain execute phase: ssl_certificate, policy: Load Configuration, i: 1
2018/10/18 10:54:34 [debug] 29#29: *32 [lua] policy_chain.lua:162: ssl_certificate(): policy chain execute phase: ssl_certificate, policy: Find Service Policy, i: 2
2018/10/18 10:54:34 [error] 29#29: *32 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/core/request.lua:247: API disabled in the current context
stack traceback:
coroutine 0:
    [C]: in function 'error'
    /usr/local/openresty/lualib/resty/core/request.lua:247: in function 'get_method'
    ...oot/src/src/apicast/policy/find_service/find_service.lua:30: in function 'find_service'
    ...oot/src/src/apicast/policy/find_service/find_service.lua:74: in function <...oot/src/src/apicast/policy/find_service/find_service.lua:73>
    /opt/app-root/src/src/apicast/policy_chain.lua:163: in function 'ssl_certificate'
    ssl_certificate_by_lua:1: in function <ssl_certificate_by_lua:1>, context: ssl_certificate_by_lua*, client: 172.17.0.1, server: 0.0.0.0:8443
2018/10/18 10:54:34 [crit] 29#29: *31 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: 172.17.0.1, server: 0.0.0.0:8443
Seems that that's because ngx.req.get_method is called in the ssl_certificate phase, and it's not supported by OpenResty: https://github.com/openresty/lua-nginx-module#ngxreqget_method
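A log triage sketch for the failure above, added here as an example (it is not APIcast or OpenResty code): it parses the nginx error log, finds Lua aborts raised with "API disabled in the current context", and ties each one to the failed TLS handshake that follows. The function names are hypothetical; the sample lines are copied from the log above.

```python
import re
# Lines copied from the APIcast log above (debug lines and some frames omitted).
SAMPLE_LOG = """\
2018/10/18 10:54:34 [error] 29#29: *32 lua entry thread aborted: runtime error: /usr/local/openresty/lualib/resty/core/request.lua:247: API disabled in the current context
stack traceback:
    [C]: in function 'error'
    /usr/local/openresty/lualib/resty/core/request.lua:247: in function 'get_method'
    ...oot/src/src/apicast/policy/find_service/find_service.lua:30: in function 'find_service'
    ssl_certificate_by_lua:1: in function <ssl_certificate_by_lua:1>, context: ssl_certificate_by_lua*, client: 172.17.0.1, server: 0.0.0.0:8443
2018/10/18 10:54:34 [crit] 29#29: *31 SSL_do_handshake() failed (SSL: error:1417A179:SSL routines:tls_post_process_client_hello:cert cb error) while SSL handshaking, client: 172.17.0.1, server: 0.0.0.0:8443
"""
HEADER = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(\w+)\] (\d+)#\d+: (.*)$")
FRAME = re.compile(r"^\s*(\S+):(\d+): in function '([^']+)'", re.M)

def parse_entries(text):
    """Group log lines into entries; untimestamped lines (stack traces) join the previous entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append(dict(zip(("ts", "level", "pid", "msg"), m.groups())))
        elif entries:
            entries[-1]["msg"] += "\n" + line
    return entries

def field(msg, name):
    """Return the value of a 'name: value' log field, or None if absent."""
    m = re.search(rf"\b{name}: ([^,\n]+)", msg)
    return m.group(1) if m else None

def find_phase_violations(text):
    """Find Lua aborts on a phase-restricted API and any TLS handshake failure that follows."""
    entries, findings = parse_entries(text), []
    for i, e in enumerate(entries):
        if e["level"] != "error" or "API disabled in the current context" not in e["msg"]:
            continue
        frames = FRAME.findall(e["msg"])  # Lua frames only; the [C] frame has no line number
        # Connection ids differ (*32 vs *31), so correlate on second, worker and client.
        key = (e["ts"], e["pid"], field(e["msg"], "client"))
        findings.append({
            "api": frames[0][2] if frames else None,
            "caller": "{}:{}".format(*frames[1][:2]) if len(frames) > 1 else None,
            "context": field(e["msg"], "context"),
            "client": key[2],
            "handshake_failed": any(
                o["level"] == "crit" and "SSL_do_handshake() failed" in o["msg"]
                and (o["ts"], o["pid"], field(o["msg"], "client")) == key
                for o in entries[i + 1:]),
        })
    return findings
```
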