Custom Dynamic Certificate not working


#1

Summary

I added my hostname certificate to Kong certificates, but when I try to request with the hostname, which is the same as the certificate SNI, Kong always uses the server default certificate. Could someone please help me fix this?

Steps To Reproduce

  1. Add certificate via Postman (x-www-form-urlencoded) or via Kong Dashboard (I tried both).
    It works fine. My certificate structure is:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

snis:

xxx.com
tracker-dev.xxx.com
  2. Call curl to get the certificate:
{
    "next": null,
    "data": [
        {
            "created_at": 1542788989,
            "cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
            "id": "3ff5dd22-389e-41cb-9032-cb1f2837be96",
            "key": "-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----",
            "snis": [
                "xxx.com",
                "tracker-dev.xxx.com"
            ]
        }
    ]
}
  3. Call curl to get the SNIs:
{
    "next": null,
    "data": [
        {
            "certificate": {
                "id": "3ff5dd22-389e-41cb-9032-cb1f2837be96"
            },
            "created_at": 1542789008,
            "name": "xxx.com",
            "id": "316ba693-809d-4498-8cc3-6c733966387e"
        },
        {
            "certificate": {
                "id": "3ff5dd22-389e-41cb-9032-cb1f2837be96"
            },
            "created_at": 1542789008,
            "name": "tracker-dev.xxx.com",
            "id": "516eecb9-9b53-4384-a73e-499ee8dde721"
        }
    ]
}
  4. I added a service and route with Host tracker-dev.xxx.com and path /wss
  5. Add the entry 127.0.0.1 tracker-dev.xxx.com to /etc/hosts
  6. Try to call curl:
curl -v -k -i https://tracker-dev.xxx.com:8443/wss
  • Result:
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to tracker-dev.xxx.com (127.0.0.1) port 8443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
*  start date: Nov 21 07:14:14 2018 GMT
*  expire date: Dec 21 07:14:14 2018 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /wss HTTP/1.1
> Host: tracker-dev.xxx.com:8443
> User-Agent: curl/7.61.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 139
Content-Length: 139
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: Express
X-Powered-By: Express
< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self'
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Date: Wed, 21 Nov 2018 08:56:51 GMT
Date: Wed, 21 Nov 2018 08:56:51 GMT
< X-Kong-Upstream-Latency: 5
X-Kong-Upstream-Latency: 5
< X-Kong-Proxy-Latency: 5
X-Kong-Proxy-Latency: 5
< Via: kong/0.14.1
Via: kong/0.14.1

<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /</pre>
</body>
</html>
* Connection #0 to host tracker-dev.xxx.com left intact

Additional Details & Logs

  • I used Kong via the Kong helm chart (version 0.6.3), connecting to Kong via a k8s NodePort
  • Kong version 0.14.1
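
An added diagnostic for the symptom in this post, not code from the thread or from Kong: it resolves the hostname through the Admin API's /snis and /certificates listings (the same endpoints queried above), performs a TLS handshake with that SNI, and compares the SHA-256 fingerprint of the leaf certificate Kong actually serves against the one stored for that SNI, so a fallback to the CN=localhost default certificate shows up as a mismatch. The Admin API address 127.0.0.1:8001 and proxy port 8443 are assumptions.

```python
import base64
import hashlib
import json
import re
import socket
import ssl
import urllib.request

# First CERTIFICATE block of a PEM bundle; Kong stores the chain leaf-first (see the 'cert' field above).
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def leaf_der_from_pem(pem: str) -> bytes:
    """DER bytes of the leaf (first) certificate in the 'cert' field returned by /certificates."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate (same value 'openssl x509 -fingerprint -sha256' prints)."""
    return hashlib.sha256(der).hexdigest()


def configured_cert_for_sni(snis: dict, certificates: dict, hostname: str):
    """Resolve hostname -> certificate object via the /snis and /certificates listings (exact SNI match)."""
    cert_ids = {s["name"]: s["certificate"]["id"] for s in snis["data"]}
    by_id = {c["id"]: c for c in certificates["data"]}
    return by_id.get(cert_ids.get(hostname))


def served_leaf_der(host: str, port: int, sni: str) -> bytes:
    """Handshake with the given SNI and return the leaf certificate the server actually sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # fingerprints are compared explicitly; the cert may be self-signed
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def admin_get(admin_url: str, path: str) -> dict:
    # /certificates also returns private keys, so the Admin API must never be reachable from outside.
    with urllib.request.urlopen(admin_url + path, timeout=5) as resp:
        return json.load(resp)


def sni_serves_configured_cert(host: str, port: int, sni: str, admin_url: str = "http://127.0.0.1:8001") -> str:
    cert = configured_cert_for_sni(admin_get(admin_url, "/snis"), admin_get(admin_url, "/certificates"), sni)
    if cert is None:
        return "no SNI entry for %s in Kong" % sni
    expected = fingerprint(leaf_der_from_pem(cert["cert"]))
    served = fingerprint(served_leaf_der(host, port, sni))
    if expected == served:
        return "OK: %s serves certificate %s" % (sni, cert["id"])
    return "MISMATCH: expected %s, served %s (default certificate?)" % (expected[:16], served[:16])
```

Run `sni_serves_configured_cert("127.0.0.1", 8443, "tracker-dev.xxx.com")` against the setup described above; a mismatch means Kong did not select the stored certificate for that SNI.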

#2

Are you deploying Kong with Ingress controller or without the helm chart?

Could you share the variables you override for helm install stable/kong?


#3

Hi hbagdi, I'm done with this.
When I try to use kong-ingress-controller and add a k8s Certificate resource, it works perfectly, but when I manually add the certificate directly to Kong, it does not work :frowning: .
I have an extra question:
I deploy Kong via the helm chart; how do I open 2 proxy ports, one for HTTP and one for HTTPS? Because I want to use Let's Encrypt cert-manager, which verifies the domain via an HTTP request.


#4

The Ingress controller takes care of configuring all of Kong. If you create anything in Kong manually, the Ingress controller will delete it. So I recommend you configure a k8s certificate and then use the TLS section in the Ingress to associate the cert with a Route.

You can add KONG_PROXY_LISTEN to .Values.env and have both a TLS and a non-TLS port.
You'll have to patch the service object of kong-proxy to include the port.

The Helm chart out of the box doesn't support HTTP and HTTPS ports at the same time. I do understand that this is not optimal and we would like to change it.

PRs welcome!