Summary
I added my hostname certificate to Kong's certificates, but when I try to make a request with a hostname that is the same as the certificate's SNI, Kong always uses the server default certificate. Could someone please help me fix this?
Steps To Reproduce
- Add certificate via postman (x-www-form-urlencoded) or via Kong Dashboard (I try both)
It works fine. My certificate structure is:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
snis:
xxx.com
tracker-dev.xxx.com
- Call curl to get the certificates:
{
"next": null,
"data": [
{
"created_at": 1542788989,
"cert": "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----",
"id": "3ff5dd22-389e-41cb-9032-cb1f2837be96",
"key": "-----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY-----",
"snis": [
"xxx.com",
"tracker-dev.xxx.com"
]
}
]
}
- Call curl to get the SNIs:
{
"next": null,
"data": [
{
"certificate": {
"id": "3ff5dd22-389e-41cb-9032-cb1f2837be96"
},
"created_at": 1542789008,
"name": "xxx.com",
"id": "316ba693-809d-4498-8cc3-6c733966387e"
},
{
"certificate": {
"id": "3ff5dd22-389e-41cb-9032-cb1f2837be96"
},
"created_at": 1542789008,
"name": "tracker-dev.xxx.com",
"id": "516eecb9-9b53-4384-a73e-499ee8dde721"
}
]
}
- I added a service and a route with Host tracker-dev.xxx.com and path /wss
- Added the entry 127.0.0.1 tracker-dev.xxx.com to /etc/hosts
- Try calling curl:
curl -v -k -i https://tracker-dev.xxx.com:8443/wss
- Result:
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to tracker-dev.xxx.com (127.0.0.1) port 8443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
* start date: Nov 21 07:14:14 2018 GMT
* expire date: Dec 21 07:14:14 2018 GMT
* issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
* SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /wss HTTP/1.1
> Host: tracker-dev.xxx.com:8443
> User-Agent: curl/7.61.0
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Content-Length: 139
Content-Length: 139
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: Express
X-Powered-By: Express
< Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: *
< Content-Security-Policy: default-src 'self'
Content-Security-Policy: default-src 'self'
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Date: Wed, 21 Nov 2018 08:56:51 GMT
Date: Wed, 21 Nov 2018 08:56:51 GMT
< X-Kong-Upstream-Latency: 5
X-Kong-Upstream-Latency: 5
< X-Kong-Proxy-Latency: 5
X-Kong-Proxy-Latency: 5
< Via: kong/0.14.1
Via: kong/0.14.1
<
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Error</title>
</head>
<body>
<pre>Cannot GET /</pre>
</body>
</html>
* Connection #0 to host tracker-dev.xxx.com left intact
Additional Details & Logs
- I used Kong via the Kong Helm chart (version 0.6.3), connecting to Kong via a k8s NodePort
- Kong version: 0.14.1
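As an added illustration (not part of the original issue and not Kong's own code), the following Python check separates the two things the report above exercises: whether the Admin API maps the requested name to a certificate at all, and which certificate the proxy actually presented for that name. The Admin API responses and the handshake excerpt embedded below are constructed from the values shown in the report (the certificate id, the two SNI names, and the CN=localhost default certificate); the openssl s_client probe at the end is an assumption about how one would collect a live handshake, and the function names are my own.

```python
"""Check that a TLS endpoint serves the certificate its SNI should select."""
import re
import subprocess

# Constructed from the Admin API output in the report above (keys trimmed
# to the fields the check needs).
CERT_ID = "3ff5dd22-389e-41cb-9032-cb1f2837be96"
CERTIFICATES = {"data": [{"id": CERT_ID, "snis": ["xxx.com", "tracker-dev.xxx.com"]}]}
SNIS = {"data": [
    {"name": "xxx.com", "certificate": {"id": CERT_ID}},
    {"name": "tracker-dev.xxx.com", "certificate": {"id": CERT_ID}},
]}

# Constructed from the curl -v excerpt in the report: the proxy presented
# Kong's default self-signed certificate, not one for the requested name.
CURL_HANDSHAKE = """* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
*  issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
"""

# CN in curl's "C=US; ...; CN=x" form, OpenSSL's "CN = x" form, or "/CN=x".
_CN_RE = re.compile(r"\bCN\s*=\s*([^,;/\n]+)")


def served_common_name(handshake_text):
    """Return the CN of the leaf certificate the server presented, or None.

    Accepts the verbose output of curl -v or of openssl s_client; only the
    'subject' line is consulted, so the issuer line cannot be mistaken for it.
    """
    for line in handshake_text.splitlines():
        if "subject" in line:
            match = _CN_RE.search(line)
            if match:
                return match.group(1).strip()
    return None


def certificate_for_sni(hostname, snis, certificates):
    """Return the certificate id the Admin API maps this SNI name to, or None.

    The id must also exist in the certificates collection; a dangling
    reference counts as no mapping.
    """
    known_ids = {cert["id"] for cert in certificates["data"]}
    for sni in snis["data"]:
        if sni["name"] == hostname and sni["certificate"]["id"] in known_ids:
            return sni["certificate"]["id"]
    return None


def name_matches(pattern, hostname):
    """Match a certificate name against a hostname: exact, or a single
    leftmost-label wildcard (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname


def diagnose(hostname, snis, certificates, handshake_text):
    """Classify a failed SNI lookup so the Admin API side and the proxy side
    are not confused with each other."""
    if certificate_for_sni(hostname, snis, certificates) is None:
        return "no-sni-mapping"            # fix the Admin API objects first
    cn = served_common_name(handshake_text)
    if cn is None:
        return "no-subject-in-output"      # handshake text did not include a subject
    if name_matches(cn, hostname):
        return "ok"
    return "wrong-cert-served:" + cn       # mapping exists, proxy chose another cert


def probe(connect_host, port=8443, servername=None):
    """Live probe (assumed tooling, not run by the offline test): ask openssl
    s_client to send `servername` as SNI and return the CN it was shown."""
    servername = servername or connect_host
    result = subprocess.run(
        ["openssl", "s_client", "-connect", f"{connect_host}:{port}",
         "-servername", servername],
        input="", capture_output=True, text=True, timeout=10, check=False)
    return served_common_name(result.stdout)
```

For the handshake in the report, diagnose("tracker-dev.xxx.com", SNIS, CERTIFICATES, CURL_HANDSHAKE) reports that the mapping exists but CN=localhost was served, which points at the proxy's certificate selection rather than at the Admin API objects. Because the SNI value the client sends is what drives selection, a live probe with openssl s_client -servername for both names on the certificate is the quickest way to confirm whether the proxy ever serves the configured certificate.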