How to set Certificates and SNIs in Kong DB-less

I am trying to set certificates in Kong DB-less. My kong.yml looks like this.

_format_version: "1.1"

services:
- name: test
  url: http://httpbin.org
  routes:
  - name: test
    hosts:
    - hello.test

certificates:
- cert: "-----BEGIN CERTIFICATE-----..."
  key: "-----BEGIN PRIVATE KEY-----..."
  snis: ["hello.test"]

Error from Kong (docker-compose logs)

kong       | 2019/08/15 10:14:41 [error] 19#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:382: error parsing declarative config file /kong.conf.d/kong.yml:
kong       | in 'certificates':
kong       |   - in entry 1 of 'certificates':
kong       |     in 'snis':
kong       |       - in entry 1 of 'snis': expected a record
kong       |   Run with --v (verbose) or --vv (debug) for more details

I changed snis to

  snis: "hello.test"

The error is

kong       | in 'certificates':
kong       |   - in entry 1 of 'certificates':
kong       |     in 'snis': expected an array

Any suggestions?
Thank you.

I think that should be:

snis:
- hello.test

Same error as

snis: ["hello.test"]

I ran Kong in Docker with kong:1.3rc1 and added certificates via the API, then used

kong config db_export kong.yml

A kong.yml that looks like this worked for me with Kong 1.2.x

_format_version: '1.1'
services:
- name: test
  url: http://httpbin.org
  routes:
  - name: test
    hosts:
    - hello.test

certificates:
- cert: "-----BEGIN CERTIFICATE-----..."
  key: "-----BEGIN PRIVATE KEY-----..."
  snis:
  - name: hello.test

Thank you @bungle for quick response :slight_smile:

Great! Sorry my bad, I should have tested it out. I am glad you found the right way!

Hi,

I’m using DB-less Kong 1.4 and can’t make it serve the correct certificate for my domain.

In my kong.yaml I have set the certificates object:

certificates:
  - snis:
      - name: mydomain.com
    key: |-
          -----BEGIN PRIVATE KEY-----
          -----END PRIVATE KEY-----
    cert: |-
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----

And the host set on the route like in @narate's example:

services:
  - name: test
    routes:
      - name: test
        paths:
          - /test/
        protocols:
          - https
        hosts:
          - mydomain.com
    url: http://httpbin.org

If I check the Admin API I can see that there is a SNI object, the matching certificate object also exists and the route object also has the matching host set.

However, when I do a request to my service Kong serves a self-signed certificate instead of my domain’s certificate.

Any idea of what I’m doing wrong?

Thank you.

How are you making the request to kong?

Sorry for the late response.

I was just using the web browser and curl to request https://mydomain.com/test/.
I tried reloading the config with kong reload and it didn’t work, but after restarting Kong’s pod (I’m using Kong inside k8s) and reloading the conf it worked.
I must have been doing something wrong and didn’t realize :man_shrugging:
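
An added example, not part of any post above and not Kong's own code: a small pre-deploy lint for the two problems this thread ran into, a `snis` list that is not made of `name` records and an HTTPS route host with no SNI attached to a certificate. It assumes the config has already been parsed into a dict (for instance with PyYAML's `yaml.safe_load`), compares SNI names by exact match only, and `lint_kong_tls` and `sample` are hypothetical names.

```python
# Added example: lint a parsed Kong declarative config (kong.yml as a dict).
# Assumption: exact-match SNI names only; wildcard SNIs are not considered.

def lint_kong_tls(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    declared = set()  # SNI names that are attached to some certificate

    for i, cert in enumerate(config.get("certificates") or [], start=1):
        where = f"certificates[{i}]"
        for field in ("cert", "key"):
            if not str(cert.get(field, "")).lstrip().startswith("-----BEGIN"):
                findings.append(f"{where}.{field}: missing or not PEM")
        snis = cert.get("snis")
        if snis is None:
            continue
        if not isinstance(snis, list):
            findings.append(f"{where}.snis: expected an array")
            continue
        for j, sni in enumerate(snis, start=1):
            if isinstance(sni, dict) and isinstance(sni.get("name"), str):
                declared.add(sni["name"].lower())
            else:
                findings.append(
                    f"{where}.snis[{j}]: expected a record, e.g. '- name: {sni}'")

    for svc in config.get("services") or []:
        for route in svc.get("routes") or []:
            # Routes accept both http and https when protocols is not set.
            if "https" not in (route.get("protocols") or ["http", "https"]):
                continue
            for host in route.get("hosts") or []:
                if host.lower() not in declared:
                    findings.append(
                        f"route '{route.get('name')}': host {host} has no SNI; "
                        "Kong's default certificate would be served")
    return findings


def sample(snis):
    """Constructed config mirroring the kong.yml in the first post."""
    return {
        "services": [{"name": "test", "url": "http://httpbin.org",
                      "routes": [{"name": "test", "hosts": ["hello.test"]}]}],
        "certificates": [{"cert": "-----BEGIN CERTIFICATE-----...",
                          "key": "-----BEGIN PRIVATE KEY-----...",
                          "snis": snis}],
    }
```

The lint only checks the file; it cannot tell whether a running Kong node has loaded it.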

