How to set Certificates and SNIs in Kong DB-less

I am trying to set certificates in Kong DB-less; my kong.yml looks like this.

_format_version: "1.1"

services:
- name: test
  url: http://httpbin.org
  routes:
  - name: test
    hosts:
    - hello.test

certificates:
- cert: "-----BEGIN CERTIFICATE-----..."
  key: "-----BEGIN PRIVATE KEY-----..."
  snis: ["hello.test"]

Error from Kong (docker-compose logs):

kong       | 2019/08/15 10:14:41 [error] 19#0: init_by_lua error: /usr/local/share/lua/5.1/kong/init.lua:382: error parsing declarative config file /kong.conf.d/kong.yml:
kong       | in 'certificates':
kong       |   - in entry 1 of 'certificates':
kong       |     in 'snis':
kong       |       - in entry 1 of 'snis': expected a record
kong       |   Run with --v (verbose) or --vv (debug) for more details

I changed snis to

  snis: "hello.test"

The error is:

kong       | in 'certificates':
kong       |   - in entry 1 of 'certificates':
kong       |     in 'snis': expected an array

Any suggestions?
Thank you.

I think that should be:

snis:
- hello.test

Same error as with:

snis: ["hello.test"]

I ran Kong in Docker with kong:1.3rc1 and added certificates via the API, then used

kong config db_export kong.yml

kong.yml looks like this and worked for me with Kong 1.2.x:

_format_version: '1.1'
services:
- name: test
  url: http://httpbin.org
  routes:
  - name: test
    hosts:
    - hello.test

certificates:
- cert: "-----BEGIN CERTIFICATE-----..."
  key: "-----BEGIN PRIVATE KEY-----..."
  snis:
  - name: hello.test

Thank you @bungle for the quick response :slight_smile:

Great! Sorry my bad, I should have tested it out. I am glad you found the right way!
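As an added example (not code from this thread or from Kong), the following Python pre-flight check catches the two schema mistakes seen above before Kong does: snis given as a list of bare strings ("expected a record") and snis given as a single string ("expected an array"). It also reports route hosts that no SNI covers, which is the case where Kong falls back to its default certificate. It operates on the already-parsed config, i.e. the dict that yaml.safe_load would return, so it needs no third-party module; SAMPLE_CONFIG is constructed to mirror the kong.yml above, and the wildcard matching follows Kong's documented prefix (*.example.com) and suffix (example.*) SNI forms.

```python
"""Pre-flight checks for the certificates/snis section of a Kong DB-less
declarative config. Added example, not Kong's own code or the thread's.
It works on the parsed config (the dict yaml.safe_load would return), so it
needs no third-party module; SAMPLE_CONFIG below is constructed."""
import copy

PEM_CERT = "-----BEGIN CERTIFICATE-----"
PEM_KEYS = ("-----BEGIN PRIVATE KEY-----",
            "-----BEGIN RSA PRIVATE KEY-----",
            "-----BEGIN EC PRIVATE KEY-----")

SAMPLE_CONFIG = {  # constructed; same shape as the kong.yml shown above
    "_format_version": "1.1",
    "services": [{
        "name": "test", "url": "http://httpbin.org",
        "routes": [{"name": "test",
                    "hosts": ["hello.test", "api.hello.test", "other.example"]}],
    }],
    "certificates": [{
        "cert": PEM_CERT + "\n...constructed...\n-----END CERTIFICATE-----",
        "key": PEM_KEYS[0] + "\n...constructed...\n-----END PRIVATE KEY-----",
        "snis": [{"name": "hello.test"}, {"name": "*.hello.test"}],
    }],
}


def check_certificates(config):
    """Return problems in the shape Kong reports them; [] means the section is
    a list of records, each with PEM cert/key and a list of {name: ...} SNIs."""
    certs = config.get("certificates")
    if certs is None:
        return ["no 'certificates' section"]
    if not isinstance(certs, list):
        return ["in 'certificates': expected an array"]
    problems = []
    for i, entry in enumerate(certs, 1):
        where = f"in entry {i} of 'certificates'"
        if not isinstance(entry, dict):
            problems.append(f"{where}: expected a record")
            continue
        cert, key = entry.get("cert"), entry.get("key")
        if not (isinstance(cert, str) and cert.startswith(PEM_CERT)):
            problems.append(f"{where}: 'cert' must be a PEM certificate string")
        if not (isinstance(key, str) and key.startswith(PEM_KEYS)):
            problems.append(f"{where}: 'key' must be a PEM private key string")
        snis = entry.get("snis", [])
        if not isinstance(snis, list):            # snis: "hello.test"
            problems.append(f"{where}: in 'snis': expected an array")
            continue
        for j, sni in enumerate(snis, 1):         # snis: ["hello.test"]
            if not isinstance(sni, dict) or not isinstance(sni.get("name"), str):
                problems.append(f"{where}: in entry {j} of 'snis': expected a record")
    return problems


def covering_sni(host, names):
    """SNI name Kong would select for host: exact match, else the prefix
    wildcard (*.rest-of-host), else the suffix wildcard (host-minus-last-label.*)."""
    if host in names:
        return host
    labels = host.split(".")
    if len(labels) < 2:
        return None
    for candidate in ("*." + ".".join(labels[1:]), ".".join(labels[:-1]) + ".*"):
        if candidate in names:
            return candidate
    return None


def hosts_without_sni(config):
    """Route hosts reachable over https that no SNI covers; Kong would present
    its default certificate for those, which is what a browser then rejects."""
    names = {s["name"] for c in config.get("certificates", []) if isinstance(c, dict)
             for s in c.get("snis", []) if isinstance(s, dict) and "name" in s}
    missing = []
    for service in config.get("services", []):
        for route in service.get("routes", []):
            # a route without 'protocols' accepts both http and https
            if "https" not in route.get("protocols", ["http", "https"]):
                continue
            missing += [h for h in route.get("hosts", []) if covering_sni(h, names) is None]
    return missing


def with_snis(value):
    """Copy of SAMPLE_CONFIG with the first certificate's snis replaced."""
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    cfg["certificates"][0]["snis"] = value
    return cfg


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, with_snis(["hello.test"]), with_snis("hello.test")):
        print(check_certificates(cfg) or "certificates: ok", hosts_without_sni(cfg))
```

To run it against a real file, load it first (`check_certificates(yaml.safe_load(open("kong.yml")))`); the checks only look at shape and PEM markers, so a config that passes here can still carry a key that does not match its certificate.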

Hi,

I’m using DB-less Kong 1.4 and can’t make it serve the correct certificate for my domain.

In my kong.yaml I have set the certificates object:

certificates:
  - snis:
      - name: mydomain.com
    key: |-
          -----BEGIN PRIVATE KEY-----
          -----END PRIVATE KEY-----
    cert: |-
          -----BEGIN CERTIFICATE-----
          -----END CERTIFICATE-----

And the host is set on the route, as in @narate's example:

services:
  - name: test
    routes:
      - name: test
        paths:
          - /test/
        protocols:
          - https
        hosts:
          - mydomain.com
    url: http://httpbin.org

If I check the Admin API I can see that there is an SNI object, the matching certificate object also exists and the route object also has the matching host set.

However, when I do a request to my service Kong serves a self-signed certificate instead of my domain’s certificate.

Any idea of what I’m doing wrong?

Thank you.

How are you making the request to Kong?

Sorry for the late response.

I was just using the web browser and curl to request https://mydomain.com/test/.
I tried reloading the config with kong reload and it didn’t work, but after restarting Kong’s pod (I’m using Kong inside k8s) and reloading the conf it worked.
I must have been doing something wrong and didn’t realize it :man_shrugging:

I am stuck on a similar problem, and it’s not resolved after following the above.

Following is my declarative.yaml:

_format_version: "2.1"
_transform: true

services:
  - name: re8village
    url: https://www.google.com/search?q=re8village
    routes:
      - paths:
          - /re8village
        methods:
          - GET
          - POST
          - OPTIONS
          - PUT
        hosts:
          - rakib.example.com
        strip_path: true
        protocols:
          - https

certificates:
  - snis:
      - name: rakib.example.com
    cert: |-
      -----BEGIN CERTIFICATE-----
      MIIDVDCCAjygAwIBAgIUA/2se+EA3JOCU04Hp0nbSvQldGIwDQYJKoZIhvcNAQEL
      BQAwPTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5ZMQwwCgYDVQQHEwNOWUMxEzAR
      BgNVBAMTCmxvY2FsLWNlcnQwHhcNMjIxMTIzMjAzNzMyWhcNMzIxMTIzMjAzNzMy
      WjA9MQswCQYDVQQGEwJVUzELMAkGA1UECBMCTlkxDDAKBgNVBAcTA05ZQzETMBEG
      A1UEAxMKbG9jYWwtY2VydDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
      AMmnXr/EeMMSNQRfehTzsAL1TR/E6jcZPZwvvfB7SvGt50eMfwl2H7111SCbFJxH
      pM6yoTfnE4SUHIp9AGU7uTMmt4dWFSGWzi7PSDipwmoJkaKiWvcZLRKF6GePPfo5
      U3NZydvO4gsJvwyejtSFewaSErM3ZTrTLHa2ZRD4Z8aZ+8jPwJhAPW7bHjRIzz1B
      q2hQYpctCdZWQyr2DaDAeRKK+KL0P3c03qB2N0iU+YPp8lNodgsuGetNzGyWuTUT
      5gvSNQhYPEqQoHe5WSYkOyM/NZxWo2qEvAup9zfT1EdlnoN4efsPY0q+5ced33rB
      VdFVgqcXl10C4Qo6KyNCoHMCAwEAAaNMMEowCQYDVR0TBAIwADARBglghkgBhvhC
      AQEEBAMCBPAwCwYDVR0PBAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEF
      BQcDATANBgkqhkiG9w0BAQsFAAOCAQEAoZNxCd8I2sY6ryDybdUH77DmxuyNhA1f
      Y6MbJfD/KWnzKD0rFwmDd1cLjBXS4YT10A9+Zx0CeWX1L4G1BbsSxFi1uUkZin10
      9tGhRukPFZJGO6p5HnBrRDeezD5NmpmSJUW+LR40nEFp79eGSE8gakCkhbRenzW2
      UZEDiNaEs05ktEf3vegkM5a/ybc6QqzSgtoOP2RlE5QhLOno1JG4pSahbzdGsKmo
      P/NToISFhlKs14aFUM6H0148iz9y6+4AdF0cEv53wrLAGM2t92M0OMlNfmcVY5AA
      DLtjudKcSkKXfWoTUN+KcdaxdhzhuqQ1KDegfOZSYrp2pRO7uqohbQ==
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      ....
      MIIEpQIBAAKCAQEAyadev8R4wxI1BF96FPOwAvVNH8TqNxk9nC+98HtK8a3nR4x/
      ....
      -----END RSA PRIVATE KEY-----

However, when I visit rakib.example.com/re8village in the Chrome browser, I get the following error:

This site can’t provide a secure connection

rakib.example.com sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

What am I doing wrong?

Try a contained upstream like this: Docker Hub

I don't know if Google accepts this redirect with a different host.

The configuration seems OK.

You are right. The declarative.yaml configuration was correct for the SSL setup. What I was missing was that I did not open the SSL port in my proxy_listen configuration via the environment variable :man_facepalming:

KONG_PROXY_LISTEN: "0.0.0.0:8080, 0.0.0.0:8443 ssl"

While my non-SSL port was open at 8080, I did not turn on the SSL port. Adding it solved my ERR_SSL_PROTOCOL_ERROR / ERR_CONNECTION_CLOSED problems.

Reference:
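The fix in this last post is a listener problem, not a certificate problem: with no proxy_listen entry carrying the `ssl` flag, Kong has no TLS port on which to present any certificate, so a browser talking TLS to the plain port (or to a closed one) reports ERR_SSL_PROTOCOL_ERROR or a closed connection. As an added example (not Kong's own code or this thread's), the Python below parses a proxy_listen value such as the KONG_PROXY_LISTEN string above, lists the ports that actually terminate TLS, and flags a config whose https-only routes or certificates have no TLS listener to land on. The config and listen strings it uses are constructed; the function and variable names are this example's own.

```python
"""Check that Kong's proxy_listen actually opens a TLS listener before
suspecting the certificates. Added example, not Kong's own code. The config
and listen strings below are constructed (same shape as declarative.yaml
above; the KONG_PROXY_LISTEN env var simply sets proxy_listen)."""
import os

SAMPLE_CONFIG = {  # constructed, mirrors the https-only route in the thread
    "_format_version": "2.1",
    "services": [{
        "name": "re8village",
        "url": "https://www.google.com/search?q=re8village",
        "routes": [{"paths": ["/re8village"], "hosts": ["rakib.example.com"],
                    "strip_path": True, "protocols": ["https"]}],
    }],
    "certificates": [{"snis": [{"name": "rakib.example.com"}],
                      "cert": "-----BEGIN CERTIFICATE-----\n...constructed...",
                      "key": "-----BEGIN RSA PRIVATE KEY-----\n...constructed..."}],
}


def parse_proxy_listen(value):
    """Parse a proxy_listen value ("addr:port flag..., addr:port flag...")
    into (address, port, flags) tuples. "off" yields no listeners; an IPv6
    address such as [::]:8443 is split on its last colon."""
    listeners = []
    if value.strip().lower() == "off":
        return listeners
    for item in value.split(","):
        parts = item.split()
        if not parts:
            continue
        address, _, port = parts[0].rpartition(":")
        listeners.append((address, int(port), frozenset(parts[1:])))
    return listeners


def tls_ports(proxy_listen):
    """Ports on which Kong will terminate TLS: listeners carrying 'ssl'."""
    return sorted(port for _, port, flags in parse_proxy_listen(proxy_listen)
                  if "ssl" in flags)


def https_only_routes(config):
    """Identify routes whose protocols list allows only https, by name or,
    for unnamed routes like the one above, by their first host."""
    found = []
    for service in config.get("services", []):
        for route in service.get("routes", []):
            protocols = set(route.get("protocols", ["http", "https"]))
            if protocols == {"https"}:
                found.append(route.get("name") or route.get("hosts", ["?"])[0])
    return found


def listener_problems(proxy_listen, config):
    """[] when the listeners can serve the config; otherwise the reasons a
    browser ends up with ERR_SSL_PROTOCOL_ERROR / ERR_CONNECTION_CLOSED."""
    problems = []
    ports = tls_ports(proxy_listen)
    need_tls = https_only_routes(config)
    if need_tls and not ports:
        problems.append(f"routes {need_tls} accept only https, but no "
                        "proxy_listen entry carries the 'ssl' flag")
    if config.get("certificates") and not ports:
        problems.append("certificates are configured but there is no TLS "
                        "listener on which Kong could present them")
    return problems


if __name__ == "__main__":
    # constructed default; a real container would read KONG_PROXY_LISTEN
    listen = os.environ.get("KONG_PROXY_LISTEN", "0.0.0.0:8080")
    print(tls_ports(listen), listener_problems(listen, SAMPLE_CONFIG) or "ok")
```

Running it with KONG_PROXY_LISTEN="0.0.0.0:8080" reproduces the situation in the post (no TLS port, two problems reported); with the corrected value "0.0.0.0:8080, 0.0.0.0:8443 ssl" it reports port 8443 and no problems.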