[Kong Data Plane] Unable to verify the first certificate - Self Signed Certificate

Hi,

I am trying to set up Kong Enterprise (Free Mode) in my development environment using a self-signed SSL certificate. During data plane deployment it gives me the error below:

2024/04/09 00:53:50 [error] 2420#0: *1581 [lua] telemetry.lua:224: connection to control plane wss://kong-cp-kong-clustertelemetry.kong.svc.cluster.local:8006/v1/ingest?node_id=b0ac1066-414f-461f-8dab-1cacdda6c7a6&node_hostname=kong-dp-kong-8ff7674dd-4pwsr&node_version=3.6.1.2 broken: ssl handshake failed: 21: unable to verify the first certificate retrying after 10 seconds. please check configs "cluster_telemetry_endpoint", "cluster_telemetry_server_name", "cluster_server_name" or "cluster_mtls"., context: ngx.timer

I have read somewhere that for a self-signed SSL certificate we need to disable SSL verification on the data plane. How do we achieve this when deploying in Kubernetes?

My control plane configuration is as follows:

# Do not use Kong Ingress Controller
ingressController:
  enabled: false
image:
  repository: kong/kong-gateway
  tag: "3.6.1.2"

# Mount the secret created earlier
secretVolumes:
  - kong-tls

env:
  # This is a control_plane node
  role: control_plane
  # These certificates are used for control plane / data plane communication
  cluster_cert: /etc/secrets/kong-tls/tls.crt
  cluster_cert_key: /etc/secrets/kong-tls/tls.key

  # Database
  # CHANGE THESE VALUES
  database: postgres
  pg_database: kong
  pg_user: kong
  pg_password: mypassword
  pg_host: kong-cp-postgresql.kong.svc.cluster.local
  pg_ssl: "on"

  # Kong Manager password
  password: mypassword

# Enable enterprise functionality
enterprise:
  enabled: false
  license_secret: kong-enterprise-license

# The control plane serves the Admin API
admin:
  enabled: true
  http:
    enabled: true

# Clustering endpoints are required in hybrid mode
cluster:
  enabled: true
  tls:
    enabled: true

clustertelemetry:
  enabled: true
  tls:
    enabled: true

# Optional features
manager:
  enabled: true

# These roles will be served by different Helm releases
proxy:
  enabled: false
postgresql:
  enabled: true
  auth:
    password: mypassword

My data plane config is as follows:

ingressController:
  enabled: false
image:
  repository: kong/kong-gateway
  tag: "3.6.1.2"

# Mount the secret created earlier
secretVolumes:
  - kong-tls

env:
  # data_plane nodes do not have a database
  role: data_plane
  database: "off"

  # Tell the data plane how to connect to the control plane
  cluster_control_plane: kong-cp-kong-cluster.kong.svc.cluster.local:8005
  cluster_telemetry_endpoint: kong-cp-kong-clustertelemetry.kong.svc.cluster.local:8006

  # Configure control plane / data plane authentication
  lua_ssl_trusted_certificate: /etc/secrets/kong-tls/tls.crt
  cluster_cert: /etc/secrets/kong-tls/tls.crt
  cluster_cert_key: /etc/secrets/kong-tls/tls.key

# Enable enterprise functionality
enterprise:
  enabled: true
  license_secret: kong-enterprise-license

# The data plane handles proxy traffic only
proxy:
  enabled: true

# These roles are served by the kong-cp deployment
admin:
  enabled: false

manager:
  enabled: false

Am I doing something wrong, or is there a way to deploy Kong for a dev environment using a self-signed SSL cert?

To add more context, below is my manifest for certificates:

$ more kong-certs.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kong-ca
  namespace: kong
spec:
  isCA: true
  commonName: kong-ca
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-issuer
  namespace: kong
spec:
  ca:
    secretName: root-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kong-gateway
  namespace: kong
spec:
  secretName: kong-tls
  duration: 2160h
  renewBefore: 360h
  subject:
    organizations:
      - HomeLab
  isCA: false
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  usages:
    - server auth
    - client auth
  commonName: kong.homelab.int
  dnsNames:
    - kong.homelab.int
  issuerRef:
    name: ca-issuer
    kind: Issuer

Any help please. I have been stuck with this issue for the past 4 days and need help.

I managed to resolve this issue; it looks like something is wrong with my certificate. I created the SSL cert and key using openssl, passed them to the pods, and everything started to work fine.

I need to take a deeper look at how cert-manager generates SSL certs.
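The follow-up above contrasts a cert-manager-issued certificate with one made by hand with openssl. As an added example (not part of the original thread), the script below rebuilds both shapes and runs the two checks the log line points at: whether the presented certificate chains to the file used as trust anchor, and whether its SAN covers the cluster hostname. The CA and leaf are constructed to mirror the posted manifest (kong-ca issuing kong-gateway with SAN kong.homelab.int); the hostnames are taken from the posted data plane config.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: rebuild the trust-anchor check that
# fails with "unable to verify the first certificate", using openssl only.
# Constructed material: a CA and leaf shaped like the posted cert-manager
# manifest (kong-ca -> kong-gateway, SAN kong.homelab.int) and a hand-rolled
# self-signed cert; the hostnames are the ones in the posted data-plane config.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# CA as kong-ca is declared: ECDSA P-256, isCA true (a self-signed root).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout ca.key -out ca.crt -days 3650 -subj "/CN=kong-ca" 2>/dev/null

# Leaf as kong-gateway is declared: RSA 2048, server+client auth, issued by the CA.
# This is the shape of tls.crt in the kong-tls secret (cert-manager's CA issuer
# also writes the issuing CA into that secret as ca.crt).
openssl req -newkey rsa:2048 -nodes -keyout tls.key -out tls.csr \
  -subj "/O=HomeLab/CN=kong.homelab.int" 2>/dev/null
printf '%s\n' 'basicConstraints=CA:FALSE' 'extendedKeyUsage=serverAuth,clientAuth' \
  'subjectAltName=DNS:kong.homelab.int' > leaf.ext
openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 90 -extfile leaf.ext -out tls.crt 2>/dev/null

# Self-signed cert, as a plain "openssl req -x509" run produces.
openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.crt \
  -days 90 -subj "/CN=kong.homelab.int" 2>/dev/null

# verify_with ANCHOR CERT: succeeds only if CERT chains to ANCHOR. This is the
# requirement on the file named in lua_ssl_trusted_certificate: OpenSSL does not
# accept a CA-issued leaf as its own anchor, but it does accept a self-signed one.
verify_with() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# matches_host CERT NAME: succeeds if CERT's SAN/CN covers NAME. A mismatch is
# what cluster_server_name / cluster_telemetry_server_name exist to bridge.
matches_host() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match'; }

for pair in "tls.crt tls.crt" "ca.crt tls.crt" "self.crt self.crt"; do
  set -- $pair
  if verify_with "$1" "$2"; then r=OK; else r=FAIL; fi
  echo "trust anchor=$1 presented cert=$2 -> $r"
done
for name in kong.homelab.int kong-cp-kong-clustertelemetry.kong.svc.cluster.local; do
  if matches_host tls.crt "$name"; then r="covered by SAN"; else r="not in SAN"; fi
  echo "$name -> $r"
done
```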
