mTLS Setup returns 'TLS certificate failed verification'

I can’t seem to find what is wrong with my mTLS setup:

Firstly using HTTPS for traffic:

  1. I have a private and public key created for my Kong Enterprise server, as well as the CA (DigiCert) certificates which issued the keys
  2. Using Kong Manager and the Certificates menu option, I add my public/private keys in the Certificates tab, and CA certificates in the CA Certificates tab.
  3. I use the SNI menu to create an SNI entry with my Kong server as the SNI name, and link this to the uploaded certificate defined in the previous step

Using Postman, I can make an HTTPS API request, and I see that this works well. The certificate returned by Kong is no longer the default self-signed cert, and this is accepted by Postman.

Now I want to set up mTLS…

  • I add the mTLS plugin, and specify the CA Certificate IDs from the ones entered in #2 above. These are the intermediary and root CAs which signed the server’s keys.
  • I set up my Postman client with the same private/public and CA certs used in #1/#2 above and make another call.

Kong returns “TLS certificate failed verification”, which the documentation says means the certificate presented by the client could not be verified or has expired. I know it has not expired, and the certificate presented from the Postman client has been issued by the CAs’ certs I have entered in the plug-in.

So I do not know where to go from here.

Steve

Hi Steve, did you try to use this same DigiCert TLS certificate for mTLS? (Personally I never did that, but it might work.)

If so, I don’t see you creating a consumer object. Did you create a consumer with a username that matches the DigiCert certificate CN?

You should also get more information from the debug log.

Hi
Thanks for this. Yes, using the same DigiCert TLS cert for mTLS should work.

You are correct: I did not set up a consumer object. I did not think this was required, and obviously missed that. After setting up a consumer with name = the CN of the certificate, my mTLS seems to work just fine.

Thank you very much!!
Steve
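The thread above boils down to two conditions a client certificate has to meet before Kong's mTLS plugin will accept it: it must chain to the CA certificates configured in the plugin (root and intermediate), and its CN must match a consumer's username. The script below is an added example, not code from the thread or from Kong: it builds a throwaway PKI with the openssl CLI (a constructed root CA, intermediate CA, client certificate with CN `steve-client`, and an unrelated CA), then runs both checks offline so you can see the "failed verification" case reproduced with the wrong or an incomplete CA set, and read off the CN the consumer needs. The function names and certificate names are all assumptions for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Kong. Reproduces offline
# the two things a client certificate must satisfy in the setup described:
#   1. it must chain to the CA certificates configured in the mTLS plugin
#      (root AND intermediate), otherwise the handshake ends in
#      "TLS certificate failed verification";
#   2. its CN must equal the username of a Kong consumer.
# Everything below is constructed: a throwaway root CA, an intermediate CA,
# a client certificate issued by the intermediate, and an unrelated CA that
# stands in for "uploaded the wrong CA". Needs only the openssl CLI.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build the throwaway PKI in $WORK.
gen_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$WORK/client.ext"

  # Root CA: self-signed.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
      -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA: signed by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
      -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null

  # Client certificate: issued by the intermediate. Its CN ("steve-client",
  # constructed) is what the consumer username in Kong has to match.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=steve-client" \
      -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
      -CAcreateserial -days 2 -extfile "$WORK/client.ext" -out "$WORK/client.pem" 2>/dev/null

  # Unrelated CA: never signed anything in this chain.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Some Other CA" \
      -keyout "$WORK/other.key" -out "$WORK/other.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/other.csr" -signkey "$WORK/other.key" -days 2 \
      -extfile "$WORK/ca.ext" -out "$WORK/other.pem" 2>/dev/null
}

# Check 1: does the client certificate verify against a given set of CA
# certificates, the way a TLS server trusting exactly that set would?
# Usage: verify_client_cert CLIENT.pem CA1.pem [CA2.pem ...]; prints ok|failed.
verify_client_cert() {
  client="$1"; shift
  cat "$@" > "$WORK/bundle.pem"
  if openssl verify -CAfile "$WORK/bundle.pem" -purpose sslclient "$client" >/dev/null 2>&1; then
    echo ok
  else
    echo failed
  fi
}

# Check 2: the CN the client certificate presents.
client_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

gen_pki
echo "client CN (consumer username must match): $(client_cn "$WORK/client.pem")"
echo "root + intermediate in trust set: $(verify_client_cert "$WORK/client.pem" "$WORK/root.pem" "$WORK/int.pem")"
echo "root only (intermediate missing):  $(verify_client_cert "$WORK/client.pem" "$WORK/root.pem")"
echo "unrelated CA:                      $(verify_client_cert "$WORK/client.pem" "$WORK/other.pem")"
```

Run the same two checks against your real client certificate and the PEM files you uploaded as CA certificates: if `openssl verify` already fails with only the root in the bundle, the plugin needs the intermediate's ID as well; if it passes, the remaining thing to compare is the printed CN against the consumer username, which is where the thread's fix landed.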


© 2019 Kong Inc.