self signed certificate in certificate chain when executing kong migrations for the first time


jash...@gmail.com

Dec 5, 2017, 3:28:00 PM
to Kong
Hi,
We have a cassandra multi node installed with ssl enabled.
When we attempt the 'kong migrations up', we get the error:

Error:
/usr/local/share/lua/5.1/kong/cmd/migrations.lua:34: [cassandra error] could not find coordinator: all hosts tried for query failed. my.server.com: SSL handshake: 19: self signed certificate in certificate chain. my.server.com: SSL handshake: 19: self signed certificate in certificate chain. my.server.com: SSL handshake: 19: self signed certificate in certificate chain
stack traceback:
        [C]: in function 'assert'

Is this a problem because kong doesn't like self-signed certs being present in the cassandra trust chain?

This is our kong.conf: (don't pay any attention to the server names, I made them up)
admin_listen = 127.0.0.1:13081
admin_ssl = off
cassandra_consistency = LOCAL_QUORUM
cassandra_contact_points = my016.server.com,my017.server.com,my018.server.com
cassandra_data_centers = DC1:2,DC2:2
cassandra_keyspace = gw
cassandra_lb_policy = DCAwareRoundRobin
cassandra_local_datacenter = DC2
cassandra_password = xxxxxx
cassandra_port = 10012
cassandra_repl_strategy = NetworkTopologyStrategy
cassandra_ssl = on
cassandra_ssl_verify = on
cassandra_username = user
database = cassandra
db_update_propagation = 180
log_level = debug
lua_ssl_trusted_certificate = /opt/app/myserver/apps/gw/certs/CA.crt
lua_ssl_verify_depth = 1
nginx_user = nginxuser
prefix = /opt/app/myserver/apps/gw
proxy_listen = 127.0.0.1:13080
proxy_listen_ssl = myserver.com:13443
ssl_cert_key = /opt/app/myserver/apps/lmsgw/certs/MYKEY.key
ssl_cert = /opt/app/myserver/apps/gw/certs/MYPEMCERT.cer


Thanks for any ideas you may have!

Thibault Charbonnier

Dec 8, 2017, 1:44:49 AM
to kong...@googlegroups.com
Hi,

Have you set the Certificate Authority of your self-signed certificate
in the lua_ssl_trusted_certificate property?

https://github.com/Kong/kong/blob/0.11.2/kong.conf.default#L471-L476


By the way, we recently deprecated the usage of this mailing list, and
launched our forum, Kong Nation, at:

https://discuss.konghq.com/

We believe you will get better support there over time and hope for it
to grow into a searchable knowledge base for the community :)

Best,
Thibault
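
The check the reply above points at, as an added example that is not part of the original thread: it uses the openssl CLI to build a constructed CA and server certificate, then shows that verification fails with error 19 when the trust file (the role lua_ssl_trusted_certificate plays in kong.conf) does not contain the self-signed CA the server sends, and succeeds when it does. All subjects, file names and the helper functions verify_with and verify_code are assumptions made for the illustration.

```shell
# Added example: reproduce OpenSSL verify error 19 with constructed certificates.
# Every name and path below is constructed; nothing here comes from the thread.
work=$(mktemp -d)

# Constructed CA that signs the server certificate (stand-in for the Cassandra CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Cassandra CA" \
  -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
# Unrelated constructed CA (stand-in for a trust file holding the wrong certificate).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Other CA" \
  -keyout "$work/other.key" -out "$work/other.crt" 2>/dev/null
# Server (leaf) certificate issued by the first CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=node.example.test" \
  -keyout "$work/node.key" -out "$work/node.csr" 2>/dev/null
openssl x509 -req -in "$work/node.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
  -CAcreateserial -days 1 -out "$work/node.crt" 2>/dev/null

# verify_with TRUSTFILE: validate the leaf the way a TLS client would when the
# server sends leaf + self-signed CA (-untrusted) and only TRUSTFILE is trusted.
verify_with() {
  openssl verify -CAfile "$1" -untrusted "$work/ca.crt" "$work/node.crt" 2>&1
}

# verify_code TRUSTFILE: print the OpenSSL error number, or 0 if the chain verifies.
verify_code() {
  if vc_out=$(verify_with "$1"); then
    echo 0
    return
  fi
  printf '%s\n' "$vc_out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1
}

echo "trust file without the signing CA: error $(verify_code "$work/other.crt")"
echo "trust file with the signing CA   : error $(verify_code "$work/ca.crt")"
```

Against a live node, the equivalent check is to run `openssl s_client -connect <host>:<port> -CAfile <trust file> -showcerts` and compare the last certificate shown with the contents of the trust file.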