Re: SSL by Admin API VS SSL by kong.conf


Thibault Charbonnier

Nov 21, 2017, 12:25:44 PM
to kong...@googlegroups.com
Hi,

It is likely that your client is not sending the appropriate SNI during
the client hello phase. Make sure that the following returns your
configured certificate:

openssl s_client -servername <sni> -connect <kong_ip>:8443

In the absence of a recognized SNI, Kong is serving the default SSL
certificate which, in your case, is the self-signed, auto-generated one
(since you did not specify one in kong.conf).

Regards,
Thibault

On 11/21/17 7:32 AM, geoffroy vibrac wrote:
> Hi,
>
> I try to add a certificate (generated with Let's Encrypt) with the API. I
> perform a POST to /certificates and it's OK, the GET sends me the cert
> and the key I sent before.
>
> But https doesn't work... I have an ERR_CERT_AUTHORITY_INVALID because
> nginx sends me another certificate (autosigned one)
>
> I didn't update my kong.conf file so ssl_cert & ssl_cert_key are empty.
>
> Have I forgotten something?
>
> Thanks
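
Added example, not part of the original thread and not Kong's own code: a scripted version of the openssl s_client check from the reply above. It compares the certificate served with the SNI, the certificate served without any SNI, and the PEM that was uploaded. The script name check_sni.py, the function names and the verdict strings are assumptions made for this illustration.

```python
import hashlib
import socket
import ssl
import sys

PEM_END = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first (leaf) certificate in a PEM file or full chain."""
    leaf = pem_text.strip().split(PEM_END)[0] + PEM_END
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(leaf)).hexdigest()


def served_fingerprint(host, port, sni=None, timeout=5.0):
    """SHA-256 of the certificate presented for `sni` (None sends no SNI)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # inspection only: the certificate is
    ctx.verify_mode = ssl.CERT_NONE  # compared by fingerprint, not trusted
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def diagnose(expected, with_sni, without_sni):
    """Classify what the proxy served for the SNI under test."""
    if with_sni == expected:
        return "ok"            # the uploaded certificate is served for this SNI
    if with_sni == without_sni:
        return "default-cert"  # SNI not recognized: fallback certificate served
    return "other-cert"        # SNI matched, but a different certificate


if __name__ == "__main__":
    # Usage: check_sni.py <kong_ip> <port> <sni> <cert.pem>
    host, port, sni, pem_path = sys.argv[1:5]
    with open(pem_path) as fh:
        expected = pem_fingerprint(fh.read())
    verdict = diagnose(expected,
                       served_fingerprint(host, int(port), sni),
                       served_fingerprint(host, int(port)))
    print(f"{sni}: {verdict}")
    sys.exit(0 if verdict == "ok" else 1)
```

A "default-cert" verdict corresponds to the situation described in the reply: the SNI was not recognized and the fallback certificate was served.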