I'm running into an SSL/TLS termination problem on the Kong API gateway. HTTPS requests made with curl and Insomnia get the response "SSL certificate problem: unable to get local issuer certificate". The certificate is valid and was issued by a well-known authority, so the CA certificate is already in the list of CAs known to the client. In the browser, HTTPS requests work fine.
I am using Kong version 2.7.1.
The docker-compose.yaml is configured as follows:
kong:
  image: kong:2.7.1
  container_name: kong-api-gw
  restart: always
  networks:
    kong-net:
      ipv4_address: 172.16.1.11
  volumes:
    - kong-volume:/etc/kong
    - kong-volume-conf:/usr/local/kong
  environment:
    KONG_DATABASE: postgres
    KONG_PG_HOST: kong-database
    KONG_PG_DATABASE: kong
    KONG_PG_USER: ${KONG_PG_USER}
    KONG_PG_PASSWORD: ${KONG_PG_PASSWORD}
    KONG_PROXY_LISTEN: 0.0.0.0:8000, 0.0.0.0:8443 ssl
    KONG_ADMIN_LISTEN: 0.0.0.0:8001, 0.0.0.0:8444 ssl
    KONG_SSL: "on"
    KONG_SSL_CERT: /etc/kong/ssl/kong.crt
    KONG_SSL_CERT_KEY: /etc/kong/ssl/kong.key
    KONG_PROXY_ACCESS_LOG: /dev/stdout
    KONG_PROXY_ERROR_LOG: /dev/stdout
  depends_on:
    - kong-database
  healthcheck:
    test: ["CMD", "kong", "health"]
    interval: 10s
    timeout: 10s
    retries: 10
  ports:
    - "8000:8000"
    - "8001:8001"
    - "8443:8443"
    - "8444:8444"
  deploy:
    resources:
      limits:
        cpus: "2"
        memory: "4000M"
  logging:
    driver: "json-file"
    options:
      max-file: "3"
      max-size: "10M"

I added the certificate using the Admin API and Konga; I tried pem and crt, both of them.
curl -X POST http://127.0.0.1:8001/certificates -H 'Content-Type: multipart/form-data' -F cert=@./kong.pem -F key=@./kong.key -F snis[]=example.com

In the docker container I put mycert.crt and mycert.key into /etc/kong/ssl/, but nothing helped, and there are no errors in the logs.
Response to a GET request to https://example.com:8444/certificates (with SSL verification disabled in Insomnia):
{
  "data": [
    {
      "key_alt": null,
      "created_at": 1650871124,
      "cert_alt": null,
      "key": "-----BEGIN RSA PRIVATE KEY-----\cert-key-example\n-----END RSA PRIVATE KEY-----",
      "id": "7ebdca61-4598-4e17-bdf8-2239c41ce09b",
      "tags": null,
      "snis": [
        "example.com"
      ],
      "cert": "-----BEGIN CERTIFICATE-----\cert-example\n-----END CERTIFICATE-----"
    }
  ],
  "next": null
}

curl example:
curl -i -v https://example.com:8443/api
* Trying ip:8443...
* TCP_NODELAY set
* Connected to example.com (ip) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Posted on 2022-05-04 07:34:36
This is not an issue, I figured it out: Kong needs more than just the crt certificate. So you need to combine the root certificate and the intermediate certificates. These files, together with your server certificate (issued specifically for your domain), complete the SSL trust chain. In the end I used the Kong Admin API to upload the certificate, either via Konga or with a POST request like:
curl -X POST \
http://example.com:8001/certificates \
-H 'Content-Type: multipart/form-data' \
-F cert=@./kong.ca-bundle \
-F key=@./kong.key \
-F snis[]=example.com

https://stackoverflow.com/questions/71998636
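The fix comes down to uploading the full chain, in the order the server must present it (leaf first, then each intermediate, then the root). As an added example that is not from the original post or from Kong, here is a small POSIX shell helper (it assumes `openssl` and `awk` are installed; the file names are placeholders) that assembles such a bundle and refuses it when intermediates are missing or an adjacent pair does not link up, so the problem is caught before the `-F cert=@...` upload rather than by clients failing with "unable to get local issuer certificate".

```shell
#!/bin/sh
# Added helper (not from the original post or from Kong): assemble the PEM bundle that
# Kong's "cert" field should receive and check its order before uploading it.

# Split a PEM bundle ($1) into one file per certificate under directory $2.
split_pem_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
  ' "$1"
}

# Return 0 when bundle $1 holds at least two certificates and each one is issued by
# the certificate that follows it (leaf first, then intermediates, then root).
check_chain_order() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  if [ "$n" -lt 2 ]; then
    echo "$1: only $n certificate(s); the intermediate chain is missing" >&2
    return 1
  fi
  tmp=$(mktemp -d)
  split_pem_bundle "$1" "$tmp"
  prev=""
  for c in "$tmp"/cert-*.pem; do
    if [ -n "$prev" ]; then
      issuer=$(openssl x509 -in "$prev" -noout -issuer)
      subject=$(openssl x509 -in "$c" -noout -subject)
      # openssl prints "issuer=<name>" and "subject=<name>"; strip the labels and compare
      if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
        echo "$1: certificate $(basename "$prev") is not issued by the one after it" >&2
        rm -rf "$tmp"
        return 1
      fi
    fi
    prev=$c
  done
  rm -rf "$tmp"
  return 0
}

# Usage: build_bundle out.pem leaf.pem intermediate.pem [...] root.pem
build_bundle() {
  out=$1
  shift
  cat "$@" > "$out"
  check_chain_order "$out"
}
```

Run `build_bundle kong.ca-bundle kong.crt intermediate.crt root.crt` before the POST above; matching names proves ordering but not signatures, so `openssl verify -CAfile root.crt -untrusted kong.ca-bundle kong.crt` is the complementary check.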