Skip to content
This repository was archived by the owner on Jan 10, 2020. It is now read-only.
This repository was archived by the owner on Jan 10, 2020. It is now read-only.

Kong sometimes doesn't pick up SNIs setting when uploading certs from edgexproxy #71

Description

@anonymouse64

Sometimes, especially on slower hardware in the snap distribution of EdgeX, Kong will not pick up the SNIs setting that we use to specify what certificates Kong should serve for which routes.

Kong uses the certificates uploaded to it with the SNIs objects to determine what ssl certs to serve when presented with a given request. The Host parameter that the client request has is used as what SNI to use with the response, meaning that AFAICT we need to define the SNIs for the certificate that is uploaded to Kong from edgexproxy. See:

body := &CertInfo{
Cert: cert,
Key: key,
Snis: []string{config.SecretService.SNIS},
}
lc.Info("Trying to upload cert to proxy server.")
req, err := sling.New().Base(url).Post(CertificatesPath).BodyForm(body).Request()
resp, err := c.Do(req)

From the Admin API docs for Kong @ https://docs.konghq.com/1.0.x/admin-api/#certificate-object specifying the "snis" key in the object we upload to the /certificates endpoint is supposed to be sufficient for this, however sometimes it seems that the SNIs parameter is ignored. This seems to be a common problem with Kong upstream, see for example Kong/kong#4235 and Kong/kong#3610 and Kong/kong#4069

My proposed fix that I have confirmed seems to be more reliable than using the multipart form is to use JSON in the body post

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions