fix: correct the validation for ssl_trusted_certificate (#3832)

Signed-off-by: spacewander <[email protected]>
apache · Mar 16, 2021 · 0c1b208 · 0c1b208
1 parent 7047932
commit 0c1b208
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 3 deletions.
diff --git a/apisix/cli/ops.lua b/apisix/cli/ops.lua
@@ -22,6 +22,7 @@ local ngx_tpl = require("apisix.cli.ngx_tpl")
 local profile = require("apisix.core.profile")
 local template = require("resty.template")
 local argparse = require("argparse")
+local pl_path = require("pl.path")
 
 local stderr = io.stderr
 local ipairs = ipairs
@@ -260,10 +261,18 @@ Please modify "admin_key" in conf/config.yaml .
     end
 
     if yaml_conf.apisix.ssl.ssl_trusted_certificate ~= nil then
-        local ok, err = util.is_file_exist(yaml_conf.apisix.ssl.ssl_trusted_certificate)
+        local cert_path = yaml_conf.apisix.ssl.ssl_trusted_certificate
+        -- During validation, the path is relative to PWD
+        -- When Nginx starts, the path is relative to conf
+        -- Therefore we need to check the absolute version instead
+        cert_path = pl_path.abspath(cert_path)
+
+        local ok, err = util.is_file_exist(cert_path)
         if not ok then
             util.die(err, "\n")
         end
+
+        yaml_conf.apisix.ssl.ssl_trusted_certificate = cert_path
     end
 
     local admin_api_mtls = yaml_conf.apisix.admin_api_mtls

diff --git a/bin/apisix b/bin/apisix
@@ -44,11 +44,11 @@ if [[ -e $OR_EXEC && "$OR_VER" =~ "1.19" ]]; then
 
     # use the luajit of openresty
     echo "$LUAJIT_BIN $APISIX_LUA $*"
-    $LUAJIT_BIN $APISIX_LUA $*
+    exec $LUAJIT_BIN $APISIX_LUA $*
 elif [[ "$LUA_VERSION" =~ "Lua 5.1" ]]; then
     # OpenResty version is not 1.19, use Lua 5.1 by default
     echo "lua $APISIX_LUA $*"
-    lua $APISIX_LUA $*
+    exec lua $APISIX_LUA $*
 else
     echo "ERROR: Please check the version of OpenResty and Lua, OpenResty 1.19 and Lua 5.1 are recommended before install Apache APISIX."
 fi
diff --git a/rockspec/apisix-master-0.rockspec b/rockspec/apisix-master-0.rockspec
@@ -65,6 +65,7 @@ dependencies = {
     "luasocket = 3.0rc1-2",
     "luasec = 0.9-1",
     "lua-resty-consul = 0.3-2",
+    "penlight = 1.9.2-1",
 }
 
 build = {

diff --git a/t/cli/test_validate_config.sh b/t/cli/test_validate_config.sh
@@ -33,3 +33,17 @@ if ! echo "$out" | grep 'dns_resolver_valid should be a number'; then
 fi
 
 echo "passed: dns_resolver_valid should be a number"
+
+echo '
+apisix:
+  ssl:
+    ssl_trusted_certificate: t/certs/mtls_ca.crt
+' > conf/config.yaml
+
+out=$(make run 2>&1)
+if echo "$out" | grep 'no such file'; then
+    echo "failed: find the certificate correctly"
+    exit 1
+fi
+
+echo "passed: find the certificate correctly"