Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssl api request error #10063

Closed
githubxubin opened this issue Aug 21, 2023 · 13 comments
Closed

ssl api request error #10063

githubxubin opened this issue Aug 21, 2023 · 13 comments
Assignees
@jiangfucheng
Labels
bug Something isn't working

Comments

@githubxubin
Copy link

Description

When I used the ssl API to add a certificate, I couldn't get the correct expiration time

my step:
1.curl api interface:

curl http://127.0.0.1:9080/apisix/admin/ssl -H "X-API-KEY: edd1c9f034335f136f87ad84b625c8f1" -X POST -i -d '
{
   "cert": "-----BEGIN CERTIFICATE-----\nMIIDLjCCAhagAwIBAgIIXBaJLvc+UdowDQYJKoZIhvcNAQELBQAwJzELMAkGA1UE\nBhMCQ04xGDAWBgNVBAMTD3lhbmdjb25nLmNvbS5jbjAeFw0yMzA0MTAwNjU0MjJa\nFw0yNDA0MTAwNjU0MjJaMCcxCzAJBgNVBAYTAkNOMRgwFgYDVQQDEw95YW5nY29u\nZy5jb20uY24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXl25NtBB7\noPXgwPDaTNN8FvkcUMNXUovNF7mxtOpfk2yi7+zZugqvK46nqEVjZ0b0ygtZUhTR\nD6bacvZfLNS09CBl3ukOGSRWIfmQzdTg7TQfiBNh10jIsQRQY+XmR1rHJGwHPL0V\nx17QznDBE1dGv2KxeK+OXw6Kb7/mNlfBBh+BVLPrpe384qqqM8yRHtt+PIPtG+tn\nzI37zigM60/cA3riANY8YkYCxBaGcQj99s+uqmZzb2OwURZ4LurZryxG0Ih7D6jv\niRyFhX8usyvd63RhbUNiHI/PQ5UCWzSx4+5Rsj18R7DS0ekpaPRYxh39px5wDqay\newEinSixdg39AgMBAAGjXjBcMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH/MB0GA1UdDgQWBBSFbdS2nxOjbqSDcVvQNaiAEmo88zAaBgNVHREEEzARgg95\nYW5nY29uZy5jb20uY24wDQYJKoZIhvcNAQELBQADggEBABkclp6cfSFJT7vI6Ynx\nOEwPnF5NvKLbIooEfxgVgdjgK5rTxuS+p9P17zrJGRC0VDCQ6K/ZwX0c4sd400o+\nUiP4G5VzVc3RWR33KIjPepwPSKl23yb3tI2fQWEat+9ZA5kCKCRSG7hE77C9n5uK\niSK9h2V4pX989ZKLqlxjnFVbo0i4iqR5yadqp6fDVXfyW488PdTMm1k4+M0sxscc\nWaZw4EjB+TXfzu7DT0PqVFTb1THkzofmfXJwx3FUxX8wKkDcQtURZ9d+85OocI2W\nKOhFkNSO4GwtCWWcNpz6jHjKKVQ/aEzchI2Y4qHr1au1n4uUsXN7NNwLpt7gQ8aD\n7Ys=\n-----END CERTIFICATE-----",
"key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEA15duTbQQe6D14MDw2kzTfBb5HFDDV1KLzRe5sbTqX5Nsou/s\n2boKryuOp6hFY2dG9MoLWVIU0Q+m2nL2XyzUtPQgZd7pDhkkViH5kM3U4O00H4gT\nYddIyLEEUGPl5kdaxyRsBzy9Fcde0M5wwRNXRr9isXivjl8Oim+/5jZXwQYfgVSz\n66Xt/OKqqjPMkR7bfjyD7RvrZ8yN+84oDOtP3AN64gDWPGJGAsQWhnEI/fbPrqpm\nc29jsFEWeC7q2a8sRtCIew+o74kchYV/LrMr3et0YW1DYhyPz0OVAls0sePuUbI9\nfEew0tHpKWj0WMYd/acecA6msnsBIp0osXYN/QIDAQABAoIBAFyQLdG63+DUqPzI\nmiCAH8UFcAtSOayCSnfSGe5MiNxkRZ5neL+6et/eya7+NlyJeROcs+azsTBZkf/0\noAcZDnJq5oYWgOWGse0xRR+A4Ed6UIjBOeEmN5/DMOD7IzgNptIdtywcTerN4M2x\n9QNQtIYxocQk1us/sNSLSk8jQeYjWyI3oOSBtxYpnu8uOiS/uikOhFqWu2Hf3Am9\nTYBTM+Qc7ciUdB9csxysgEJIwwFrQBwPBej+VqoxoWBR7LlqY9ebys6rlv6+YQM5\nwUkd9H5qMGhuXj9SppkVjy79bCd4W64dP9gvGJdkj/hVVH7NuXIzybwGVfCjt1fF\nOVGKDFkCgYEA7KfLOQIqfDUTj6uz6OvbDcvMy3PZPMnNItkzUny+DvA7gu0nuMLv\nGcWxMRp4zIdae7Sp5+H6tedYri5UrUuChGWnO4np9XsLDf67fX/S5U5SUrYC4z74\nljb8fdgNgrUfdW+4q1Yb7c3ToJw8g1UIizfnsuqqU1gT+72gz2mzw4MCgYEA6Tbb\niL1jP1ebF1j+/qO80SpS6/Cweiuyd+BEoNpIZm3kvMmTZlVAIO0kZGxFDFCiGbga\nkdHGyE9dEl4FIx9eX8THYkge5hLJECGhXsQeJUuTPyjjaM0n9evxDqT+bEUu2pv8\nBxmkvXvEOcSkN+oLtG+PYg+Sap3zANmipo1KsH8CgYAG7B2QrFSLz42j7TTVAlkk\n/SofZWMcWRbMByhuKEHy8+n5uXApAmK2EUdOlWSlLuxho/Y4Vy7bNUotxiMp8oR9\n1O9gWXdje9bl8OaRFDUaCgF0c+h/ty7UTgVytOgoQ54I9Fylfl5QxW2ETC2k9c7L\nK7Z2UFDtIS1sdq6GgqQEewKBgATvh0fmkjIl/X9J/+ONvZJDrguWRXXgdN96nJk2\n5W9dhgjEz1zMExZfTnTdobx3/GZE8jMB2I4mt9aKrNsob8vhE0MuOZEu9phjzdF+\nnxC0/8HHcMCoDt9yheCEd2n9MNepk3TnAwiLlQSP99XDG0pPTh6KK9Qb0afD82BI\n/zqrAoGAbD6v/oWejG4BZItgSwiwfoO1cZO2w6cdfvRbYNODNk9rO1BAGEL6MIiW\n6W7u8c5D49oIPUQJVQcl9JoOLKTqAEJJY5xoSfB6MNVcBpHpyjvj6+bdY7wXjHpT\nkZ7GqXXlu9uEweO9GsoUEgkQ0Fb48JSruqTzyDzl9GFYGIrqtV8=\n-----END RSA PRIVATE KEY-----\n",
"snis":["yangcong.com.cn"]
}'

get the response:

HTTP/1.1 100 Continue

HTTP/1.1 201 Created
Date: Mon, 21 Aug 2023 03:47:20 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Server: APISIX/2.15.0
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
Access-Control-Max-Age: 3600

{"node":{"key":"\/apisix\/ssl\/00000000000000000490","value":{"id":"00000000000000000490","create_time":1692589640,"status":1,"snis":["yangcong.com.cn"],"update_time":1692589640,"cert":"-----BEGIN CERTIFICATE-----\nMIIDLjCCAhagAwIBAgIIXBaJLvc+UdowDQYJKoZIhvcNAQELBQAwJzELMAkGA1UE\nBhMCQ04xGDAWBgNVBAMTD3lhbmdjb25nLmNvbS5jbjAeFw0yMzA0MTAwNjU0MjJa\nFw0yNDA0MTAwNjU0MjJaMCcxCzAJBgNVBAYTAkNOMRgwFgYDVQQDEw95YW5nY29u\nZy5jb20uY24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDXl25NtBB7\noPXgwPDaTNN8FvkcUMNXUovNF7mxtOpfk2yi7+zZugqvK46nqEVjZ0b0ygtZUhTR\nD6bacvZfLNS09CBl3ukOGSRWIfmQzdTg7TQfiBNh10jIsQRQY+XmR1rHJGwHPL0V\nx17QznDBE1dGv2KxeK+OXw6Kb7\/mNlfBBh+BVLPrpe384qqqM8yRHtt+PIPtG+tn\nzI37zigM60\/cA3riANY8YkYCxBaGcQj99s+uqmZzb2OwURZ4LurZryxG0Ih7D6jv\niRyFhX8usyvd63RhbUNiHI\/PQ5UCWzSx4+5Rsj18R7DS0ekpaPRYxh39px5wDqay\newEinSixdg39AgMBAAGjXjBcMA4GA1UdDwEB\/wQEAwIBhjAPBgNVHRMBAf8EBTAD\nAQH\/MB0GA1UdDgQWBBSFbdS2nxOjbqSDcVvQNaiAEmo88zAaBgNVHREEEzARgg95\nYW5nY29uZy5jb20uY24wDQYJKoZIhvcNAQELBQADggEBABkclp6cfSFJT7vI6Ynx\nOEwPnF5NvKLbIooEfxgVgdjgK5rTxuS+p9P17zrJGRC0VDCQ6K\/ZwX0c4sd400o+\nUiP4G5VzVc3RWR33KIjPepwPSKl23yb3tI2fQWEat+9ZA5kCKCRSG7hE77C9n5uK\niSK9h2V4pX989ZKLqlxjnFVbo0i4iqR5yadqp6fDVXfyW488PdTMm1k4+M0sxscc\nWaZw4EjB+TXfzu7DT0PqVFTb1THkzofmfXJwx3FUxX8wKkDcQtURZ9d+85OocI2W\nKOhFkNSO4GwtCWWcNpz6jHjKKVQ\/aEzchI2Y4qHr1au1n4uUsXN7NNwLpt7gQ8aD\n7Ys=\n-----END CERTIFICATE-----","type":"server","key":"HrMHUvE9Esvn7GnZ+vAynaIg\/8wlB3r0zm0htmnwofbFKYxaZb9yl+TYGZtX2Fwmjv6Hb5hqFU9KYvKZFSOEiRRyGn6GUjRVPF+aDoiCWHBwBeZ9r8jMx1VfT8OgaOCoRnjfOqgK3CaRHsRJ+qsXAOwAKWDTC0y\/kUl2beMeHqaLPQHDAHOkNWhbC\/3rJvoHzOSgh6vrVwF2AZipUii+fnIhVuhX0f3esApZe1yYFRNsVRjwNg9GpJwlzyKvcGQ+hmhs9jVdrDlh79dWlpEVhM118Tiriy+lclG95wZF0E40JaRAHYPNeGyxG5in9yLK4N5zLGQJvzCyJP2OF2+dqj2Fu55h2CWgNeJmZp23o\/Z5YlRfYrnByn+4wmmks2+GCo1t5JZ\/QkWDOnLodW1VcetvLDsTMfs54a\/KIPKHR+cFB2odLgvg1XRHxz29GAtFEzEYFduXaei0D07nnrtlOQ34HTs0H\/hJ77Nwlx38vb96SHejRtk9TY7i7RKUkMTaEhQPG6IcYHAA\/23zAKar7A90RMD5hhrDRPkETEQAY7QFGUe0jjZa603f2kr6\/q8sx1XvdrbvmSfPapr6QgOTFzAFyryPkA4jkX3eH32d5a++HBTX8NyViU8VF3vEHBKhziZX32siZP0HrwlfA1aoKsiAJX+3UHzNyLwqhr7wO95yDuXSko0AZsdIlvF9+Wv+uhd81cD9sFtcbZUe3LFHtmTrkfjODqNAZqon\/hlowBSv4ML\/Ju99ZklKzge5EuCPb1FoH8JS93EsvSWJYiZuVHNCE7A8LPjZfPCx6ijS\/sYqIEgWEcqt029bY\/wR7sX0p2OaiZkofYt7LLcBhSFYoJ16\/927eW3nTsrwWEBWDUeFS2dbprB6R80qNAQOvS1yPheY8L7leFNIULo6pC8vAM6ffeE6t7y58YWBkehuCs1wYKIiJNhK6gCSaLchExR0gxHrSNvQ7pBLa5QITeWZ9XUucdCLJsCGV7LvRRWFfHPZxs4fb3TS9BvEh4ru9r38JeYko2rlWaKwmibJhQMBqDgR\/nix0oCtMjsOs5ieugFMjvMy15+ijqzT129ailXQmo05Cito3DJSLdWLDAFF5Uaa\/SZchSJBqN83eAtxVKMXmMR5S5Tdk5JAyNdMCJK1MUCo3uzRt+pm2vNpSSAysFnNm\/CNtW9HTW+hlhCBAC+1w8Uwkswryjus51yD8I+ujbubFdwNltBPCdV4w3OEAcaJQmsLoP\/vDlU5eayD+gVdLPM87L4TKpH9X2TcgK5EExswJxHpkjy8XpfG7+1qkaoMAXHHaej+E1mRYxJ8SUA68pXt3NlL1c3HSczPGBX5Q4DIvY9O87N57RpSQwRC1HXIcrQlHlSr+MIRvhIBlEeDiApwZ+y6+zP4UFmMzETogrj11ffLHgHi0k34kjrVDBsHy2H9\/QoUopiuEUF722tiQndIcIYjraMENqlxgO1CRmVj17Ja1Q\/PgQAgaqdS4FWbwuzsUhmMVuSxODzfD0\/n1BH2EKUv14o4laBeM1Rmm4VYQY\/OXYuw\/ZfqPk6K4bzKn+t5az8D9OQ4ik3NJvGr1JPu\/UGksqGHTaLm2fzeshhJrDaPP7b+jKyr7+FjiYlEAlswwJB+28luhP9\/rUJEPGcRyvsyj1tsnETOpgVBYaB78PdY28+vnAH1r3Lymeyl7r70ndhD4TXjRcD9KCuL2wWD7WOdIGxBtGedt2pTC3HNNwjQoYs2E21UfO4c6LBm7VCXQbLf2jxC4THI+vTA52I99Vr8Bs88owlDbpBssd\/oolXpk0sjjNy9WIaD1kOXnOgrRAeXPg8FzHeFypxh3r3WcyikAMi0U+tInZ\/u5gpVrZbH03\/q3iDr\/KPwLzZxZRGn7nDomNluYNLfRsNfefmxZGWUaZUyrnqYthVIAK+\/NAJBbCyTfzjty3xuDOhi\/PcmCrKuHDVet1ugmiZT8JeFMyMKVO7ZDct5Xvw2Z9YdNgeNqpE73OIhybXmMJfnP5HIIMfkYUXmjce637P3xS8BWxO29pr\/vUJDJVcLbzb3UBjtduBhw4wOJnogywsQhQMvKVAaPdUwpYMBUb\/HZjEi7Rld9wDN36VkC0xk1JdreCYjEqd0gjdBCQPqFbhiI6fA8Bv099hWvMucnhEJ5b5PQMZ5aHxxPSD9nr+swVNBc0xxBY8w\/5qO6rjGUKhu\/UmpYX8JopELCIkTkqCNuwq9fOy7DQFl\/YrLFiuU"}},"action":"create"}

2.back the board page :
image

3.When I uploaded the same certificate on the front-end page, it was displayed normally

Environment

  • APISIX version (run apisix version):2.15
  • Operating system (run uname -a):
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant:
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@Revolyssup
Copy link
Contributor

Revolyssup commented Aug 21, 2023
edited
Loading

It looks like the certificate might be invalid. Can you use something like openssl x509 -in certificate.crt -noout -checkend 0 to check the certificate?

@githubxubin
Copy link
Author

githubxubin commented Aug 21, 2023
edited
Loading

The certificate is valid and my uploads on the front-end page are displayed normally

image
image

@Revolyssup
Copy link
Contributor

Looks like this is an issue with APISIX-dashboard.

@githubxubin
Copy link
Author

Looks like this is an issue with APISIX-dashboard.
Do I need to mention bugs in APISIX-dashboard?

@githubxubin
Copy link
Author

Looks like this is an issue with APISIX-dashboard.

But this is an apisix API problem.

@Revolyssup
Copy link
Contributor

@githubxubin Can you show the json response when you GET this SSL certificate to see all the data that was stored in etcd?

@githubxubin
Copy link
Author

@githubxubin Can you show the json response when you GET this SSL certificate to see all the data that was stored in etcd?

You can repeat this with the API on version 2.15 of Apisix,tks

@jiangfucheng
Copy link
Member

apisix/apisix/schema_def.lua

Lines 802 to 803 in 7fb05f8

validity_end = timestamp_def,
validity_start = timestamp_def,

This is indeed a bug, APISIX Dashboard will parse the certificate and set validity_start and validity_end fields to the configuration when user creates ssl resource, but APISIX will not do this when user uses AdminAPI to create ssl resource.

Currently, APISIX support set multiple cert and key in one ssl resource, so it's unreasonable to still use these two filed to represent the expiration time of the entire ssl resource. There are two solutions:

  1. Remove validaity_start and validaity_end fields in ssl schema, because this field does not require user to fill it out, it only displays some information about ssl.
  2. Add validaity_starts and validaity_ends schema for ssl to represent the expiration time of every certificate, and we need to fill out the value when user creates ssl resource. Notice that we can keep validaity_start and validaity_end field to represent the expiration time of cert and key, we fill out validaity_starts and validaity_ends fields only user use certs and keys fields to create ssl resource, it can keep compatibility with old version and APISIX Dashboard logic.

And, the Invalid date in Dashboard is harmless, we can just ignore it.

@Revolyssup
Copy link
Contributor

@jiangfucheng The second way looks better to me. Just to make sure I understand correctly, when you say "Add validaity_starts and validaity_ends schema for ssl to represent the expiration time of every certificate", will each cert have it's own validity fields?

@Revolyssup Revolyssup added the bug Something isn't working label Aug 23, 2023
@Revolyssup Revolyssup moved this to 📋 Backlog in Apache APISIX backlog Aug 23, 2023
@jiangfucheng
Copy link
Member

@jiangfucheng The second way looks better to me. Just to make sure I understand correctly, when you say "Add validaity_starts and validaity_ends schema for ssl to represent the expiration time of every certificate", will each cert have it's own validity fields?

Yes.

@Revolyssup
Copy link
Contributor

@jiangfucheng Would you like to take this up?

@jiangfucheng
Copy link
Member

@jiangfucheng Would you like to take this up?

Sure

@jiangfucheng jiangfucheng self-assigned this Aug 23, 2023
@jiangfucheng
Copy link
Member

After this PR merged, I think this issue should be closed.

@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅ Done in Apache APISIX backlog Oct 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jiangfucheng jiangfucheng

Labels
bug Something isn't working
Projects
Apache APISIX backlog
Archived in project
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jiangfucheng @githubxubin @Revolyssup