acme error on docker-kong #39
Comments
Hi @lukasa1993, can you share the full kong.conf or any other environment variables you are passing to the container?
this is all, i don't have custom kong.conf. i tried :latest as well, same error
thanks for sharing that. now i realize the error is
@fffonion what do you mean api_url? i used exact same samples as in readme. i have acme-dummy service and route. CA cert is whatever comes in docker img, i haven't put it myself
@lukasa1993 do you have any other config fields other than those when adding the plugin?
i changed storage to
but i changed storage to kong after it wasn't working already
emm i can't reproduce that error on my side. could you send me the docker image ID/hash you are using? it can be viewed by running
please also share the
```
kong latest 6cd6bc3dc612 6 days ago 146MB
```
```
{"next":null,"data":[{"created_at":1594839403,"id":"974d46cd-0ae2-4770-a832-2d2d1972ed3e","tags":null,"enabled":true,"protocols":["grpc","grpcs","http","https"],"name":"acme","consumer":null,"service":null,"route":null,"config":{"storage_config":{"redis":{"auth":null,"port":null,"database":null,"host":null},"shm":{"shm_name":"kong"},"vault":{"host":null,"port":null,"token":null,"timeout":null,"https":false,"tls_server_name":null,"kv_path":null,"tls_verify":true},"kong":{},"consul":{"host":null,"port":null,"token":null,"timeout":null,"https":false,"kv_path":null}},"cert_type":"rsa","tos_accepted":true,"storage":"kong","domains":["example.com"],"api_uri":"https:\/\/acme-v02.api.letsencrypt.org\/directory","account_email":"example@gmail.com","renew_threshold_days":14}},{"created_at":1595156003,"id":"fced96c8-dced-46cd-b07c-9338e0efc8f2","tags":null,"enabled":false,"protocols":["grpc","grpcs","http","https"],"name":"basic-auth","consumer":null,"service":null,"route":{"id":"e931b780-fe8b-4c1b-8dda-364554c78321"},"config":{"hide_credentials":true,"anonymous":null}}]}
```
@fffonion i swapped actual email and domain but rest is exact same
those look good to me. thanks!
```lua
-- Fetch the ACME directory with lua-resty-http and print the error (if any) and the body
local http = require "resty.http"
local hc = http.new()
local a, err = hc:request_uri("https://acme-v02.api.letsencrypt.org/directory")
ngx.say(err)
ngx.say(a and a.body)
```
run
@fffonion seems this worked
didn't mean it solved the problem :) it just returned something
@lukasa1993 yeah that at least verifies the environment is sane. btw you are still seeing that error log right, meaning it's not an ephemeral thing from let's encrypt side.
@fffonion still there, i am trying every day, same error
atm i am using letsencrypt cert from certbot on same server and domain without issue
i still suspect the issue is not related to trusted certificate, as the error message indicates otherwise.
@fffonion i use bridge network, no dns setup that i have done, it's all default
umm it worked just now for no apparent reason :(
emmm okay this is really weird
@fffonion issue came back after restart… no idea what fixed it and why it's back
@lukasa1993 I would still put my 5 cents on the network/environment you are running but not plugin itself. Since the let's encrypt API is not likely a self-signed certificate. But it could also be some deeper bug from connection reuse or something. I have a super hacky idea for debugging this 😂
```lua
local err = acme_client:init()
if err then
  -- add following
  -- Debug only: repeat the request with certificate verification off to see
  -- whether the failure comes from TLS verification or from somewhere else.
  local http = require "resty.http"
  local httpc = http.new()
  -- req_err is kept separate so the original init error is what gets returned
  local res, req_err = httpc:request_uri("https://acme-v02.api.letsencrypt.org/directory", {
    method = "GET",
    ssl_verify = false,
  })
  ngx.log(ngx.ERR, "response without ssl_verify: ", res and res.body, " error: ", req_err)
  return nil, nil, err
end
```
you can modify the file in host and bind mount into container, try to capture the error log when you saw the error again.
Closing for inactivity, @lukasa1993 feel free to reopen or create a new issue if you are still seeing issues.
hard to replicate still chasing when that happens seems random |
hello i am running kong from official docker :latest and :2.1
trying to set acme plugin i have dummy service and route and when i am trying to invoke domain with curl -k i get this :
db is postgres:9
have this KONG_LUA_SSL_TRUSTED_CERTIFICATE: /etc/ssl/certs/ca-certificates.crt in env
it seems that it doesn't like /etc/ssl/certs/ca-certificates.crt
i checked file is there…
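
The post above confirms only that the bundle file exists. As an added example (not from the thread or the Kong project), this structural check shows what else can make a path unusable as the PEM trust store behind `KONG_LUA_SSL_TRUSTED_CERTIFICATE`; the helper names `check_ca_bundle` and `write_sample_bundle` are hypothetical and the sample bundle is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the Kong project.
# Structural check of the PEM bundle named by KONG_LUA_SSL_TRUSTED_CERTIFICATE.
# It does not verify any certificate cryptographically.

# check_ca_bundle PATH (hypothetical helper)
# Returns 0 ok, 1 missing, 2 not a regular file, 3 unreadable,
#         4 no certificates, 5 BEGIN/END count mismatch.
check_ca_bundle() {
    bundle=$1
    [ -e "$bundle" ] || { echo "missing: $bundle"; return 1; }
    [ -f "$bundle" ] || { echo "not a regular file: $bundle"; return 2; }
    [ -r "$bundle" ] || { echo "not readable by $(id -un): $bundle"; return 3; }
    # grep -c exits 1 on a zero count, so keep that status out of the way.
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$bundle" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$bundle" || true)
    if [ "$begins" -eq 0 ]; then
        echo "no PEM certificates in $bundle"; return 4
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "truncated bundle ($begins BEGIN, $ends END): $bundle"; return 5
    fi
    echo "ok: $begins certificate(s) in $bundle"
}

# Constructed sample: writes COUNT placeholder PEM blocks (not real
# certificates) to PATH so the check can be exercised offline.
write_sample_bundle() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

sample=$(mktemp)
write_sample_bundle "$sample" 2
check_ca_bundle "$sample"            # two placeholder blocks: passes
: > "$sample"
check_ca_bundle "$sample" || true    # file exists but is empty: rejected
rm -f "$sample"
```

Run it inside the container as the user the Kong workers run as, so the readability check reflects what Kong itself sees.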