Kong 3.6: resty.openssl.auxiliary.nginx doesn't support Nginx version 1025003 #12592

Closed
1 task done
LukeMccon opened this issue Feb 20, 2024 · 11 comments
Labels
  • dependencies: Pull requests that update a dependency file
  • pending author feedback: Waiting for the issue author to get back to a maintainer with findings, more details, etc...
  • stale

Comments

@LukeMccon

LukeMccon commented Feb 20, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Kong version ($ kong version)

3.6.0

Current Behavior

When I run the Kong 3.6-ubuntu docker image in the hybrid mode, the control plane's migrations crash giving the following error: resty.openssl.auxiliary.nginx doesn't support Nginx version 1025003

Expected Behavior

Migrations run with no error

Steps To Reproduce

  1. Setup kong hybrid mode in docker compose or similar environment
  2. use kong:3.6-ubuntu docker image
  3. Setup PostgreSQL database with TLS enabled
  4. Execute kong migrations --v up in control plane container

Anything else?

  • I was not encountering this issue when the PostgreSQL database was configured locally to not use TLS. The TLS connection triggers the issue.
  • I followed the upgrade notes and setting ssl_cipher_suite to old didn't resolve the issue
  • With an identical setup using kong:3.5-ubuntu the control plane's migrations work perfectly

Versions:
nginx version: openresty/1.25.3.1
kong: 3.6.0

@samugi
Member

samugi commented Feb 21, 2024

Hello @LukeMccon ,
thank you for reporting this.

I was unable to reproduce the problem you described, here's what I tried:

  1. configured postgres to use ssl, setting the ssl = on, ssl_cert_file and ssl_key_file configuration options
  2. ran kong migrations bootstrap using KONG_ROLE=control_plane from kong:3.5-ubuntu with appropriate pg_ssl and lua_ssl configuration as described in our docs
  3. ran kong migrations --v up using KONG_ROLE=control_plane from kong:3.6-ubuntu (migrations completed successfully)
  4. started kong:3.6-ubuntu successfully

Could you share additional details to help us reproduce the problem, i.e. if you have any scripts, docker-compose, etc. that would be very helpful. Thank you!

@samugi samugi added the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label Feb 21, 2024
@bungle
Member

bungle commented Feb 21, 2024

@samugi, I think he is hitting this:
https://github.com/Kong/lua-resty-openssl/blob/master/lib/resty/openssl/auxiliary/nginx.lua#L43-L90

@samugi samugi removed the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label Feb 21, 2024
@fffonion
Contributor

Hi @LukeMccon could you share your kong.conf content, the postgres server version (is it higher than 11 and using scram auth?) and if there's any custom plugin that you are using?
And if possible, also the full stack trace for the error you mentioned.

@marco-sciatta

marco-sciatta commented Feb 22, 2024

Same issue here. We have this problem in the waiting-for-db container.
Installed with helm chart without including any custom plugin.

```
Error:
resty.openssl.auxiliary.nginx doesn't support Nginx version 1025003
stack traceback:
    [C]: in function 'error'
    /usr/local/share/lua/5.1/resty/openssl/auxiliary/nginx.lua:89: in main chunk
    [C]: in function 'require'
    /usr/local/share/lua/5.1/resty/openssl/ssl.lua:8: in main chunk
    [C]: in function 'require'
    /usr/local/share/lua/5.1/pgmoon/init.lua:397: in function 'auth'
    /usr/local/share/lua/5.1/pgmoon/init.lua:268: in function 'connect'
    .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:215: in function 'connect'
    .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:546: in function 'query'
    .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:296: in function 'init'
    /usr/local/share/lua/5.1/kong/db/init.lua:144: in function 'init_connector'
    /usr/local/share/lua/5.1/kong/cmd/start.lua:68: in function 'cmd_exec'
    /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:31>
    [C]: in function 'xpcall'
    /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:15>
    (command line -e):7: in function 'inline_gen'
    init_worker_by_lua(nginx.conf:204):44: in function <init_worker_by_lua(nginx.conf:204):43>
    [C]: in function 'xpcall'
    init_worker_by_lua(nginx.conf:204):52: in function <init_worker_by_lua(nginx.conf:204):50>
```

@duonghanu

I got the same issue when upgrading from Kong OSS 3.5.0 to 3.6.0, when running the DB migration process

```
kong migrations up --vv
Error:
resty.openssl.auxiliary.nginx doesn't support Nginx version 1025003
stack traceback:
    [C]: in function 'error'
    /usr/local/share/lua/5.1/resty/openssl/auxiliary/nginx.lua:89: in main chunk
    [C]: in function 'require'
    /usr/local/share/lua/5.1/resty/openssl/ssl.lua:8: in main chunk
    [C]: in function 'require'
    /usr/local/share/lua/5.1/pgmoon/init.lua:397: in function 'auth'
    /usr/local/share/lua/5.1/pgmoon/init.lua:268: in function 'connect'
    .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:215: in function 'connect'
    .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:546: in function 'query'
    .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:296: in function 'init'
    /usr/local/share/lua/5.1/kong/db/init.lua:144: in function 'init_connector'
    /usr/local/share/lua/5.1/kong/cmd/migrations.lua:101: in function 'cmd_exec'
    /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:31>
    [C]: in function 'xpcall'
    /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:15>
    (command line -e):7: in function 'inline_gen'
    init_worker_by_lua(nginx.conf:132):44: in function <init_worker_by_lua(nginx.conf:132):43>
    [C]: in function 'xpcall'
    init_worker_by_lua(nginx.conf:132):52: in function <init_worker_by_lua(nginx.conf:132):50>
```

@chronolaw
Contributor

Hi @LukeMccon , I think that we have fixed this issue in #12665, could you try it again? thanks.

@chronolaw chronolaw added the pending author feedback Waiting for the issue author to get back to a maintainer with findings, more details, etc... label Apr 2, 2024
Contributor

This issue is marked as stale because it has been open for 14 days with no activity.

@github-actions github-actions bot added the stale label Apr 17, 2024
Contributor

Dear contributor,

We are automatically closing this issue because it has not seen any activity for three weeks.
We're sorry that your issue could not be resolved. If any new information comes up that could
help resolving it, please feel free to reopen it.

Your contribution is greatly appreciated!

Please have a look at our pledge to the community for more information.

Sincerely,
Your Kong Gateway team

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 24, 2024
@Water-Melon
Contributor

@LukeMccon This issue has been fixed in #12905 and will be released in the next version.

@LukeMccon
Author

Thank you @Water-Melon @chronolaw and team, confirmed that this issue is fixed in OSS 3.6.1

@duonghanu

duonghanu commented Sep 7, 2024

I got the following error when upgrading Kong OSS 3.5.0 -> 3.6.1. I'm using AWS RDS Postgres 15, Ubuntu 22.04

sudo kong migrations up --v
2024/09/07 16:45:41 [warn] ulimit is currently set to "1024". For better performance set it to at least "4096" using "ulimit -n"
2024/09/07 16:45:41 [verbose] Kong: 3.6.1
2024/09/07 16:45:41 [verbose] reading config file at /etc/kong/kong.conf
2024/09/07 16:45:41 [verbose] prefix in use: /usr/local/kong
2024/09/07 16:45:41 [verbose] preparing nginx prefix directory at /usr/local/kong
2024/09/07 16:45:41 [verbose] SSL enabled on proxy, no custom certificate set: using default certificates
2024/09/07 16:45:41 [verbose] proxy SSL certificate found at /usr/local/kong/ssl/kong-default.crt
2024/09/07 16:45:41 [verbose] proxy SSL certificate found at /usr/local/kong/ssl/kong-default-ecdsa.crt
2024/09/07 16:45:41 [verbose] SSL enabled on admin, no custom certificate set: using default certificates
2024/09/07 16:45:41 [verbose] admin SSL certificate found at /usr/local/kong/ssl/admin-kong-default.crt
2024/09/07 16:45:41 [verbose] admin SSL certificate found at /usr/local/kong/ssl/admin-kong-default-ecdsa.crt
2024/09/07 16:45:41 [verbose] SSL enabled on admin_gui, no custom certificate set: using default certificates
2024/09/07 16:45:41 [verbose] admin_gui SSL certificate found at /usr/local/kong/ssl/admin-gui-kong-default.crt
2024/09/07 16:45:41 [verbose] admin_gui SSL certificate found at /usr/local/kong/ssl/admin-gui-kong-default-ecdsa.crt
2024/09/07 16:45:41 [verbose] generating trusted certs combined file in /usr/local/kong/.ca_combined
2024/09/07 16:45:41 [warn] ulimit is currently set to "1024". For better performance set it to at least "4096" using "ulimit -n"
2024/09/07 16:45:41 [warn] 2943#0: *2 [lua] nginx.lua:300: get_ngx_ssl_from_socket_ctx(): note resty.openssl.auxiliary.nginx is using plain FFI and it's only intended to be used in development, consider using lua-resty-openssl.aux-module in production., context: ngx.timer
Error:
/usr/local/share/lua/5.1/pgmoon/init.lua:398: attempt to index local 'ssl' (a nil value)
stack traceback:
        /usr/local/share/lua/5.1/pgmoon/init.lua:398: in function 'auth'
        /usr/local/share/lua/5.1/pgmoon/init.lua:268: in function 'connect'
        .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:215: in function 'connect'
        .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:546: in function 'query'
        .../share/lua/5.1/kong/db/strategies/postgres/connector.lua:296: in function 'init'
        /usr/local/share/lua/5.1/kong/db/init.lua:144: in function 'init_connector'
        /usr/local/share/lua/5.1/kong/cmd/migrations.lua:101: in function 'cmd_exec'
        /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:31>
        [C]: in function 'xpcall'
        /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:15>
        (command line -e):7: in function 'inline_gen'
        init_worker_by_lua(nginx.conf:127):44: in function <init_worker_by_lua(nginx.conf:127):43>
        [C]: in function 'xpcall'
        init_worker_by_lua(nginx.conf:127):52: in function <init_worker_by_lua(nginx.conf:127):50>

8 participants