Missing *.crt files in ssl/ folder
proton1k opened this issue · 2 comments
Hi,
After installation on Mac M1 (Apple chip) from homebrew, I ran into the following:
❯ kong start -v
2022/06/23 16:47:11 [verbose] Kong: 2.8.1
2022/06/23 16:47:11 [verbose] no config file found at /etc/kong/kong.conf
2022/06/23 16:47:11 [verbose] reading config file at /etc/kong.conf
2022/06/23 16:47:11 [verbose] prefix in use: /opt/homebrew/opt/kong
2022/06/23 16:47:11 [verbose] preparing nginx prefix directory at /opt/homebrew/opt/kong
2022/06/23 16:47:11 [verbose] SSL enabled on
2022/06/23 16:47:11 [verbose] proxy SSL certificate found at /opt/homebrew/opt/kong/ssl/kong-default.crt
2022/06/23 16:47:11 [verbose] proxy SSL certificate found at /opt/homebrew/opt/kong/ssl/kong-default-ecdsa.crt
2022/06/23 16:47:11 [verbose] SSL enabled on
2022/06/23 16:47:11 [verbose] admin SSL certificate found at /opt/homebrew/opt/kong/ssl/admin-kong-default.crt
2022/06/23 16:47:11 [verbose] admin SSL certificate found at /opt/homebrew/opt/kong/ssl/admin-kong-default-ecdsa.crt
2022/06/23 16:47:11 [warn] ulimit is currently set to "256". For better performance set it to at least "4096" using "ulimit -n"
Error:
/opt/homebrew/share/lua/5.1/kong/cmd/start.lua:24: nginx configuration is invalid (exit code 1):
nginx: [emerg] cannot load certificate "/opt/homebrew/opt/kong/ssl/kong-default.crt": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/opt/homebrew/opt/kong/ssl/kong-default.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /opt/homebrew/opt/kong/nginx.conf test failed
I see contradicting lines here:
....
2022/06/23 16:47:11 [verbose] proxy SSL certificate found at /opt/homebrew/opt/kong/ssl/kong-default.crt
2022/06/23 16:47:11 [verbose] proxy SSL certificate found at /opt/homebrew/opt/kong/ssl/kong-default-ecdsa.crt
2022/06/23 16:47:11 [verbose] SSL enabled on
2022/06/23 16:47:11 [verbose] admin SSL certificate found at /opt/homebrew/opt/kong/ssl/admin-kong-default.crt
2022/06/23 16:47:11 [verbose] admin SSL certificate found at /opt/homebrew/opt/kong/ssl/admin-kong-default-ecdsa.crt
...
and the
...
No such file or directory:fopen('/opt/homebrew/opt/kong/ssl/kong-default.crt','r')
...
From the folder where homebrew installs modules:
❯ ls -la /opt/homebrew/opt/kong/ssl
total 8
drwxr-xr-x 7 user admin 224B Jun 23 16:39 .
drwxr-xr-x 17 user admin 544B Jun 23 16:39 ..
-rwxr--r-- 1 user admin 0B Jun 23 16:30 admin-kong-default-ecdsa.key
-rwxr--r-- 1 user admin 0B Jun 23 16:28 admin-kong-default.key
-rw-r--r-- 1 user admin 428B Jun 23 16:39 ffdhe2048.pem
-rwxr--r-- 1 user admin 0B Jun 23 16:28 kong-default-ecdsa.key
-rwxr--r-- 1 user admin 0B Jun 23 16:25 kong-default.key
So, what's wrong with the "proxy SSL certificate found at..."?
I used an official tutorial here: https://docs.konghq.com/gateway/latest/install-and-run/macos/
+1 on this. Getting the same issue. Tried generating the certs manually, which got me past that step, but then I get stuck with .kong_env, which seems to have some permissions issue. When permissions are provided (chmod 777 on both just the file and the entire dir) and kong is started, it overwrites said file (or resets the permissions at least). Tagging @kikito since it seems like you've had the last human commits in this repo.
kong % chmod 777 .kong_env
kong % ls -la .kong_env
-rwxrwxrwx 1 %%user%% admin 0 Jul 22 02:50 .kong_env
kong % kong start --v -c /etc/kong/kong.conf
2022/07/22 02:51:18 [verbose] Kong: 2.8.1
2022/07/22 02:51:18 [verbose] reading config file at /etc/kong/kong.conf
2022/07/22 02:51:18 [verbose] prefix in use: /opt/homebrew/opt/kong
2022/07/22 02:51:18 [verbose] preparing nginx prefix directory at /opt/homebrew/opt/kong
2022/07/22 02:51:18 [verbose] SSL enabled on
2022/07/22 02:51:18 [verbose] proxy SSL certificate found at /opt/homebrew/opt/kong/ssl/kong-default.crt
2022/07/22 02:51:18 [verbose] proxy SSL certificate found at /opt/homebrew/opt/kong/ssl/kong-default-ecdsa.crt
2022/07/22 02:51:18 [verbose] SSL enabled on
2022/07/22 02:51:18 [verbose] admin SSL certificate found at /opt/homebrew/opt/kong/ssl/admin-kong-default.crt
2022/07/22 02:51:18 [verbose] admin SSL certificate found at /opt/homebrew/opt/kong/ssl/admin-kong-default-ecdsa.crt
2022/07/22 02:51:18 [warn] ulimit is currently set to "256". For better performance set it to at least "4096" using "ulimit -n"
Error:
/opt/homebrew/share/lua/5.1/kong/cmd/start.lua:24: unable to open env path /opt/homebrew/opt/kong/.kong_env (/opt/homebrew/opt/kong/.kong_env: Permission denied)
stack traceback:
[C]: in function 'assert'
/opt/homebrew/share/lua/5.1/kong/cmd/start.lua:24: in function 'cmd_exec'
/opt/homebrew/share/lua/5.1/kong/cmd/init.lua:89: in function </opt/homebrew/share/lua/5.1/kong/cmd/init.lua:89>
[C]: in function 'xpcall'
/opt/homebrew/share/lua/5.1/kong/cmd/init.lua:89: in function </opt/homebrew/share/lua/5.1/kong/cmd/init.lua:46>
/opt/homebrew/bin/kong:10: in function 'file_gen'
init_worker_by_lua:49: in function <init_worker_by_lua:47>
[C]: in function 'xpcall'
init_worker_by_lua:56: in function <init_worker_by_lua:54>
kong % ls -la .kong_env
--w------- 1 %%user%% admin 0 Jul 22 02:51 .kong_env
Willing to attach more logs if required
Update to that: modifying some stuff in prefix_handler.lua helped me get past the issues, once I manually created the certs.
I inserted this at line 293:
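-- Declare the C stdio functions used below; FILE is only handled through a pointer here.
ffi.cdef[[
typedef struct {
char *fpos;
void *base;
unsigned short handle;
short flags;
short unget;
unsigned long alloc;
unsigned short buffincrement;
} FILE;
FILE *fopen(const char *filename, const char *mode);
int fprintf(FILE *stream, const char *format, ...);
int fclose(FILE *stream);
]]
-- "a+" creates the file if it does not exist and leaves existing content alone.
local f = ffi.C.fopen(path, "a+")
-- fopen returns NULL on failure (a NULL pointer compares equal to nil in LuaJIT);
-- only close a valid handle.
if f ~= nil then
  ffi.C.fclose(f)
end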
which creates an empty file before the next line tries to open it. It is possible that the same issue is happening with the certs as the Lua code tries to write the file, but fails.
For now this seems to work in my case. If anyone is monitoring this issue, can a fix be provided for the certs problem along with this?
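The state reported in this thread ("certificate found" logged while ssl/ holds only 0-byte .key files and no .crt files) can be detected before starting Kong. The following is an added example, not part of the thread and not Kong's own code: a preflight check over the four default certificate names from the verbose log, which also flags private keys that are readable by group or other. The function names and the finding labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a Kong prefix ssl/ directory before `kong start`.
# File names are the four defaults shown in the verbose log above.
NAMES="kong-default kong-default-ecdsa admin-kong-default admin-kong-default-ecdsa"

# Prints one finding per line; prints nothing when every pair is usable.
audit_ssl_dir() {
  dir=$1
  for name in $NAMES; do
    for ext in crt key; do
      f="$dir/$name.$ext"
      if [ ! -e "$f" ]; then
        echo "MISSING $name.$ext"
      elif [ ! -s "$f" ]; then
        echo "EMPTY $name.$ext"      # 0-byte file: present but unusable
      fi
    done
    key="$dir/$name.key"
    if [ -e "$key" ]; then
      # Characters 5-10 of the ls mode string are the group and other bits.
      go_bits=$(ls -ld "$key" | cut -c5-10)
      if [ "$go_bits" != "------" ]; then
        echo "LOOSE_PERMS $name.key ($go_bits)"
      fi
    fi
  done
  return 0
}

# Constructed sample reproducing the listing in the first post:
# four 0-byte keys with mode 744, no .crt files.
make_sample_dir() {
  d=$(mktemp -d)
  for name in $NAMES; do
    : > "$d/$name.key"
    chmod 744 "$d/$name.key"
  done
  echo "$d"
}

# Audit the directory given as $1, or the constructed sample if none is given.
target=${1:-$(make_sample_dir)}
audit_ssl_dir "$target"
```

Run it with the prefix's ssl/ directory as the only argument; empty output means every certificate and key is present, non-empty, and the keys are owner-only.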