apisix-dashboard
bug: in version 3.7.0, certificates created through apisix-dashboard report that the SNI cannot be found
Current Behavior
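After importing a certificate (a wildcard certificate) through the apisix-dashboard page, an error reports that the SNI for the corresponding domain cannot be found. Copying the certificate content out and importing it through http://127.0.0.1:9180/apisix/admin/ssls/1 works normally. I also found that after downgrading to 3.6.0, the dashboard page operation above does not show this problem.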
Expected Behavior
No response
Error Logs
[error] 48#48: 737 [lua] init.lua:213: http_ssl_client_hello_phase(): failed to match any SSL certificate by SNI: test.ydact.cn, context: ssl_client_hello_by_lua, client: 192.168.205.100, server: 0.0.0.0:443
Steps to Reproduce
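1. Run docker.
2. Import a wildcard certificate through the dashboard page.
3. Accessing the domain gives an error; the apisix log reports an error finding the certificate SNI.
4. Import the certificate through the admin API; accessing the domain works normally.
5. Downgrade apisix to 3.6.0, import the certificate through the page, and the website is accessible normally.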
Environment
Running in docker: apache/apisix:3.7.0-debian and apache/apisix-dashboard:3.0.1-alpine, bitnami/etcd:3.4.15
Please use English in your issue description and title.
I have reproduced it, I will try to debug it.
I got the root cause: APISIX v3.7.0 removed validity_end and validity_start https://github.com/apache/apisix/pull/10323
So if you import an SSL cert in APISIX v3.6.0, the SSL cert saved to etcd contains the properties validity_end and validity_start. But when you upgrade to 3.7.0, loading the config from etcd will report an error like this:
2023/12/27 08:39:23 [error] 87#87: *14 [lua] config_etcd.lua:520: load_full_data(): failed to check item data of [/apisix/ssls] err:additional properties forbidden, found validity_end ,val:
So I suggest you reimport the SSL cert in APISIX v3.7.0 and make sure no validity_end and validity_start properties are stored in etcd. @lan11
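One way to run the check suggested in the comment above, as an added example that is not part of the original thread or of APISIX: it scans a JSON dump of the `/apisix/ssls` prefix for SSL objects that still carry `validity_start` or `validity_end` and produces a cleaned copy of each. It assumes the dump has the shape produced by `etcdctl get --prefix /apisix/ssls -w json` (base64-encoded keys and values); the function name and all sample entries are constructed.

```python
import base64
import json

# Properties that, per the comment above, APISIX v3.7.0 no longer accepts.
REMOVED_FIELDS = ("validity_start", "validity_end")


def _b64(text):
    return base64.b64encode(text.encode()).decode()


def audit_ssl_dump(dump_json, prefix="/apisix/ssls/"):
    """Return {etcd_key: (offending_fields, cleaned_object)} for flagged entries."""
    flagged = {}
    for kv in json.loads(dump_json).get("kvs", []):
        key = base64.b64decode(kv["key"]).decode()
        if not key.startswith(prefix):
            continue
        raw = base64.b64decode(kv.get("value", ""))
        try:
            obj = json.loads(raw)
        except ValueError:
            continue  # empty or non-JSON value (e.g. a directory marker)
        if not isinstance(obj, dict):
            continue
        found = [f for f in REMOVED_FIELDS if f in obj]
        if found:
            cleaned = {k: v for k, v in obj.items() if k not in REMOVED_FIELDS}
            flagged[key] = (found, cleaned)
    return flagged


# Constructed sample dump: one directory marker, one stale object, one clean one.
SAMPLE_DUMP = json.dumps({"kvs": [
    {"key": _b64("/apisix/ssls/"), "value": _b64("init_dir")},
    {"key": _b64("/apisix/ssls/1"), "value": _b64(json.dumps({
        "id": "1", "snis": ["*.example.com"],
        "cert": "<PEM placeholder>", "key": "<PEM placeholder>",
        "validity_start": 1700000000, "validity_end": 1731536000}))},
    {"key": _b64("/apisix/ssls/2"), "value": _b64(json.dumps({
        "id": "2", "snis": ["test.example.com"],
        "cert": "<PEM placeholder>", "key": "<PEM placeholder>"}))},
]})

if __name__ == "__main__":
    for key, (found, cleaned) in audit_ssl_dump(SAMPLE_DUMP).items():
        print(f"{key}: remove {found}; keep fields {sorted(cleaned)}")
```

Any key the function reports is a candidate for re-import without the listed properties, for example through the Admin API endpoint mentioned in the issue.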
@hanqingwu thanks for the insight. @lan11 could you please check if the above solution helps?
Hope to identify in all >= 3.7 documents
apisix 3.2.0 and 3.2.2, dashboard 3.0.1 have the same question. Causing all business to go down.
https://github.com/apache/apisix/pull/10233
can we support this change? The question is how to make it compatible with 3.7 and below or launch a new version?