
bug: upload certs by apisix dashboard, the apisix pod will report error

Open Cloud0916 opened this issue 1 year ago • 8 comments

Current Behavior

config_etcd.lua:858: failed to fetch data from etcd: failed to check item data of [/apisix/ssls] err:additional properties forbidden, found validity_end, etcd key: /apisix/ssls, context: ngx.timer

Expected Behavior

No response

Error Logs

No response

Steps to Reproduce

1. restart apisix
2. delete certs and upload again

Environment

all resources are deployed by helm

- apisix: apache/apisix:3.9.1-debian
- apisix-etcd: docker.io/bitnami/etcd:3.5.7-debian-11-r14
- apisix-dashboard: apache/apisix-dashboard:3.0.0-alpine

Cloud0916 avatar May 13 '24 09:05 Cloud0916

I am having a similar problem:

    [error] 51#51: *1 [lua] config_etcd.lua:535: load_full_data(): failed to check item data of [/apisix/ssls] err:additional properties forbidden, found validity_start

@Cloud0916 did you find any solution?

rahulracker7539 avatar May 20 '24 09:05 rahulracker7539

> I am having a similar problem:
>
>     [error] 51#51: *1 [lua] config_etcd.lua:535: load_full_data(): failed to check item data of [/apisix/ssls] err:additional properties forbidden, found validity_start
>
> @Cloud0916 did you find any solution?

No, I just found that when I import a cert file from the dashboard, the JSON data stored in etcd contains "validity_start" and "validity_end". I guess the versions of the dashboard and etcd are not suitable, but I still have not found any solution.

Cloud0916 avatar May 20 '24 10:05 Cloud0916

In this Pull Request (https://github.com/apache/apisix/pull/10323), they recognized that there was a break in compatibility with the Apisix Dashboard project.

There is an open issue about this: https://github.com/apache/apisix-dashboard/issues/2915

emrocha avatar May 20 '24 20:05 emrocha

I have the same.

wangchao732 avatar May 23 '24 07:05 wangchao732

It's OK to upload the cert through the apisix-admin API, for example:

    [root@server1 ~]# CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\n",$0;}' your_domain.pem)
    [root@server1 ~]# KEY=$(awk 'NF {sub(/\r/, ""); printf "%s\n",$0;}' your_domain.key)
    curl http://{Address of apisix-admin}:9180/apisix/admin/ssls -X POST -d '{ "cert": "'"$CERT"'", "key": "'"$KEY"'", "snis": ["your.domain"] }' -H 'X-API-KEY: {your api key}'

Cloud0916 avatar May 23 '24 07:05 Cloud0916

> You can upload the certificate through the apisix-admin API, for example:
>
>     [root@server1 ~]# CERT=$(awk 'NF {sub(/\r/, ""); printf "%s\n",$0;}' your_domain.pem)
>     [root@server1 ~]# KEY=$(awk 'NF {sub(/\r/, ""); printf "%s\n",$0;}' your_domain.key)
>     curl http://{Address of apisix-admin}:9180/apisix/admin/ssls -X POST -d '{ "cert": "'"$CERT"'", "key": "'"$KEY"'", "snis": ["your.domain"] }' -H 'X-API-KEY: {your api key}'

Yes, putting the certificate through apisix /apisix/admin/ssls succeeds; through the dashboard it still does not work. apisix version 3.9.0. Comparing the results, I found that the apisix dashboard upload contains these fields:

    {
        "createdIndex": 314,
        "key": "/apisix/ssls/514925433557353103",
        "modifiedIndex": 314,
        "value": {
            "validity_start": 1700092800,
            "id": "514925433557353103",
            "status": 1,
            "update_time": 1716449075,
            "snis": [
                "*.xxx.com",
                "xxx.com"
            ],
            "cert": "",
            "create_time": 1716449075,
            "validity_end": 1731715199
        }
    }

but the API doesn't have "validity_start"

    {
        "list": [
            {
                "createdIndex": 313,
                "key": "/apisix/ssls/00000000000000000312",
                "modifiedIndex": 313,
                "value": {
                    "create_time": 1716448592,
                    "update_time": 1716448592,
                    "snis": [
                        "*.bcnyyun.com"
                    ],
                    "type": "server",
                    "id": "00000000000000000312",
                    "key": "",
                    "status": 1
                }
            }
        ]
    }

wangchao732 avatar May 23 '24 07:05 wangchao732
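
Added example (not part of the thread, and not APISIX or dashboard code): a read-only check over the JSON printed by `etcdctl get --prefix /apisix/ssls -w json` that lists the SSL objects carrying the two fields named in the error messages above. The function names and the sample dump are constructed for illustration; only metadata is printed, never the certificate or private key.

```python
import base64
import json

# The two fields the error messages in this thread name as forbidden.
REJECTED_FIELDS = ("validity_start", "validity_end")


def audit_ssl_dump(dump_text):
    """List /apisix/ssls objects that carry fields APISIX rejects.

    dump_text is the JSON printed by
    `etcdctl get --prefix /apisix/ssls -w json` (keys/values are base64).
    """
    findings = []
    for kv in json.loads(dump_text).get("kvs", []):
        etcd_key = base64.b64decode(kv["key"]).decode()
        try:
            value = json.loads(base64.b64decode(kv.get("value", "")))
        except ValueError:
            continue  # not a JSON object, e.g. a directory placeholder
        if not isinstance(value, dict):
            continue
        rejected = [f for f in REJECTED_FIELDS if f in value]
        if rejected:
            cleaned = {k: v for k, v in value.items() if k not in rejected}
            findings.append({"etcd_key": etcd_key, "snis": value.get("snis", []),
                             "rejected": rejected, "cleaned": cleaned})
    return findings


def constructed_dump():
    """Constructed sample input; ids and timestamps mirror the thread."""
    dashboard = {"id": "514925433557353103", "status": 1, "cert": "",
                 "snis": ["*.example.com", "example.com"],
                 "validity_start": 1700092800, "validity_end": 1731715199}
    admin_api = {"id": "00000000000000000312", "status": 1, "type": "server",
                 "snis": ["*.example.com"], "key": ""}
    rows = [("/apisix/ssls/", "init_dir"),
            ("/apisix/ssls/514925433557353103", json.dumps(dashboard)),
            ("/apisix/ssls/00000000000000000312", json.dumps(admin_api))]
    enc = lambda s: base64.b64encode(s.encode()).decode()
    return json.dumps({"kvs": [{"key": enc(k), "value": enc(v)} for k, v in rows]})


if __name__ == "__main__":
    for f in audit_ssl_dump(constructed_dump()):
        # Report metadata only; never print the cert or private key.
        print(f["etcd_key"], f["snis"], "rejected:", f["rejected"])
```

Entries it lists were written with the dashboard's extra fields; the workaround in this thread is to upload those certificates through the Admin API instead.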

I added a quick fix patch for apisix-dashboard: https://github.com/apache/apisix-dashboard/issues/2915#issuecomment-2127662316

fatihusta avatar May 23 '24 17:05 fatihusta

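Importing a certificate (a wildcard domain certificate) through the apisix-dashboard page reports that the SNI for the corresponding domain cannot be found. Copying the certificate content out and importing it through http://127.0.0.1:9180/apisix/admin/ssls/1 works normally.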

adangadang avatar Jun 07 '24 07:06 adangadang