几个关于ssl的疑问

[Lewisyixin]

搜了下文档，apisix中关于ssl相关的文档很少，今天在尝试配置客户端证书的时候发现了一些问题。

1. apisix使用客户端证书有没有请求例子可以参考下？我们将正在使用的nginx的客户端pem文件传入apisix的ssl证书配置中无法正常访问，不知道是不是传的格式有问题。
   客户端证书传入的数据格式类似下面这样，传入位置应该是正确的，因为加上这个之后，再次直接请求https域名会被限制
   "client":{"depth":1,"ca":"-----BEGIN CERTIFICATE-----\nxxxxxxxxxxxxxxxxx\n-----END CERTIFICATE-----\n"}
   但是按照和之前同样的python程序访问会报下面这样的错误
   

2. apisix的客户端证书是放到和服务端证书相同的配置当中的，通常来讲一个apisix实例会运行多个二级域名相同的域名，所以当我想给其中一个域名配置客户端证书，其余不配置的时候，如何实现？

[moonming]

@bzp2010 please take a look

[bzp2010]

@Lewisyixin

1. The configuration is correct, and as long as you ensure your credentials are correct, you can access it properly. After importing the client certificate on the client, it can be accessed normally either by curl or browser.

I used the following command to generate the certificate for testing on Windows.

openssl genrsa -out root.key 2048
openssl req -new -out root.csr -key root.key
openssl x509 -req -in root.csr -out root.crt -signkey root.key -CAcreateserial -days 3650
openssl genrsa -out server.key 2048
openssl req -new -out server.csr -key server.key
openssl x509 -req -in server.csr -out server.crt -signkey server.key -CA root.crt -CAkey root.key -CAcreateserial -days 3650
openssl genrsa -out client.key 2048
openssl req -new -out client.csr -key client.key
openssl x509 -req -in client.csr -out client.crt -signkey client.key -CA root.crt -CAkey root.key -CAcreateserial -days 3650
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Then, configure certificates for APISIX via the Admin API.

curl --location --request PUT 'http://127.0.0.1:9180/apisix/admin/ssls/1' \
--header 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' \
--header 'Content-Type: application/json' \
--data-raw '{
    "snis": [
        "example.com"
    ],
    "client":{
        "ca": "-----BEGIN CERTIFICATE-----\nxxxxxxxxxxxxxxxxxxxxxxxxxx\n-----END CERTIFICATE-----"
    },
    "cert": "-----BEGIN CERTIFICATE-----\nxxxxxxxxxxxxxxxxxxxxxxxxxx\n-----END CERTIFICATE-----",
    "key": "-----BEGIN RSA PRIVATE KEY-----\nxxxxxxxxxxxxxxxxxxxxxxxxxx\n-----END RSA PRIVATE KEY-----"
}'

I'm not sure why your Python program is accessing /api/orange, but the error looks like it's because Python's certificate trust is misconfigured. You can request your API via curl, like this.

curl --cert ./client.crt --key ./client.key https://example.com:9443 -k -v

You can test it by following the steps above.

2. In my perception, you may only be able to use different subdomains, and you cannot turn on or off client authentication on separate routes on the same domain SNI that has client authentication configured.

Please help point out if I am wrong.

[Lewisyixin]

1. We can ignore '/api/orange'. It's just a test uri, the same with '/'. I use python because our client credentials is using c12 with password and I failed to find to send such request by curl.. Do you have any ideas about this?
2. Ok, it seems I have to deploy a extra nginx before apisix to hold on domains with client authentication.

[bzp2010]

1. Maybe you can try stripping the password from the certificate via openssl. Or exporting p12 from crt without setting a password for it.