help request: Error: "failed to find any SSL certificate by SNI" when in dashboard SNI exists #9518

Closed
MirtoBusico opened this issue May 20, 2023 · 9 comments
Labels
bug Something isn't working

Comments

MirtoBusico commented May 20, 2023

Description

I have a route, upstream and SNI for the host "www.h.net".
But when I try to access the URL I receive an error, and looking at the logs, the last lines are:

127.0.0.6 - - [20/May/2023:15:57:56 +0000] apisix-admin.apisix.svc.cluster.local:9180 "GET /apisix/admin/upstreams/6d394703 HTTP/1.1" 404 39 0.002 "-" "Go-http-client/1.1" - - - "http://apisix-admin.apisix.svc.cluster.local:9180"
127.0.0.6 - - [20/May/2023:15:57:56 +0000] apisix-admin.apisix.svc.cluster.local:9180 "GET /apisix/admin/upstreams/93400b20 HTTP/1.1" 404 39 0.002 "-" "Go-http-client/1.1" - - - "http://apisix-admin.apisix.svc.cluster.local:9180"
127.0.0.6 - - [20/May/2023:15:57:56 +0000] apisix-admin.apisix.svc.cluster.local:9180 "GET /apisix/admin/upstreams/3b59d238 HTTP/1.1" 404 39 0.001 "-" "Go-http-client/1.1" - - - "http://apisix-admin.apisix.svc.cluster.local:9180"
127.0.0.6 - - [20/May/2023:16:17:53 +0000] 192.168.151.10 "GET / HTTP/1.1" 404 47 0.000 "-" "curl/7.88.1" - - - "http://192.168.151.10"
2023/05/20 16:28:28 [error] 50#50: *325034 [lua] radixtree_sni.lua:176: match_and_set(): failed to find any SSL certificate by SNI: www.h.net, context: ssl_certificate_by_lua*, client: 127.0.0.6, server: 0.0.0.0:9443
2023/05/20 16:28:28 [error] 53#53: *325036 [lua] radixtree_sni.lua:176: match_and_set(): failed to find any SSL certificate by SNI: www.h.net, context: ssl_certificate_by_lua*, client: 127.0.0.6, server: 0.0.0.0:9443

What am I doing wrong?

The route definition is:

{
  "uri": "/*",
  "name": "www",
  "desc": "www.h.net primary route",
  "methods": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "HEAD",
    "OPTIONS",
    "CONNECT",
    "TRACE",
    "PURGE"
  ],
  "host": "www.h.net",
  "plugins": {
    "redirect": {
      "http_to_https": true
    }
  },
  "upstream_id": "461493987803398719",
  "status": 1
}

The upstream definition is:

{
  "timeout": {
    "connect": 6,
    "send": 6,
    "read": 6
  },
  "type": "roundrobin",
  "scheme": "http",
  "discovery_type": "dns",
  "pass_host": "pass",
  "name": "productpage",
  "service_name": "productpage.bookinfo.svc.cluster.local:9080",
  "keepalive_pool": {
    "idle_timeout": 60,
    "requests": 1000,
    "size": 320
  }
}

The SNI (copied from the Apisix-dashboard) is:

SNI                                             Expiration Time         Update Time             Operation
www www.h.net www.ext.h.net www.int.h.net       2032-11-23 13:08:26     2023-05-20 19:25:44

Apisix was installed with chart:

sysop@hdev:~/H/software/apisisx$ helm show chart apisix/apisix
annotations:
  artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 3.3.0
dependencies:
- condition: etcd.enabled
  name: etcd
  repository: https://charts.bitnami.com/bitnami
  version: 8.7.7
- alias: dashboard
  condition: dashboard.enabled
  name: apisix-dashboard
  repository: https://charts.apiseven.com
  version: 0.8.0
- alias: ingress-controller
  condition: ingress-controller.enabled
  name: apisix-ingress-controller
  repository: https://charts.apiseven.com
  version: 0.11.4
description: A Helm chart for Apache APISIX v3
icon: https://apache.org/logos/res/apisix/apisix.png
maintainers:
- name: tao12345666333
name: apisix
sources:
- https://github.com/apache/apisix-helm-chart
type: application
version: 1.4.0

Dashboard version is 3.0.0

BTW in the previous installation (the one reported in this blog post) it worked

Then the apisix chart was

sysop@hdev:~/H/software/apisisx$ helm show chart apisix/apisix
annotations:
  artifacthub.io/prerelease: "false"
apiVersion: v2
appVersion: 2.15.1
dependencies:
- condition: etcd.enabled
  name: etcd
  repository: https://charts.bitnami.com/bitnami
  version: 8.3.4
- alias: dashboard
  condition: dashboard.enabled
  name: apisix-dashboard
  repository: https://charts.apiseven.com
  version: 0.6.1
- alias: ingress-controller
  condition: ingress-controller.enabled
  name: apisix-ingress-controller
  repository: https://charts.apiseven.com
  version: 0.10.1
description: A Helm chart for Apache APISIX
icon: https://apache.org/logos/res/apisix/apisix.png
maintainers:
- name: tao12345666333
name: apisix
sources:
- https://github.com/apache/apisix-helm-chart
type: application
version: 0.11.3

Dashboard version was 2.13.0

Environment

  • APISIX version (run apisix version): 3.3.0
  • Operating system (run uname -a): Linux apisix-694d5589cc-l2948 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64 GNU/Linux
  • OpenResty / Nginx version (run openresty -V or nginx -V):
  • etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
  • APISIX Dashboard version, if relevant: 3.0.0
  • Plugin runner version, for issues related to plugin runners:
  • LuaRocks version, for installation issues (run luarocks --version):
@MirtoBusico
Author

Maybe it is related to the #8663 bug (that is marked as closed)?

@lingsamuel lingsamuel added the bug Something isn't working label Jun 20, 2023
@lingsamuel lingsamuel moved this to 📋 Backlog in Apache APISIX backlog Jun 26, 2023
@shreemaan-abhishek
Contributor

@MirtoBusico, are you using the dashboard to manage SNIs? If yes, please give this a shot with the API, the dashboard is not maintained actively and it has compatibility issues with APISIX.

@MirtoBusico
Author

> @MirtoBusico, are you using the dashboard to manage SNIs? If yes, please give this a shot with the API, the dashboard is not maintained actively and it has compatibility issues with APISIX.

Hi @shreemaan-abhishek, it makes me sad that the dashboard is no longer maintained.

When I had to select an Api Gateway (that was open source) my choice was Apisix because it was the only Api Gateway with a dashboard included in the open source version.

What are your plans for a tool to manage and change in realtime apisix configurations?

@shreemaan-abhishek
Contributor

@MirtoBusico, it's not actively maintained. It seems the maintainers are not that active, essentially it's a community project so anyone can contribute anytime.

> What are your plans for a tool to manage and change in realtime apisix configurations?

The admin API!

@shreemaan-abhishek
Contributor

shreemaan-abhishek commented Jul 20, 2023

That being said, please give this a shot with the admin API and let us know if the bug still exists.

@shreemaan-abhishek
Contributor

You can refer to the mTLS documentation if you need any help: https://apisix.apache.org/docs/apisix/mtls/
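
The advice in the comments above, worked through as an added example (not code from this thread or from the APISIX project): it pulls the unmatched server names out of the error log and builds the Admin API request that stores a certificate for them. It assumes the APISIX 3.x `/apisix/admin/ssls/{id}` endpoint with the `X-API-KEY` header; the SSL id `1`, the key and the PEM strings are placeholders.

```python
import json
import re
import urllib.request

# Error text as it appears in the log lines quoted in the issue.
SNI_MISS = re.compile(r"failed to find any SSL certificate by SNI: ([^,\s]+)")

def missing_snis(log_lines):
    """Count, per server name, the TLS handshakes that found no certificate."""
    counts = {}
    for line in log_lines:
        m = SNI_MISS.search(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

def build_ssl_put(admin_base, api_key, ssl_id, cert_pem, key_pem, snis):
    """Build (without sending) the Admin API request that stores an SSL object."""
    body = {"cert": cert_pem, "key": key_pem, "snis": sorted(snis)}
    return urllib.request.Request(
        url=f"{admin_base.rstrip('/')}/apisix/admin/ssls/{ssl_id}",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={"X-API-KEY": api_key, "Content-Type": "application/json"},
    )

# Constructed sample input: the two error lines from the issue.
SAMPLE_LOG = [
    "2023/05/20 16:28:28 [error] 50#50: *325034 [lua] radixtree_sni.lua:176: "
    "match_and_set(): failed to find any SSL certificate by SNI: www.h.net, "
    "context: ssl_certificate_by_lua*, client: 127.0.0.6, server: 0.0.0.0:9443",
    "2023/05/20 16:28:28 [error] 53#53: *325036 [lua] radixtree_sni.lua:176: "
    "match_and_set(): failed to find any SSL certificate by SNI: www.h.net, "
    "context: ssl_certificate_by_lua*, client: 127.0.0.6, server: 0.0.0.0:9443",
]

if __name__ == "__main__":
    misses = missing_snis(SAMPLE_LOG)
    print("unmatched SNIs:", misses)
    # Placeholders: supply the real admin key and PEM contents. The body carries
    # the private key, so send it only over a trusted path to the admin listener.
    req = build_ssl_put(
        "http://apisix-admin.apisix.svc.cluster.local:9180",
        "<admin-api-key>", "1", "<certificate PEM>", "<private key PEM>", misses,
    )
    print(req.get_method(), req.full_url)
    # with urllib.request.urlopen(req) as resp: print(resp.status)
```

If the error persists after the object is stored, a `GET` on the same URL shows whether the gateway's own store holds the `snis` list the handshake is looking up.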

@MirtoBusico
Author

Thanks @shreemaan-abhishek I'll try to learn how to manage Apisix using the Admin API and I'll verify if the bug exists (probably not).

In the meantime I think you can close this request, because (if the bug still exists) I'll have to file a request for the Admin API.

@Revolyssup
Contributor

> Thanks @shreemaan-abhishek I'll try to learn how to manage Apisix using the Admin API and I'll verify if the bug exists (probably not).
>
> In the meantime I think you can close this request, because (if the bug still exists) I'll have to file a request for the Admin API.

@MirtoBusico You can close this issue in that case.

@MirtoBusico
Author

Waiting for the new release

@github-project-automation github-project-automation bot moved this from 📋 Backlog to ✅ Done in Apache APISIX backlog Jul 27, 2023