Configuring Tyk Community - No Dashboard - Lets Encrypt

Support Installation and Deployment
1

Hi,

We’re trying to put together POC of tyk running in kubernetes, we dont want the dashboard or mongo
we plan to pump logs into elasticsearch, all our config needs to be automated as the gateway needs to be able to scale with load.

Ive got kubernetes config sorted, i’m passing the .conf and an api.json file via kubectl but i’m having problems with SSL
I was hoping to use the lets encrypt functionality to quickly get some SSL certs up - i guess i’m missing something from your documentation because i keep getting errors

The main example below seems to be for predefined SSL certs, do i just add the use_ssl_le boolean? If so where does LE create the SSL key (docs refer to REDIS) - if i leave out the cert_file and key_file locations i just get an error at boot: [Server error: loadkeys: open : no such file or directory]

"http_server_options": { "use_ssl": true, "use_ssl_le": true ##documentation## suggests this is all i need?? "server_name": "yoursite.com", "min_version": "1.2", "certificates": [ { "domain_name": "*.yoursite.com", "cert_file": "./new.cert.cert", ## what do i do with these? "key_file": "./new.cert.key" ## when using letsencrypt } ] },

My full config is below:

{ "listen_port": 8443, "secret": "000000000000000000", "node_secret": "000000000000000000", "template_path": "/opt/tyk-gateway/templates", "tyk_js_path": "/opt/tyk-gateway/js/tyk.js", "middleware_path": "/opt/tyk-gateway/middleware", "use_db_app_configs": false, "app_path": "/opt/tyk-gateway/apps/", "storage": { "type": "redis", "enable_cluster": false, "hosts": { "euw-gcp-prd-redis-001-1-vm": "6379" }, "username": "", "password": "", "database": 1, "optimisation_max_idle": 100 }, "enable_analytics": true, "use_logstash": true, "logstash_transport": "tcp", "logstash_network_addr": "tbc", "health_check": { "enable_health_checks": true, "health_check_value_timeouts": 60 }, "optimisations_use_async_session_write": true, "enable_non_transactional_rate_limiter": true, "enable_sentinel_rate_limiter": false, "allow_master_keys": false, "policies": { "policy_source": "file" }, "hash_keys": true, "close_connections": true, "http_server_options": { "use_ssl": true, "use_ssl_le": true, "server_name": "projectone.com", "min_version": "1.2", "certificates": [ { "domain_name": "tyk.projectone.com" } ] }, "allow_insecure_configs": true, "coprocess_options": { "enable_coprocess": false, "coprocess_grpc_server": "" }, "enable_bundle_downloader": true, "bundle_base_url": "", "global_session_lifetime": 100, "force_global_session_lifetime": false, "max_idle_connections_per_host": 100 }

I anyone could let me know where im going wrong that would be amazing - thanks

2

Hi,

To get LE to work, you need to be running a service resolvable by ACME, and all that’s needed is:

"http_server_options": {
        "use_ssl_le": true,
    },

These will only work for your APIs on the gateway, so accessing APIs (not the portal or the dashboard), via an https endpoint will cause the gateway to try and register an SSL cert for that API, however, it always needs to resolve, and the gateway will provide plenty of output if it fails to do it:

yk-gateway_1    | 2017/02/03 23:11:33 [INFO] acme: Registering account for
tyk-gateway_1    | time="Feb  3 23:11:35" level=info msg="[SSL] State change detected, storing"
tyk-gateway_1    | 2017/02/03 23:11:36 [INFO][www.tyk-test.com] acme: Obtaining bundled SAN certificate
tyk-gateway_1    | 2017/02/03 23:11:37 [INFO][www.tyk-test.com] acme: Trying to solve TLS-SNI-01
tyk-gateway_1    | 2017/02/03 23:11:40 http: TLS handshake error from 10.0.75.1:64222: map[www.tyk-test.com:acme: Error 400 - urn:acme:error:connection - DNS problem: NXDOMAIN looking up A for www.tyk-test.com
tyk-gateway_1    | Error Detail:
tyk-gateway_1    |      Validation for www.tyk-test.com:
tyk-gateway_1    |      Resolved to:
tyk-gateway_1    |
tyk-gateway_1    |      Used:
tyk-gateway_1    |
tyk-gateway_1    | ]

(this obviously failed because that domain does not resolve)

The SSL cert is created and then stored in redis to be shared across the gateways (e.g. in a scaling event), so it should work with a larger gateway setup.

You don’t want to set a hostname or anything else in tyk.conf, the whole point of LE support is so that it is dynamic for when you use the domain support in Tyk in the API Definition. But it should just work even if you use any arbitrary hostname that resolves to the IP the gateway is listening on.