Enabling SSL in TYK quickstart (docker) not working

Hi, I am using the TYK quickstart and need to enable SSL.
I put the SSL config in both tyk.conf and tyk_analytics.conf. However, the TYK gateway does not start unless I remove the SSL config below from the tyk.conf file.
The same issue also happens when I update the connection string in tyk.conf to https, i.e. "connection_string": "https://mydomain.com:3000". It seems the only way to get the TYK gateway to start when I do docker restart is to remove the SSL config block below AND make sure the connection string is "http" and not https.

I tried both SSL config options below but it does not accept either.
How can I see the log from the gateway? No logs are available in /var/logs/…

"http_server_options": {
    "use_ssl": true,
    "certificates": [
        {
            "domain_name": "*.mydomain.com",
            "cert_file": "/etc/ssl/certs/STAR_mydomain_com.crt",
            "key_file": "/etc/ssl/certs/STAR_mydomain_com.key"
        }
    ],
    "min_version": "1.2"
},

"http_server_options": {
    "use_ssl": true,
    "server_name": "mydomain.com",
    "min_version": "1.2",
    "certificates": [
        {
            "domain_name": "*.mydomain.com",
            "cert_file": "/etc/ssl/certs/STAR_mydomain_com.crt",
            "key_file": "/etc/ssl/certs/STAR_mydomain_com.key"
        }
    ]
},

Can you share the logs from gateway?

Have you tried linting the JSON file?

Are the certs mounted into the container?

Yes, the JSON file validates OK.
The SSL certs are in the folder /etc/ssl/certs, which is already mounted in the container (when I log in to the container I can successfully do: "cat /etc/ssl/certs/STAR_mydomain_com.crt").
Can you please advise where/how I can get the logs? I looked in /var/log and used the command: sudo journalctl -fu docker.service

You need to do

docker logs --tail=100 tyk-gateway

(Or whatever the gateway container gets called)

I see the following message in both the gateway and dashboard logs:

time="Jul 28 12:35:11" level=fatal msg="Server error: loadkeys: tls: failed to find any PEM data in key input"

The private key is in PEM format, converted with:
openssl rsa -in yourdomain.key -outform PEM -out yourdomain_pem.key

I got the certificate converted to PEM format now. Now I am able to log in to the dashboard using https.
However, there are still some issues on the Gateway; the error is:
time="Jul 28 18:26:09" level=error msg="Request failed: Get https://mydomain.com:3000/register/node: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
time="Jul 28 18:26:01" level=error msg="Policy request failed: Get https://mydomain.com:3000/system/policies: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"

Well, the error message is quite clear… the gateway can’t see the dashboard and the connection is timing out.

This is very easy to check - from the gateway instance, curl the login page of your dashboard.

Are you running the dashboard on port 3000 or on 443? If you have changed the port of the dashboard, you need to update the gateway's config.

Yes, I am running the dashboard on port 3000 (I didn't change the port settings).
Currently I am able to log in on a browser from a remote machine to the dashboard via the https URL (on port 3000). When I curl from the docker host machine I get a response from the dashboard. When I use Postman from a remote machine I am able to get a response from the dashboard. I am able to ping the dashboard from the gateway container… But when I curl from the gateway container it just times out.

Ok, the fact the ping works is promising. But if the curl fails between containers that’s a worry. Just because docker container apps can be accessed from outside doesn’t mean they can interact with one another.

The issue might be the listening domain; if you've set a domain name on the host, the dashboard might be being really strict. Have you tried curling the dashboard domain instead of the container name?

Yes, I have been curling the dash domain, as this is the valid domain for the wildcard SSL.

Ok, the quickstart container is a self-contained demo that uses all kinds of docker-specific tricks to work; messing with it can mean things break.

It might be better to use a more straightforward demo that doesn't try any fancy internal DNS trickery:

After some time troubleshooting, I discovered it's an issue with port forwarding between the host and the container.
When running tcpdump, all requests from remote hosts are routed as follows:
remote host:43792 > Docker Host:3000 >
Docker host:43792 > Dashboard_container:3000
And the reverse happens for the response.
But all requests from the gateway container to the dashboard end up like this:
Gateway:42345 > Docker Host:3000

To resolve this, I added the required port forwarding rule:
sudo iptables -t nat -A PREROUTING -s 172.18.0.5 -p tcp --dport 3000 -j DNAT --to-destination 172.18.0.2

Now the gateway is able to reach the dashboard container.
However, I am now getting the error:
time="Jul 30 08:12:25" level=error msg="Request failed: Get https://mydomain:3000/register/node: x509: certificate signed by unknown authority"
Now looking into the intermediate certificates…

Good to hear. You can use self-signed certs, but you need to add them to your OS trusted certificate store (in this case you need to mount it into the docker container).
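Both gateway failures in this thread come from the Go standard library that Tyk is built on: "loadkeys: tls: failed to find any PEM data in key input" is raised by tls.X509KeyPair when the key file is not PEM, and "x509: certificate signed by unknown authority" is raised by x509.Certificate.Verify when the dashboard's certificate does not chain to a CA the gateway trusts. The following is an added example, not Tyk's code and not part of any post above: it builds a throwaway CA and a leaf certificate for the constructed name *.example.test entirely in memory, then runs the same two checks the gateway performs, so a key/cert pair and a CA bundle can be tested before restarting the containers. The `"min_version": "1.2"` setting is shown as its tls.Config equivalent.

```go
// Added example (not Tyk's code): reproduce the two TLS checks the gateway
// performs, using the Go standard-library calls Tyk relies on. All keys and
// certificates are constructed in memory; *.example.test is a made-up name.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// TestMaterial holds the constructed CA and leaf certificate in PEM form,
// plus the leaf private key as PEM and as raw DER (the "not PEM" case).
type TestMaterial struct {
	CACertPEM, LeafCertPEM, LeafKeyPEM, LeafKeyDER []byte
}

// GenerateMaterial builds a throwaway CA and a leaf for *.example.test signed by it.
func GenerateMaterial() (*TestMaterial, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "*.example.test"},
		DNSNames:     []string{"*.example.test", "example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	if err != nil {
		return nil, err
	}
	return &TestMaterial{
		CACertPEM:   pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}),
		LeafCertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER}),
		LeafKeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		LeafKeyDER:  keyDER,
	}, nil
}

// CheckKeyPair is the server-side check for each "certificates" entry: both
// files must be PEM and the key must match the certificate. A DER key fails
// with "tls: failed to find any PEM data in key input".
func CheckKeyPair(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// VerifyChain is the client-side check the gateway performs when it dials the
// dashboard over https: the leaf must chain to a trusted root for host. With
// an empty pool this fails with "x509: certificate signed by unknown authority".
func VerifyChain(leafPEM, caPEM []byte, host string) error {
	block, _ := pem.Decode(leafPEM)
	if block == nil {
		return fmt.Errorf("leaf: no PEM data")
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // empty, non-nil: system roots are NOT consulted
	if caPEM != nil && !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("ca: no PEM certificates found")
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// MinTLS12Config is the tls.Config equivalent of `"min_version": "1.2"`.
func MinTLS12Config(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

func main() {
	m, err := GenerateMaterial()
	if err != nil {
		panic(err)
	}
	fmt.Println("PEM key pair:   ", CheckKeyPair(m.LeafCertPEM, m.LeafKeyPEM))
	fmt.Println("DER key pair:   ", CheckKeyPair(m.LeafCertPEM, m.LeafKeyDER))
	fmt.Println("chain, no CA:   ", VerifyChain(m.LeafCertPEM, nil, "api.example.test"))
	fmt.Println("chain, with CA: ", VerifyChain(m.LeafCertPEM, m.CACertPEM, "api.example.test"))
}
```

To check real files instead of the constructed material, read the cert, key and CA bundle with os.ReadFile and pass the bytes to CheckKeyPair and VerifyChain; the host argument should be the dashboard name from connection_string, because a wildcard such as *.mydomain.com matches one label only.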

Resolved the intermediate certificate issue and restarted the containers; all looks OK except when "Loading API configuration" the Gateway hits something it doesn't like and keels over.
time="Jul 30 12:38:05" level=info msg="Loading API" api_name="api/v1/getMessageLog"
time="Jul 30 12:38:05" level=info msg="Checking security policy: JWT" api_name="api/v1/getMessageLog"
time="Jul 30 12:38:05" level=info msg="Loading API" api_name="Portal Assets"
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x42cfbb]

goroutine 57060 [running]:
panic(0xccaae0, 0xc420010070)
/usr/local/go/src/runtime/panic.go:500 +0x1a1
main.processSpec(0xc42075ebe0, 0xc420414460, 0x1, 0xc4202694e0, 0xc420269520, 0xc420269540, 0xc42057b1a0, 0xc42057b200, 0xc420414460, 0x515dfb)
/src/github.com/TykTechnologies/tyk/api_loader.go:149 +0x5bb
main.loadApps.func1(0xc420279cc0, 0xc4200224f0, 0xc4202694e0, 0xc420269520, 0xc420269540, 0xc42057b1a0, 0xc42057b200, 0xc42057b260, 0xc42075ebe0, 0x1, …)
/src/github.com/TykTechnologies/tyk/api_loader.go:646 +0x10a
created by main.loadApps
/src/github.com/TykTechnologies/tyk/api_loader.go:649 +0x4eb

I resolved the issue by removing the containers and recreating new ones. Now all seems to work fine.
