Errors while setting up SSL on Tyk


#1

Hey,

I am trying to properly set up SSL on both my Dashboard and Gateway using Let's Encrypt, and following the docs I added this:

"http_server_options": {
  "use_ssl": true,
  "use_ssl_le": true
}

My tyk.conf looks like this

{
  "allow_insecure_configs": true,
  "listen_address": "",
  "listen_port": 443,
  "secret": "352d20ee67be67f6340b4c0605b044b7",
  "node_secret": "352d20ee67be67f6340b4c0605b044b7",
  "template_path": "/opt/tyk-gateway/templates",
  "use_db_app_configs": true,
  "db_app_conf_options": {
    "connection_string": "http://localhost:3000"
  },
  "app_path": "/opt/tyk-gateway/apps",
  "middleware_path": "/opt/tyk-gateway/middleware",
  "storage": {
    "type": "redis",
    "host": "localhost",
    "port": 6379,
    "optimisation_max_idle": 2000,
    "optimisation_max_active": 4000
  },
  "enable_analytics": true,
  "analytics_config": {
    "type": "",
    "ignored_ips": []
  },
  "optimisations_use_async_session_write": true,
  "allow_master_keys": false,
  "policies": {
    "policy_source": "service",
    "policy_connection_string": "http://localhost:3000",
    "policy_record_name": "tyk_policies",
    "allow_explicit_policy_id": true
  },
  "hash_keys": true,
  "max_idle_connections_per_host": 500,
  "http_server_options": {
    "use_ssl": true,
    "use_ssl_le": true
  }
}

and my tyk_analytics.conf looks like this

{
    "listen_port": 3000,
    "tyk_api_config": {
        "Host": "http://localhost",
        "Port": "443",
        "Secret": "352d20ee67be67f6340b4c0605b044b7"
    },
    "mongo_url": "mongodb://localhost/tyk_analytics",
    "mongo_use_ssl": false,
    "mongo_ssl_insecure_skip_verify": false,
    "mongo_session_consistency": "",
    "page_size": 10,
    "admin_secret": "12345",
    "shared_node_secret": "352d20ee67be67f6340b4c0605b044b7",
    "redis_port": 6379,
    "redis_host": "localhost",
    "redis_password": "",
    "enable_cluster": false,
    "redis_use_ssl": false,
    "redis_ssl_insecure_skip_verify": false,
    "force_api_defaults": false,
    "notify_on_change": true,
    "license_key": "key....."
    "redis_database": 0,
    "redis_hosts": null,
    "hash_keys": true,
    "email_backend": {
        "enable_email_notifications": false,
        "code": "",
        "settings": null,
        "default_from_email": "",
        "default_from_name": "",
        "dashboard_hostname": ""
    },
    "hide_listen_path": false,
    "sentry_code": "",
    "sentry_js_code": "",
    "use_sentry": false,
    "enable_master_keys": false,
    "enable_duplicate_slugs": true,
    "show_org_id": true,
    "host_config": {
        "enable_host_names": true,
        "disable_org_slug_prefix": true,
        "hostname": "localhost",
        "override_hostname": "localhost",
        "portal_domains": {},
        "portal_root_path": "/portal",
        "generate_secure_paths": false,
        "secure_cookies": false,
        "use_strict_hostmatch": false
    },
    "security": {
        "allow_admin_reset_password": false,
        "login_failure_username_limit": 0,
        "login_failure_ip_limit": 0,
        "login_failure_expiration": 0,
        "login_disallow_forward_proxy": false,
        "audit_log_path": ""
    },
    "ui": {
        "languages": {
            "Chinese": "cn",
            "English": "en",
            "French": "fr",
            "Korean": "ko"
        },
        "hide_help": false,
        "default_lang": "en",
        "login_page": {},
        "nav": {},
        "uptime": {},
        "portal_section": null,
        "designer": {},
        "dont_show_admin_sockets": false,
        "dont_allow_license_management": false,
        "dont_allow_license_management_view": false,
        "cloud": false
    },
    "home_dir": "/opt/tyk-dashboard",
    "identity_broker": {
        "enabled": false,
        "host": {
            "connection_string": "http://localhost:3010",
            "secret": "934893845123491238192381486djfhr87234827348"
        }
    },
    "tagging_options": {
        "tag_all_apis_by_org": false
    },
    "use_sharded_analytics": false,
    "enable_aggregate_lookups": true,
    "enable_analytics_cache": false,
    "aggregate_lookup_cutoff": "01/07/2016",
    "maintenance_mode": false,
    "allow_explicit_policy_id": false,
    "private_key_path": "",
    "node_schema_path": "",
    "oauth_redirect_uri_separator": ";",
    "statsd_connection_string": "",
    "statsd_prefix": "",
    "disable_parallel_sessions": false,
    "dashboard_session_lifetime": 0,
    "alternative_dashboard_url": "",
    "sso_permission_defaults": null,
    "sso_default_group_id": "",
    "sso_custom_login_url": "",
    "sso_custom_portal_login_url": "",
    "notifications_listen_port": 5000,
    "portal_session_lifetime": 0,
    "enable_delete_key_by_hash": false
}

There is no SSL on either my dashboard or my gateway.

Also

Logs for tyk-dashboard are

Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="connecting to MongoDB: [localhost]"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="mongo connection established"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Creating new Redis connection pool"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Creating new Redis connection pool"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Creating new Redis connection pool"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Creating new Redis connection pool"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Adding available nodes..."
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Tyk Analytics Dashboard v1.7.5"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Copyright Martin Buhr 2016"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="https://www.tyk.io"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Listening on port: 3000"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Registering nodes..."
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Adding available nodes..."
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Creating new Redis connection pool"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Socket server started"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="--> Standard listener (http) for UI notifications" addr=":5000"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="--> Standard listener (http) for dashboard and API"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Starting zeroconf heartbeat"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Starting notification handler for gateway cluster"
Mar 30 09:06:52 gateway tyk-analytics[2816]: time="Mar 30 09:06:52" level=info msg="Loading routes..."
Mar 30 09:06:55 gateway tyk-analytics[2816]: time="Mar 30 09:06:55" level=info msg="Got configuration for nodeID: 38e801d9-f6c3-4ee1-7640-17c3e81b56ea|gateway"
Mar 30 09:07:03 gateway tyk-analytics[2816]: time="Mar 30 09:07:03" level=info msg="Sending config request for node: 38e801d9-f6c3-4ee1-7640-17c3e81b56ea-gateway"
Mar 30 09:07:03 gateway tyk-analytics[2816]: time="Mar 30 09:07:03" level=info msg="Got configuration for nodeID: 38e801d9-f6c3-4ee1-7640-17c3e81b56ea|gateway"
Mar 30 09:07:19 gateway tyk-analytics[2816]: time="Mar 30 09:07:19" level=error msg="No nodes available"
Mar 30 09:07:24 gateway tyk-analytics[2816]: time="Mar 30 09:07:24" level=error msg="No nodes available"
Mar 30 09:07:32 gateway tyk-analytics[2816]: time="Mar 30 09:07:32" level=info msg="Sending config request for node: 38e801d9-f6c3-4ee1-7640-17c3e81b56ea-gateway"
Mar 30 09:07:32 gateway tyk-analytics[2816]: time="Mar 30 09:07:32" level=info msg="Got configuration for nodeID: 38e801d9-f6c3-4ee1-7640-17c3e81b56ea|gateway"
Mar 30 09:08:12 gateway tyk-analytics[2816]: time="Mar 30 09:08:12" level=warning msg="Login opened from: 122.179.41.30:59660"

and tyk-gateway are

Mar 30 09:07:19 gateway tyk[2898]: time="Mar 30 09:07:19" level=info msg="Redis connection pools are ready after number of retires" currRetry=0
Mar 30 09:07:19 gateway tyk[2898]: time="Mar 30 09:07:19" level=info msg="Redis connection pools are ready"
Mar 30 09:07:19 gateway tyk[2898]: time="Mar 30 09:07:19" level=info msg="--> Using SSL (https)"
Mar 30 09:07:19 gateway tyk[2898]: time="Mar 30 09:07:19" level=info msg="Setting up Server"
Mar 30 09:07:19 gateway tyk[2898]: time="Mar 30 09:07:19" level=info msg="Registering node."
Mar 30 09:07:19 gateway tyk[2898]: time="Mar 30 09:07:19" level=error msg="Response failed with code 404; retrying in 5s"
Mar 30 09:07:20 gateway tyk[2898]: time="Mar 30 09:07:20" level=warning msg="Insecure configuration detected (allowing)!"
Mar 30 09:07:24 gateway tyk[2898]: time="Mar 30 09:07:24" level=error msg="Response failed with code 404; retrying in 5s"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Starting Poller"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Node registered" id=38e801d9-f6c3-4ee1-7640-17c3e81b56ea
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Gateway started (v2.7.6)"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Initialising distributed rate limiter"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="--> Listening on address: (open interface)"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="--> Listening on port: 443"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="--> PID: 2898"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Loading policies"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Using Policies from Dashboard Service"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Mutex lock acquired... calling"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Calling dashboard service for policy list"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Starting gateway rate limiter notifications..."
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Processing policy list"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Policies found (0 total):"
Mar 30 09:07:29 gateway tyk[2898]: time="Mar 30 09:07:29" level=info msg="Detected 22 APIs"

How do I properly set up SSL on both my Dashboard and Gateway using Let's Encrypt?


#2

I think you would be better off generating the cert and specifying it the standard way: https://www.tyk.io/docs/security/tls-and-ssl/

I think the LE specific support is a bit outdated at the moment.

Thanks
Josh


#3

Hey @Josh,

Thanks. I set up a self-signed SSL certificate and it's working.

- Nithin