Issue while starting Tyk-Dashboard

Hi Team,

I have configured tyk-dashboard to enable SSL and run on https://; please see the configuration below.
I have a private certificate, concatenated the certificate and key into one PEM file, and used it in the configuration below.

tyk_analytics.conf

    "listen_port": 443,
    "notifications_listen_port": 5000,
    "tyk_api_config": {
        "Host": "https://localhost",
        "Port": "8080",
        "Secret": "352d20ee67be67f6340b4c0605b044b7"
    },
    "http_server_options": {
        "use_ssl": true,
        "server_name": "publicurl.com",
        "certificates": [
            {
                "domain_name": "*.publicurl.com",
                "cert_file": "./certificateFile.pem",
                "key_file": "./certificateFile.pem"
            }
        ]
    },

Now, while starting Tyk-dashboard, I am getting the errors below:

→ level=error msg="Couldn't unmarshal configuration"
→ level=error msg="json: cannot unmarshal string into Go struct field DomainConfig.portal_domains of type map[string]string"
→ level=panic msg="Server creation failed! listen tcp :443: bind: permission denied"
→ panic: (*logrus.Entry) (0xc398e0,0xc420354a00)

Please assist me with the corrective measures

Regards

Hi, can you share the full dashboard configuration file? It looks like an issue with the host_config configuration block.

The second error might be an issue with the TCP port, is the dashboard already running?

Best.

Hi @matiasb

If I run the dashboard with the https configuration, it does not start and stops with the errors mentioned above.

Please find the complete tyk_analytics.conf file


[screenshot: tyk_analytics_2]

Hi,

Now the port issue is gone, but instead a certificate issue appears when starting the dashboard and gateway.

Both dashboard and gateway are on same machine
OS : Debian 9
Installation : On prem

Dashboard log:
http: TLS handshake error from XX.XX.XX.XXX:41052: remote error: tls: bad certificate
http: TLS handshake error from XX.XX.XX.XXX:41052: remote error: tls: bad certificate

Gateway Log:
level=error msg="Request failed with error Get https://XX.XX.XX.XXX:3000/register/node: x509: cannot validate certificate for XX.XX.XX.XXX because it doesn't contain any IP SANs; retrying in 5s"
level=error msg="Request failed with error Get https://XX.XX.XX.XXX:3000/register/node: x509: cannot validate certificate for XX.XX.XX.XXX because it doesn't contain any IP SANs; retrying in 5s"
level=error msg="Request failed with error Get https://XX.XX.XX.XXX:3000/register/node: x509: cannot validate certificate for XX.XX.XX.XXX because it doesn't contain any IP SANs; retrying in 5s"

Regards

If the certificates you are using are self-signed, you will need to add ssl_insecure_skip_verify: true to the http_server_options in both of your configs.

Hi Josh,

No, I am using a signed certificate.

Is your certificate for the IP and not the domain for your localhost?

Hi @Josh

Certificate is for the public domain name.

Setup is like below:

  1. Tyk is installed on the machine with machine name: machin.domain.com
  2. For the same machine, a public domain has been created.

The certificate is for the public domain name.

Regards

I think the dashboard and gateway being on the same machine means that they are trying to connect to each other on the localhost IP, which is not listed in the cert, and so it is considered invalid. Can you add the domain the cert is registered to, to the hosts file on the machine?

That is already done, as the machine is managed centrally.

The DNSName has been added.

Hi Josh,

After adding ssl_insecure_skip_verify to both the dashboard and the gateway, the server was still throwing the error.

So I tried removing this configuration from the dashboard conf only and restarted the servers again.

Now both gateway and dashboard are up and running.

But when I try to open the dashboard in a browser, it is displayed as a "not secure" site over https://

and while accessing an API through Postman, the gateway throws the error below:
http: TLS handshake error from XX.XX.XX.XXX:49524: tls: first record does not look like a TLS handshake

Is the certificates portion of your config in your screenshot accurate, or have you just added a placeholder for posting here?

In it you have it pointing at the certificate twice instead of at the cert and the key.

Hi Josh,

I have one PEM-format certificate, with the cert and key concatenated into one file.

If I give only the certificate path, the dashboard throws an error, so I have pointed both cert and key at the same PEM file.

Hi @Josh

Most issues are resolved now, but when trying to access APIs on the gateway with SSL enabled and mutual TLS,

I get the error below:
{
"error": "Certificate with SHA256 68e3606f61488e06d4753f9277b27a42d21e98bde35d7a357a6c977b5a1126f0 not allowed"
}

The client certificate is a self-signed certificate.

Regards
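The three certificate problems in this thread (one PEM file holding both cert and key, the gateway refusing the dashboard's certificate for lack of an IP SAN, and the mutual-TLS rejection by SHA256 fingerprint) can all be checked offline before restarting anything. The following is an added example, not code from the thread or from Tyk: it splits a concatenated PEM bundle, runs Go's own crypto/x509 verification (the library behind the gateway's "doesn't contain any IP SANs" message) against a DNS name and an IP, and prints the SHA-256-over-DER fingerprint in the 64-character lowercase hex form the "Certificate with SHA256 ... not allowed" error shows. The hostname machine.example.com and address 10.0.0.5 are placeholders, the certificate is constructed in the program, and the assumption that Tyk computes the fingerprint as plain SHA-256 over the DER certificate is mine, not stated on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// splitPEM separates a concatenated PEM bundle (certificate chain followed by
// the private key, as used for both cert_file and key_file above) into the
// DER bytes of each CERTIFICATE block and the DER bytes of the key block.
func splitPEM(bundle []byte) (certs [][]byte, key []byte) {
	for {
		var blk *pem.Block
		blk, bundle = pem.Decode(bundle)
		if blk == nil {
			return certs, key
		}
		switch {
		case blk.Type == "CERTIFICATE":
			certs = append(certs, blk.Bytes)
		case strings.HasSuffix(blk.Type, "PRIVATE KEY"):
			key = blk.Bytes
		}
	}
}

// verifyFor applies the check a Go TLS client (the gateway) performs when it
// dials hostOrIP. The self-signed certificate is used as its own trust root
// so that only the hostname/IP SAN check can fail.
func verifyFor(der []byte, hostOrIP string) error {
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: hostOrIP, Roots: roots})
	return err
}

// tykFingerprint returns lowercase hex of SHA-256 over the DER certificate.
// Assumption: this is the 64-character value in the "not allowed" error.
func tykFingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// makeTestBundle builds a constructed self-signed certificate with the given
// SANs and returns it PEM-encoded with the key appended (single-file layout).
func makeTestBundle(dnsNames []string, ips []string) ([]byte, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed test cert"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     dnsNames,
	}
	for _, s := range ips {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	out = append(out, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})...)
	return out, nil
}

func main() {
	// Placeholder name and address; the thread's real ones are redacted.
	bundle, err := makeTestBundle([]string{"machine.example.com"}, nil)
	if err != nil {
		panic(err)
	}
	certs, key := splitPEM(bundle)
	fmt.Printf("bundle holds %d certificate(s) and a %d-byte key\n", len(certs), len(key))
	fmt.Println("by DNS name:", verifyFor(certs[0], "machine.example.com"))
	fmt.Println("by IP:      ", verifyFor(certs[0], "10.0.0.5"))
	fmt.Println("fingerprint:", tykFingerprint(certs[0]))
}
```

Point the same functions at the real bundle (read the file, call splitPEM, then verifyFor with the exact host or IP the gateway has in its dashboard URL) to see which of the two errors above you will get before restarting services; the IP case fails unless the certificate carries an IP SAN, so a certificate issued for the public domain only works if the gateway dials that domain rather than the address. For the mutual-TLS case, run tykFingerprint on the client certificate's DER to get the value that has to appear in the gateway's allowed-certificates list.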

Hello All,

Any suggestions on the above issue?

Regards.

Check whether the cert you have imported includes the intermediate and root. Import just the leaf and try again.