Not able to configure SSL for open source (CE) Tyk gateway

Hi,

I am trying to set up SSL for the open source Tyk gateway. I googled and found the link below to configure SSL:

https://tyk.io/docs/basic-config-and-security/security/tls-and-ssl/

I generated a self-signed cert as:

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Generating a 4096 bit RSA private key
…++
…++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:sg
State or Province Name (full name) []:singapore
Locality Name (eg, city) [Default City]:singapore
Organization Name (eg, company) [Default Company Ltd]:techm
Organizational Unit Name (eg, section) []:techm
Common Name (eg, your name or your server's hostname) []:ip-10-10-31-38.ap-southeast-1.compute.internal
Email Address []:[email protected]
[[email protected] tyk-gateway]# ls
apps cert.pem coprocess event_handlers install key.pem middleware policies templates tyk tyk.conf tyk.conf_backup

After that, as per the link, it asks to configure tyk.conf (with the gateway URL) and tyk-analytics.conf (with the dashboard URL).

As I am using the open source edition, I haven't installed the dashboard. I am quite confused here about what configuration is needed to set up SSL with it.

I tried to put the gateway URL and listen port 8080, but with 8080 I am getting the error "port already in use". So I updated it to 3000, but it's not working. There is nothing listening at 3000.

Please help to provide clear steps to configure SSL for the open edition.

Additionally, I would like to know, when we install the Tyk gateway open source, what all components get installed in the /opt folder, and if I want to uninstall the Tyk gateway, how I can proceed.

Hi @saloni512, can you try the documentation without the dashboard configurations or data?

> As I am using the open source edition, I haven't installed the dashboard. I am quite confused here about what configuration is needed to set up SSL with it.

You only need the section below unless you want to change the listen port

Use this whole object
"http_server_options": {
  "use_ssl": true,
  "certificates": [
    {
      "domain_name": "*.yoursite.com",
      "cert_file": "./new.cert.cert",
      "key_file": "./new.cert.key"
    }
  ]
}

> Additionally, I would like to know, when we install the Tyk gateway open source, what all components get installed in the /opt folder, and if I want to uninstall the Tyk gateway, how I can proceed.

This depends on how you installed it. But you could just delete it.

> I tried to put the gateway URL and listen port 8080, but with 8080 I am getting the error "port already in use". So I updated it to 3000, but it's not working. There is nothing listening at 3000.

Can you check the hello endpoint? But if there is a clashing port, then you would need to resolve that first.

After making the above change, hello is working fine:

curl https://ec2-18-142-155-240.ap-southeast-1.compute.amazonaws.com:8080/hello --insecure
{"status":"pass","version":"v3.2.1","description":"Tyk GW","details":{"redis":{"status":"pass","componentType":"datastore","time":"2021-10-08T05:35:34-04:00"}}}

However, with my API I am getting the below error:

curl https://ec2-18-142-155-240.ap-southeast-1.compute.amazonaws.com:8080/CloudGateway/rest/ -u "cibadmin:admin" --insecure
{
"error": "There was a problem proxying the request"

The same was working fine with non-SSL earlier (was not getting the proxy error):
curl http://ec2-18-142-155-240.ap-southeast-1.compute.amazonaws.com:8080/CloudGateway/rest/ -u "cibadmin:admin"

I tried to add the below conf in tyk.conf but am still getting the proxy error. Please suggest:

"http_server_options.ssl_insecure_skip_verify": true,
"proxy_ssl_insecure_skip_verify": true,

Can you please suggest further?

Below is the API definition I used to create the API:

curl -v -H "x-tyk-authorization: 352d20ee67be67f6340b4c0605b044b7" \
  -s \
  -H "Content-Type: application/json" \
  -X POST \
  -d '{
    "name": "cloudgatewayhttps",
    "slug": "cloudgatewayhttps",
    "api_id": "cloudgatewayhttps",
    "auth": {},
    "org_id": "1",
    "use_keyless": true,
    "definition": {
      "location": "header",
      "key": "x-api-version"
    },
    "version_data": {
      "not_versioned": true,
      "versions": {
        "Default": {
          "name": "Default",
          "use_extended_paths": true
        }
      },
      "strip_auth_data": false
    },
    "proxy": {
      "listen_path": "/CloudGateway/rest/",
      "target_url": "https://ip-10-10-31-38.ap-southeast-1.compute.internal:8443/CloudGateway/rest/",
      "strip_listen_path": false
    },
    "active": true
  }' https://ec2-18-142-155-240.ap-southeast-1.compute.amazonaws.com:8080/tyk/apis --insecure | python -mjson.tool
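
A config check for the TLS settings discussed in this thread, as an added example that is not part of the original posts or Tyk's own code: it parses a tyk.conf string and reports a plain-HTTP listener, missing certificate files, enabled skip-verify switches, and dotted top-level keys. The sample config is constructed from the snippets quoted above; the function name `audit_tyk_conf` and the assumption that a dotted key is not read as a nested path are this example's own.

```python
import json
import os

# Constructed sample: the settings quoted in this thread merged into one tyk.conf fragment.
SAMPLE_CONF = """
{
  "listen_port": 8080,
  "http_server_options.ssl_insecure_skip_verify": true,
  "proxy_ssl_insecure_skip_verify": true,
  "http_server_options": {
    "use_ssl": true,
    "certificates": [
      {"domain_name": "*.yoursite.com",
       "cert_file": "./new.cert.cert",
       "key_file": "./new.cert.key"}
    ]
  }
}
"""

def audit_tyk_conf(text, base_dir="."):
    """Return a list of (level, message) findings for a tyk.conf JSON string."""
    conf = json.loads(text)
    findings = []
    # Assumption: settings are read from nested JSON objects, so a top-level
    # key containing a dot is not treated as a path into http_server_options.
    for key in conf:
        if "." in key:
            findings.append(("warn", f"dotted top-level key {key!r}: nest it instead"))
    opts = conf.get("http_server_options", {})
    if opts.get("use_ssl") is not True:
        findings.append(("error", "http_server_options.use_ssl is not true: listener is plain HTTP"))
    for i, cert in enumerate(opts.get("certificates", [])):
        for field in ("cert_file", "key_file"):
            path = cert.get(field, "")
            if not path or not os.path.isfile(os.path.join(base_dir, path)):
                findings.append(("error", f"certificates[{i}].{field} not found: {path!r}"))
    # Skip-verify switches turn off certificate checks; flag them for review.
    for label, value in (("proxy_ssl_insecure_skip_verify", conf.get("proxy_ssl_insecure_skip_verify")),
                         ("http_server_options.ssl_insecure_skip_verify", opts.get("ssl_insecure_skip_verify"))):
        if value is True:
            findings.append(("warn", f"{label} is true: certificate verification is disabled"))
    return findings

if __name__ == "__main__":
    for level, message in audit_tyk_conf(SAMPLE_CONF):
        print(f"{level}: {message}")
```

Pass the directory the gateway is started from as `base_dir`, since the certificate paths in the sample are relative.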

@saloni512, considering the /hello path is working, the issue may be occurring during contact with the upstream server. The error is a Tyk error; however, we need to see the gateway logs to find out more information about the error.

On this thread Logs are not generating - Support - Tyk API Management Community Forum, you mentioned issues retrieving the logs. Were you able to get this resolved?