Not found response in Tyk mTLS

Hi,

I am using the Tyk Pro-Docker Demo from GitHub (GitHub - TykTechnologies/tyk-pro-docker-demo: Tyk Pro demo using docker and docker compose, supercedes tyk_quickstart) to learn mTLS in Tyk. I am referring to static mTLS in the Tyk documentation (Client mTLS).

I followed the example and chose ‘open keyless’ & ‘mutual tls’ under the multiple authentication mode. I want to proxy through ‘http://httpbin.org/’. I also generated the self-signed key pair using the command given in the Tyk documentation.

However, when I tried to use ‘curl -v -k --cert cert.pem --key key.pem https://mydomain.com/staticmtls/get’, I got a ‘Not found’ response.

I chose the TLS protocol as well.

What is the reason for this ‘Not found’ response? Is there any setting/environment variable that I have to set?

Here are the curl details:

    * Trying x.x.x.x:443...
    * TCP_NODELAY set
    * Connected to xxx.xxx.xxx (x.x.x.x) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    * subject: CN=xxx.xxx.xxx
    * start date: Jun 17 00:51:57 2022 GMT
    * expire date: Sep 15 00:51:56 2022 GMT
    * issuer: C=US; O=Let's Encrypt; CN=R3
    * SSL certificate verify ok.
    > GET /staticmtls/get HTTP/1.1
    > Host: xxx.xxx.xxx
    > User-Agent: curl/7.68.0
    > Accept: */*
    >
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 404 Not Found
    < Date: Tue, 21 Jun 2022 09:40:24 GMT
    < Server: Apache/2.4.41 (Ubuntu)
    < Content-Length: 9
    < Content-Type: text/plain; charset=utf-8
    <
    * Connection #0 to host xxx.xxx.xxx left intact

Regards,

Maan Tarng

Hi @maantarng, can you check a couple of things as outlined in this thread? I have listed them below to make it easier.

  • TLS and SSL settings in gateway config file
  • Multi auth mode in API definition file - Keyless and mTLS (I can see you have confirmed this)
  • Certificate ID (slightly different if an org ID is present)

What is the reason for this ‘Not found’ response?

If the result is coming from Tyk then there is nothing at that endpoint. I guess the protocol could cause this. Try using HTTPS (lowercase). If the same thing occurs, then kindly share the gateway logs (preferably in debug mode).

Is there any setting/ environment variable that I have to set?

I am not sure. However, if you crosscheck the list above, then we would be one step closer to figuring it out. You may have to share your API definition and gateway config file.

Hi @Olu

I tried to follow the link you sent me. When I set ‘use_ssl’ to true, I got this message: “Client sent an HTTP request to an HTTPS server.”

Do you know what the problem is?

It simply means that you are trying to reach the endpoint via an HTTP or unsecured endpoint, meaning that if your domain is mydomain.com, you are reaching it on http://mydomain.com instead of https://mydomain.com.

From your earlier message I can deduce that you are using a proxy server to reach your Tyk gateway. Is that the case?

Because if it is, then you might need to check the configuration of that.

Hi @Olu

Yes.

Ok. Thanks for your help and information.
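
A triage check for the situation discussed in this thread, as an added example that is not part of any poster's reply or of Tyk's tooling: it reads a saved `curl -v` transcript and reports whether the TLS endpoint sent a CertificateRequest (curl logs it as `Request CERT (13)`) and which `Server` header came back. The function names are this example's own, and the sample transcript is abridged from the curl output posted above.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are this example's own.

# mtls_triage: read a `curl -v` transcript on stdin and report whether the
# TLS endpoint asked for a client certificate and which server answered.
mtls_triage() {
    awk '
        { sub(/\r$/, "") }                          # headers end in CRLF
        # curl logs a CertificateRequest message as "Request CERT (13)".
        /TLS handshake, Request CERT/ { asked = 1 }
        # Response lines carry a "< " prefix in verbose output.
        /^[ \t]*< HTTP\//             { status = $3 }
        /^[ \t]*< [Ss]erver:/         { sub(/^[ \t]*< [Ss]erver:[ \t]*/, ""); server = $0 }
        END {
            print "client_cert_requested=" (asked ? "yes" : "no")
            print "status=" (status == "" ? "unknown" : status)
            print "server=" (server == "" ? "unknown" : server)
        }'
}

# mtls_verdict: one-line reading of the report for a client-mTLS test.
mtls_verdict() {
    case "$(mtls_triage)" in
        *client_cert_requested=yes*)
            echo "endpoint requested a client certificate" ;;
        *)
            echo "endpoint never requested a client certificate; the --cert file was not sent" ;;
    esac
}

# Constructed sample: abridged from the curl output posted in the thread.
sample_transcript() {
    cat <<'EOF'
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
> GET /staticmtls/get HTTP/1.1
< HTTP/1.1 404 Not Found
< Server: Apache/2.4.41 (Ubuntu)
< Content-Length: 9
EOF
}

sample_transcript | mtls_triage
sample_transcript | mtls_verdict
```

When the report shows `client_cert_requested=no` together with a `Server` header from a front-end web server, the handshake was completed by a TLS endpoint that never asked for the client certificate, so that hop's configuration is the first place to look.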