Hi,
we successfully set up tyk with SSL Let’s Encrypt (LE) support as described in the docs: //tyk.io/docs/basic-config-and-security/security/tls-and-ssl/. The LE certificate is issued when the first SSL request hits the tyk gateway, which results in the following logs:
2017/06/19 16:24:43 [INFO][<hostname>] acme: Obtaining bundled SAN certificate
2017/06/19 16:24:43 [INFO][<hostname>] acme: Trying to solve TLS-SNI-01
2017/06/19 16:24:45 [INFO][<hostname>] The server validated our request
2017/06/19 16:24:46 [INFO][<hostname>] acme: Validations succeeded; requesting certificates
2017/06/19 16:24:46 [INFO] acme: Requesting issuer cert from https://acme-v01.api.letsencrypt.org/acme/issuer-cert
2017/06/19 16:24:46 [INFO][<hostname>] Server responded with a certificate.
time="Jun 19 16:24:46" level=info msg="[SSL] State change detected, storing"
So far, so good. We are using docker containers (also running the tyk dashboard, gateway and pump in docker containers) and often start and stop them for development purposes. It seems the tyk gateway does not remember the previously issued certificate and asks LE for a new certificate every time the tyk gateway is started. This causes LE rate limiting to kick in (Rate Limits - Let's Encrypt) which denies reissuing certificates (up to one week after 5 successful certificates were issued).
This behavior is mentioned in //tyk.io/docs/basic-config-and-security/security/tls-and-ssl/ where it says:
Certificates are generated by one Gateway and then shared, via an encrypted Redis key, with other Tyk nodes. Tyk with LE support is limited by LE’s rate limits, so while certificates are backed up and generated and can be re-used, over-use of the feature can cause the service to stop working.
We are using persistent redis with the appendonly yes option to produce an appendonly.aof file. But the tyk gateway reports the following on startup and doesn’t seem to read the certificate from the redis store:
time="Jun 19 15:59:45" level=info msg="Control API hostname set: cs-test.greenliff.com"
time="Jun 19 15:59:45" level=info msg="Initialising Tyk REST API Endpoints"
time="Jun 19 15:59:45" level=error msg="Could not EXPIRE key: LOADING Redis is loading the dataset in memory"
time="Jun 19 15:59:45" level=info msg="Starting Poller"
time="Jun 19 15:59:45" level=info msg="--> Using SSL LE (https)"
time="Jun 19 15:59:45" level=warning msg="[SSL] --> No SSL backup: Key not found"
time="Jun 19 15:59:45" level=info msg="Setting up Server"
time="Jun 19 15:59:45" level=info msg="Registering node."
We can’t seem to find a way to persist certificates for re-use across restarts of the tyk gateway. Is this possible and if yes, how?
Thank you in advance,
Alexander Houben
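An added example, not code from the original post or from Tyk: a container entrypoint wrapper that holds the gateway back until Redis has finished replaying its appendonly.aof, so the stored certificate key can be read instead of a fresh LE request being made on every restart. It assumes that the "Could not EXPIRE key: LOADING" line in the startup log above is why the backup key is reported missing, that redis-cli is installed in the gateway container, and that REDIS_HOST, REDIS_PORT and MAX_WAIT are names of our own choosing.

```shell
#!/bin/sh
# Constructed example (not part of the original post or of Tyk).
# Usage as an entrypoint: /wait-for-redis.sh <gateway command and args>
# With no arguments the script only defines its functions.
REDIS_HOST="${REDIS_HOST:-redis}"   # assumed service name of the Redis container
REDIS_PORT="${REDIS_PORT:-6379}"
MAX_WAIT="${MAX_WAIT:-120}"         # seconds to wait before giving up (assumed default)

# Classify a PING reply. Redis answers PONG once the dataset is in memory;
# while it is still replaying the AOF it answers with a LOADING error, which is
# the state the gateway hit in the log above. Exit status:
#   0 = ready, 1 = still loading, 2 = unreachable or unexpected reply.
redis_state() {
  case "$1" in
    PONG*)      return 0 ;;
    *LOADING*)  return 1 ;;
    *)          return 2 ;;
  esac
}

# Poll PING until Redis is ready or MAX_WAIT seconds have elapsed.
# Each attempt is echoed so the wait is visible in the container log.
wait_for_redis() {
  waited=0
  while [ "$waited" -lt "$MAX_WAIT" ]; do
    reply=$(redis-cli -h "$REDIS_HOST" -p "$REDIS_PORT" PING 2>&1)
    if redis_state "$reply"; then
      echo "redis ready after ${waited}s"
      return 0
    fi
    echo "waiting for redis (${waited}s): $reply"
    sleep 1
    waited=$((waited + 1))
  done
  echo "redis not ready after ${MAX_WAIT}s, refusing to start gateway" >&2
  return 1
}

# Start the gateway only once Redis can serve the stored certificate; if Redis
# never becomes ready, fail the container rather than let the gateway fall
# back to requesting a new certificate and burn LE rate limit.
if [ "$#" -gt 0 ]; then
  wait_for_redis || exit 1
  exec "$@"
fi
```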