Kraken API Gateway Container Crashes When Adding TLS Support

My Kraken (version 2) deployment crashes any time I add the TLS key to the config file.

Step 1: I generated a public and private key pair using OpenSSL.

> openssl genrsa -out private-key.pem 4096
> openssl rsa -in private-key.pem -pubout -out public-key.pem

Step 2: I launched KrakenD inside a container, with the following volume mounts: /etc/krakend to /run/desktop/mnt/host/c/apitest/conf

The container does not crash.

Step 3: I shut down the container and add the following to my kraken config file.

"tls": {
   "private_key": "/etc/krakend/private-key.pem",
   "public_key": "/etc/krakend/public-key.pem"
}

When I relaunch my container, the container crashes. I have checked that the container can read from the location (it's reading the config file, after all). I validated my JSON file using JSONLint.com, and it's valid.

kubectl logs... shows this error: "2022/02/15 16:06:51 ERROR: [tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [PUBLIC KEY]]"

Why is it crashing? I don't know how to debug it from here.

Should I be using the private key or should I be using a self-signed certificate generated from the private key?



Solution 1:[1]

Try to generate the files with the following command and do not manipulate them after generation:

openssl req -newkey rsa:2048 -new -nodes -x509 -days 365 -out cert.pem -keyout key.pem -subj "/C=US/ST=California/L=Mountain View/O=Your Organization/OU=Your Unit/CN=localhost"

After the command, you can copy the files to your image using a Dockerfile:

FROM devopsfaith/krakend

COPY krakend.json .
COPY key.pem .
COPY cert.pem .

And build it, e.g.:

docker build -t test .

If you just run the image, you'll see the permissions error in the log:

$ docker run test
Parsing configuration file: /etc/krakend/krakend.json
....
2022/02/16 18:54:38  ERROR: [open ./key.pem: permission denied]
2022/02/16 18:54:38  INFO: [Router execution ended]

This is because KrakenD uses the krakend user at runtime (not root), and if you just copy the files into the /etc/krakend directory, that user doesn't have access to them.

For instance, if you run docker using the root user the problem would go away:

docker run -p "443:8080" --user root test

You could also copy the files to /tmp and you would not need the root user at all. There are more ways to fix this; these are just a few examples.
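
A pre-flight check for the two failures in this thread (a bare PUBLIC KEY where a CERTIFICATE is required, and files the non-root runtime user cannot read), as an added example that is not part of the original question or answer. The helper names `preflight`, `readable_by` and `demo` are hypothetical, the runtime uid is an assumption, and the PEM bodies are constructed placeholders rather than real keys.

```python
import os
import re
import stat
import tempfile

PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
# PEM block each KrakenD "tls" field must hold (field names as used on this page).
WANTED = {
    "public_key": lambda label: label == "CERTIFICATE",
    "private_key": lambda label: label.endswith("PRIVATE KEY"),
}

def readable_by(st, uid, gids=()):
    """Unix owner/group/other read check for a non-root uid."""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def preflight(tls, uid, gids=()):
    """Return the problems found in a "tls" block; an empty list means it passed."""
    problems = []
    for field, accepts in WANTED.items():
        try:
            st = os.stat(tls[field])
            with open(tls[field], encoding="ascii", errors="replace") as fh:
                labels = PEM_BEGIN.findall(fh.read())
        except OSError as exc:
            problems.append(f"{field}: {exc.strerror}")
            continue
        if not any(accepts(label) for label in labels):
            problems.append(f"{field}: wrong PEM type {labels}")
        if not readable_by(st, uid, gids):
            problems.append(f"{field}: mode {stat.S_IMODE(st.st_mode):o} not readable by uid {uid}")
    return problems

def demo(cert_label="CERTIFICATE", key_mode=0o644):
    """Run preflight on constructed placeholder PEM files as an assumed non-owner uid."""
    labels = {"public_key": (cert_label, 0o644), "private_key": ("PRIVATE KEY", key_mode)}
    with tempfile.TemporaryDirectory() as tmp:
        tls = {field: os.path.join(tmp, field + ".pem") for field in labels}
        for field, (label, mode) in labels.items():
            with open(tls[field], "w") as fh:
                fh.write(f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n")
            os.chmod(tls[field], mode)
        return preflight(tls, uid=os.getuid() + 1)
```

Calling `demo("PUBLIC KEY", 0o600)` reproduces both conditions from the thread; against a real deployment, pass the parsed "tls" object and the uid (and gids) the container actually runs as to `preflight`.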

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
