SSL issues with new apicast #787

Closed
4integration opened this issue Jun 25, 2018 · 8 comments

@4integration

I just upgraded to latest APIcast in Docker using this image
https://access.redhat.com/containers/?tab=overview#/registry.access.redhat.com/3scale-amp22/apicast-gateway

To configure SSL I have followed this example
https://github.com/3scale/apicast/tree/master/examples/add-ssl
but with the new version it has been changed and the directory /opt/app-root/src/ doesn't exist anymore in the image.

What is the new directory to be mapped?

Starting with docker-compose

version: '2'

services:
    gateway:
        container_name: production-qa-apicast-oauth2
        image: registry.access.redhat.com/3scale-amp22/apicast-gateway:1.8
        env_file: .env
        restart: always
        ports:
            - 90:8090
            - 443:8443
        volumes:
            - /etc/apicast.d/production:/opt/app-root/src/apicast.d:ro
            - /etc/pki/tls/certs:/opt/app-root/src/conf/cert:ro
        network_mode: "bridge"
        depends_on:
            - redis

    redis:
        container_name: production-qa-redis
        image: redis
        restart: always
        ports:
            - 6379:6379
        network_mode: "bridge"

and this config

listen 8443 ssl;
ssl_certificate cert/star.domain.com2015-2019.crt;
ssl_certificate_key cert/star.domain.com2015-2019.key;

4integration commented Jun 26, 2018

Ok, I missed that the config/environment variables have changed.
Now I have the below set

APICAST_HTTPS_PORT=8443
APICAST_HTTPS_CERTIFICATE=/opt/app-root/src/conf/cert/star.domain.com2015-2019.crt
APICAST_HTTPS_CERTIFICATE_KEY=/opt/app-root/src/conf/cert/star.domain.com2015-2019.key

Seems to start fine now but does not respond to:
curl -v https://gw.domain.com/_threescale-new/healthz
or
telnet gw.domain.com 443

Running cURL from inside the Docker container

bash-4.2$ curl -v https://gw.domain.com/_threescale/healthz
* About to connect() to gw.domain.com port 443 (#0)
*   Trying 10.57.49.13...
* Connected to gw.domain.com (10.57.49.13) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file

Any ideas?


mikz commented Jun 26, 2018

@4integration just opened a PR fixing the example using the builtin HTTPS functionality: #789


mikz commented Jun 26, 2018

@4integration and to answer your question, it can be any path. Also it is almost always better to use absolute paths as it is pretty explicit where they point to.

@4integration

Thanks @mikz

Do you have any idea why apicast doesn't listen on 8443?

Any hints to debug this?


mikz commented Jun 26, 2018

@4integration I don't know. Can you try to follow the example in #789?

@4integration

As mentioned in #789, it didn't work, and there seem to be differences between the Red Hat repo and the quay.io repo.


mikz commented Jun 26, 2018

@4integration is there anything we can do?

3.2-stable docs are in a branch: https://github.com/3scale/apicast/tree/3.2-stable/examples/add-ssl

Plus there has been one slight change in master that we can incorporate to that branch if it works.
c89d8b3#diff-47a5ad17c2954ca3c2b15f63688d11a2

@4integration

@mikz in #789 I got info from @mayorova that the Red Hat official APIcast doesn't have the additions with APICAST_HTTPS_*.
Thanks for your help.
