-
Notifications
You must be signed in to change notification settings - Fork 129
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lose snis when updating certificate #356
Comments
Can you confirm your Kong and decK versions, and provide an example file (with a dummy certificate) that demonstrates the issue? I was not able to replicate this:
|
Ah, you have to modify it, not just run sync repeatedly. Current workaround is to sync again after syncing the modified certificate: this will detect the missing SNI and re-add it. This happens because we remove SNIs from certificate objects read from a state: and treat the SNIs as separate objects. The PUT requests that we use to update certificates, however, then include an empty SNIs array, and Kong actually deletes any existing SNIs when you do this. There are two approaches to handle this:
|
Beside of the issues (may happen) that you mentioned. Currently, I don't want to rebuild decK. Thanks for the clarification! |
To clarify, we intend to fix the issue with one or the other solution and just haven't decided. |
When decK must update a certificate, retrieve the current certificate's set of SNIs, convert them to strings, and set these on the updated certificate. Certificate and SNI objects have a special relationship. A PUT request (which we use for updates) with a certificate that contains no SNI children will in fact delete any existing SNI objects associated with that certificate, rather than leaving them as-is. Because decK considers SNIs separate objects and strips SNI child objects from certificate objects, updates to other certificate fields will PUT a certificate with no SNIs and inadvertently delete existing SNIs. Not stripping SNIs from certificate objects in general presents its own issues, as decK will attempt to operate on both objects and generate conflicts. To work around these issues, this change sets SNIs on certificates ONLY during update requests using the current certificate's SNI list. If there are changes to the SNIs, subsequent actions on the SNI objects will handle those. Fix #356
Alright, further testing on the include SNIs option indicates that it causes a bunch of conflicts when performing operations that do modify SNIs. The PATCH option is complicated and requires changes to go-kong to completely work correctly, so instead, new option 3: #386 |
When decK must update a certificate, retrieve the current certificate's set of SNIs, convert them to strings, and set these on the updated certificate. Certificate and SNI objects have a special relationship. A PUT request (which we use for updates) with a certificate that contains no SNI children will in fact delete any existing SNI objects associated with that certificate, rather than leaving them as-is. Because decK considers SNIs separate objects and strips SNI child objects from certificate objects, updates to other certificate fields will PUT a certificate with no SNIs and inadvertently delete existing SNIs. Not stripping SNIs from certificate objects in general presents its own issues, as decK will attempt to operate on both objects and generate conflicts. To work around these issues, this change sets SNIs on certificates ONLY during update requests using the current certificate's SNI list. If there are changes to the SNIs, subsequent actions on the SNI objects will handle those. Fix #356
When decK must update a certificate, retrieve the current certificate's set of SNIs, convert them to strings, and set these on the updated certificate. Certificate and SNI objects have a special relationship. A PUT request (which we use for updates) with a certificate that contains no SNI children will in fact delete any existing SNI objects associated with that certificate, rather than leaving them as-is. Because decK considers SNIs separate objects and strips SNI child objects from certificate objects, updates to other certificate fields will PUT a certificate with no SNIs and inadvertently delete existing SNIs. Not stripping SNIs from certificate objects in general presents its own issues, as decK will attempt to operate on both objects and generate conflicts. To work around these issues, this change sets SNIs on certificates ONLY during update requests using the current certificate's SNI list. If there are changes to the SNIs, subsequent actions on the SNI objects will handle those. Fix #356
When decK must update a certificate, retrieve the current certificate's set of SNIs, convert them to strings, and set these on the updated certificate. Certificate and SNI objects have a special relationship. A PUT request (which we use for updates) with a certificate that contains no SNI children will in fact delete any existing SNI objects associated with that certificate, rather than leaving them as-is. Because decK considers SNIs separate objects and strips SNI child objects from certificate objects, updates to other certificate fields will PUT a certificate with no SNIs and inadvertently delete existing SNIs. Not stripping SNIs from certificate objects in general presents its own issues, as decK will attempt to operate on both objects and generate conflicts. To work around these issues, this change sets SNIs on certificates ONLY during update requests using the current certificate's SNI list. If there are changes to the SNIs, subsequent actions on the SNI objects will handle those. Fix #356
When decK must update a certificate, retrieve the current certificate's set of SNIs, convert them to strings, and set these on the updated certificate. Certificate and SNI objects have a special relationship. A PUT request (which we use for updates) with a certificate that contains no SNI children will in fact delete any existing SNI objects associated with that certificate, rather than leaving them as-is. Because decK considers SNIs separate objects and strips SNI child objects from certificate objects, updates to other certificate fields will PUT a certificate with no SNIs and inadvertently delete existing SNIs. Not stripping SNIs from certificate objects in general presents its own issues, as decK will attempt to operate on both objects and generate conflicts. To work around these issues, this change sets SNIs on certificates ONLY during update requests using the current certificate's SNI list. If there are changes to the SNIs, subsequent actions on the SNI objects will handle those. Fix #356
I have a certificate with a sni (*.example.xzy):
But it loses snis when I update certificate (for renewal):
I use the commands below to update certificate:
Here is my Kong Declarative configuration for certificate:
What I missed? Thanks in advance!
The text was updated successfully, but these errors were encountered: