My custom SSL certificate does not work #8025

Closed
ichuan258 opened this issue Nov 2, 2021 Discussed in #8019 · 3 comments

@ichuan258

Discussed in #8019

Originally posted by ichuan258 November 1, 2021
I create a service

curl -i -X POST http://100.73.66.21:32763/services \
>--data "name=app-list4" \
>--data "url=http://100.73.66.5:3401/api/objs/App"
HTTP/1.1 201 Created

I create a certificate in Postman because using curl is too cumbersome. It's created fine, so I list it:

{
    "key": "-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQC3On/mFql4qCfgmuj1dTNo9VyAZ3ANVVcbvuKvnzU9mk1mbkMs\no0Se7BVzj1YLtn+dOlCDOFnEanYy7ynJ2ECJpgVLrc+IAGiiD+qwxU5q2sigNpiG\nJXyD/vZ17KmH4ibBlKIyIcdn0lrXc/XyTK7L58dfngJI5Q6WdKsGUBKqIwIDAQAB\nAoGBAIZiD1/viwgFPIoM04MDHFuEaP1738DHsIWW8Kchu2ic/Nt9TyMz86YjPHBu\n1grtJJdqJ5a2A5B9DIe6xQlW461RoTDGr2YeWSJjnrFJFJnF6YdzTvzmHRPRtYjp\nAW4yvpODixP/GHIfkHEBwCQHwz0pwxPlw+5HdQpV+lojj1jhAkEA71aJ7bYgAlwK\n282IkTNLKLe67eZaYsoTyB9VSdZNkWYb+Nm/NPSoQ/5XCdtBUkY3z7/qG6UqV9oy\nh0Ik8AJdmwJBAMP7+1i1ta3NA/To4fyT3CNCEZpBk/agMRjIpelGl+nvYvgGvpBs\n3aidlRmD/5R2QDF3Aj/4epPgXkl7ag1B8hkCQE2z3dHUKC477baQ0v65FXShucmU\n2NFr4+I78fen4MUMzpYLM52gtKRmhaGIknuAmowTNZFGHSoqh+8L1WwqiHMCQH+K\nBwq2zbF6Hp4Nw6sUKglD4KKrFHhFzU2cnePOTeQuJhDUisUAI8usKTB+px9dSO8n\nzG4G7PY46AMX7m8MQFkCQQDDj65GRVHnoYx7XRTYXBv/eNZYUvUywDQyV+cEH2st\nOft717FKUEdPt89axYw3MrBLQKblBBOboFye0iMapdKa\n-----END RSA PRIVATE KEY-----",
    "cert": "-----BEGIN CERTIFICATE-----\nMIICKTCCAZICCQCujvGgt4U6rTANBgkqhkiG9w0BAQsFADBZMQswCQYDVQQGEwJj\nbjELMAkGA1UECAwCc2gxCzAJBgNVBAcMAnNoMRIwEAYDVQQKDAlkaW5nY2xvdWQx\nDTALBgNVBAsMBHRlc3QxDTALBgNVBAMMBHJvb3QwHhcNMjEwNjE3MDk1MDU4WhcN\nMzEwNjE1MDk1MDU4WjBZMQswCQYDVQQGEwJjbjELMAkGA1UECAwCc2gxCzAJBgNV\nBAcMAnNoMRIwEAYDVQQKDAlkaW5nY2xvdWQxDTALBgNVBAsMBHRlc3QxDTALBgNV\nBAMMBHJvb3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALc6f+YWqXioJ+Ca\n6PV1M2j1XIBncA1VVxu+4q+fNT2aTWZuQyyjRJ7sFXOPVgu2f506UIM4WcRqdjLv\nKcnYQImmBUutz4gAaKIP6rDFTmrayKA2mIYlfIP+9nXsqYfiJsGUojIhx2fSWtdz\n9fJMrsvnx1+eAkjlDpZ0qwZQEqojAgMBAAEwDQYJKoZIhvcNAQELBQADgYEAreMT\nCLyQIqpao2MdrlhDJ87jOsVQvsnv8LuayerqFX8FuFeIOd3nvK5/sEfdGmzOPwpx\n/DKPWDDEchkQVrri3rvIZadSV3rl3DUGeV1l6YLVhRKL4YwmRKpEDsMaAimKrdt3\ngR3+AhpIhVTjTFIu6dq2bDz0QBuEJQVGp/joVlA=\n-----END CERTIFICATE-----",
    "tags":[
        "server"
    ],
    "snis":[
        "testkong.com"
    ]
}

Now I create a route

curl -i -X POST http://100.73.66.21:32763/routes \
>--data "service.id=000aefb3-d7e1-4865-afbf-0ccb0c9f1b17" \
>--data "paths[]=/app/list/test5" \
>--data "protocols[]=https" \
>--data "name=route-test5" \
>--data "hosts[]=testkong.com"

I make an HTTPS request

curl -v --insecure -X GET https://100.73.66.21:31966/app/list/test5 \
>-H "Host: testkong.com" 

Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 100.73.66.21:31966...
* TCP_NODELAY set
* Connected to 100.73.66.21 (100.73.66.21) port 31966 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
*  start date: Oct 28 06:50:29 2021 GMT
*  expire date: Jan 19 03:14:08 2038 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /app/list/test5 HTTP/1.1
> Host: testkong.com
> User-Agent: curl/7.68.0
> Accept: */*
> NERV-USER: admin
> NERV-TOKEN: 5c593d19de9dea1dcf80c4887479e3a5
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Cache-Control: no-cache
< Date: Mon, 01 Nov 2021 04:56:14 GMT
< X-Kong-Upstream-Latency: 10
< X-Kong-Proxy-Latency: 1
< Via: kong/2.6.0
{
  ...data,its ok
}

I see that it is using the default SSL certificate. Why is my custom certificate not working?

@ichuan258
Author

Is there a problem with my certificate?

@ichuan258
Author

OK, I get it

@yincangshiwei

OK, I get it

I also have this problem. The CN displayed by admin is normal, but the certificate displayed on the URL is localhost. How did you solve it?
