Hi All,
I was trying Apigee hybrid installation on GCP.
The installation was successful, and I can see the proxy has been deployed to the runtime pods for the specific environment.
But I am unable to access the API through the Istio ingress gateway for APIs. I am getting the SSL error below. The SSL certificate pair was generated using the Let's Encrypt commands given in the documentation.
```
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api-qa.mydomain.in:443
```
Here is my configuration file:
```yaml
gcp:
  projectID: gcp-project-id
# Apigee org name.
org: apigee-demo-trial-ou47h
# Kubernetes cluster name details
k8sCluster:
  name: apigee-demo-cluster
  region: "us-east1"

virtualhosts:
  - name: default
    hostAliases:
      - "api-qa.mydomain.in"
    # either SSLSecret or the paths
    sslSecret: "qa-sslsecret"
    # Certificate for the domain name; this can be self signed.
    sslCertPath: /certs/fullchain.pem
    # Private key for the domain name; this can be self signed.
    sslKeyPath: ./certs/privkey.pem
    # optional
    routingRules:
      - env: qa
        paths:
          - /myproxy
        # optional, connect timeout in seconds
        connectTimeout: 57

envs:
  # Apigee environment name.
  - name: qa
    # Service accounts for sync and UDCA.
    serviceAccountPaths:
      synchronizer: ./service-accounts/gcp-project-id-apigee-synchronizer.json
      udca: ./service-accounts/gcp-project-id-apigee-udca.json
```
A mistake in my override file only. It's working after correcting the file.
Either use K8S secret or use SSL certificate pair path.
Corrected contents:
```yaml
gcp:
  projectID: gcp-project-id
# Apigee org name.
org: apigee-demo-trial-ou47h
# Kubernetes cluster name details
k8sCluster:
  name: apigee-demo-cluster
  region: "us-east1"

virtualhosts:
  - name: default
    hostAliases:
      - "api-qa.mydomain.in"
    # Certificate for the domain name; this can be self signed.
    sslCertPath: /certs/fullchain.pem
    # Private key for the domain name; this can be self signed.
    sslKeyPath: ./certs/privkey.pem
    # optional
    routingRules:
      - env: qa
        paths:
          - /myproxy
        # optional, connect timeout in seconds
        connectTimeout: 57

envs:
  # Apigee environment name.
  - name: qa
    # Service accounts for sync and UDCA.
    serviceAccountPaths:
      synchronizer: ./service-accounts/gcp-project-id-apigee-synchronizer.json
      udca: ./service-accounts/gcp-project-id-apigee-udca.json
```
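The "either the secret or the certificate pair path" rule from the reply above can be checked before an overrides file is applied. The following is an added example, not code from the thread or from Apigee: `check_tls` and `virtualhost_tls_keys` are hypothetical names, the sample text is constructed, and the scan is a simple line-based reader for files laid out like the one in this thread, not a full YAML parser.

```python
import re

# Constructed sample: entry 1 mirrors the original file, entry 2 the corrected one.
SAMPLE = """\
virtualhosts:
  - name: default
    # either SSLSecret or the paths
    sslSecret: "qa-sslsecret"
    sslCertPath: /certs/fullchain.pem
    sslKeyPath: ./certs/privkey.pem
  - name: corrected
    sslCertPath: /certs/fullchain.pem
    sslKeyPath: ./certs/privkey.pem
envs:
  - name: qa
"""

ENTRY = re.compile(r"^(\s+)-\s+name:\s*[\"']?([^\"'\s#]+)")
TLS_KEY = re.compile(r"^\s+(sslSecret|sslCertPath|sslKeyPath):\s*\S")

def virtualhost_tls_keys(text):
    """Map each virtualhosts entry to the TLS keys it sets (assumes every
    entry starts with '- name:', as in the file in this thread)."""
    hosts, current, in_block, indent = {}, None, False, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        entry = ENTRY.match(line)
        if not line[0].isspace():         # top-level key opens a new block
            in_block, current, indent = line.startswith("virtualhosts:"), None, None
        elif in_block and entry and indent in (None, len(entry.group(1))):
            indent, current = len(entry.group(1)), entry.group(2)
            hosts[current] = set()
        elif in_block and current and (key := TLS_KEY.match(line)):
            hosts[current].add(key.group(1))
    return hosts

def check_tls(text):
    """Return (virtualhost, problem) pairs; an empty list means consistent."""
    problems = []
    for name, keys in virtualhost_tls_keys(text).items():
        paths = keys & {"sslCertPath", "sslKeyPath"}
        if "sslSecret" in keys and paths:
            problems.append((name, "sslSecret and certificate paths both set"))
        elif len(paths) == 1:
            problems.append((name, "sslCertPath/sslKeyPath pair incomplete"))
        elif not keys:
            problems.append((name, "no TLS secret or certificate paths"))
    return problems

print(check_tls(SAMPLE))
```
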
The first thing to check is that your domain (api-qa.mydomain.in) resolves to the external IP address on your GKE cluster (currently 199.59.242.153 - reverse resolves to bodis.com, not googleusercontent.com).
The error that is reported indicates that nothing is listening on that address.
In fact, I took the time to scan the host, and I did not see that any services are being hosted on that IP address.