Test certificate generation locally with ngrok and the ACME plugin

Uses: Kong Gateway, decK
Incompatible with: Konnect
Minimum Version: Kong Gateway 3.4
TL;DR

Use ngrok to create a domain, create a Service and Route that use your ngrok domain, and then enable the ACME plugin with config.domains set to your ngrok host. Generate a certificate with curl https://$DECK_NGROK_HOST:8443 --resolve $DECK_NGROK_HOST:8443:127.0.0.1 -vk.

Prerequisites

This tutorial requires Kong Gateway Enterprise. If you don’t have Kong Gateway set up yet, you can use the quickstart script with an enterprise license to get an instance of Kong Gateway running almost instantly.

  1. Export your license to an environment variable:

     export KONG_LICENSE_DATA='LICENSE-CONTENTS-GO-HERE'
    
  2. Run the quickstart script:

     curl -Ls https://get.konghq.com/quickstart | bash -s -- -e KONG_LICENSE_DATA 
    

    Once Kong Gateway is ready, you will see the following message:

     Kong Gateway Ready
    

decK is a CLI tool for managing Kong Gateway declaratively with state files. To complete this tutorial you will first need to install decK.

In this tutorial, we use ngrok to expose a local URL to the internet for local testing and development purposes. This isn’t a requirement for the ACME plugin itself.

  1. Install ngrok.
  2. Sign up for an ngrok account and find your ngrok authtoken.
  3. Install the authtoken and connect the ngrok agent to your account:
    ngrok config add-authtoken <TOKEN>
    
  4. Run ngrok:
    ngrok http localhost:8000
    
  5. Copy the Forwarding URL from the output and strip the https://.
  6. In a new terminal window, export it as a decK environment variable:
    export DECK_NGROK_HOST='YOUR FORWARDING URL'
    

Configure a Service and Route

The ACME plugin requires a Route to access the proxy to trigger certificate generation.

Create a Gateway Service as well as a corresponding Route that points to your ngrok host:

echo '
_format_version: "3.0"
services:
  - name: acme-test
    url: https://httpbin.konghq.com
routes:
  - name: acme-route
    service:
      name: acme-test
    hosts:
    - "${{ env "DECK_NGROK_HOST" }}"
' | deck gateway apply -

Enable the plugin

You can now enable the ACME plugin globally with ngrok as your domain:

echo '
_format_version: "3.0"
plugins:
  - name: acme
    config:
      account_email: test@test.com
      tos_accepted: true
      domains:
      - "${{ env "DECK_NGROK_HOST" }}"
      storage: kong
' | deck gateway apply -

Create a certificate

Trigger certificate creation:

curl https://$DECK_NGROK_HOST:8443 --resolve $DECK_NGROK_HOST:8443:127.0.0.1 -vk

This might take a few seconds.

Validate

Validate that the certificate was correctly created:

echo q | openssl s_client -connect localhost:8443 -servername "$DECK_NGROK_HOST" 2>/dev/null | openssl x509 -text -noout

You should see the certificate in the output.
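
Seeing a certificate is not proof that ACME issuance succeeded: a gateway that has no certificate for the requested host still answers with a fallback certificate, and the -k flag used earlier hides that. The following added example (not part of the Kong documentation) classifies `openssl x509 -text -noout` output by comparing issuer with subject and checking the SAN list; the function names, verdict strings and both sample certificate texts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the Kong docs. Reads `openssl x509 -text -noout`
# output on stdin and prints a verdict for HOST:
#   issued | self-signed | san-mismatch | no-cert
check_acme_cert() {
  awk -v host="$1" '
    /^[ \t]*Issuer:/  { sub(/^[ \t]*Issuer:[ \t]*/, "");  issuer = $0 }
    /^[ \t]*Subject:/ { sub(/^[ \t]*Subject:[ \t]*/, ""); subject = $0; seen = 1 }
    /DNS:/ {                       # SAN line: "DNS:a, DNS:b, ..."
      n = split($0, parts, /,[ \t]*/)
      for (i = 1; i <= n; i++) {
        name = parts[i]
        sub(/^[ \t]*DNS:/, "", name); sub(/[ \t]+$/, "", name)
        if (tolower(name) == tolower(host)) san = 1
      }
    }
    END {
      if (!seen)                  print "no-cert"      # handshake or parse failed
      else if (issuer == subject) print "self-signed"  # fallback cert, not ACME
      else if (!san)              print "san-mismatch" # issued for another name
      else                        print "issued"
    }'
}

# Constructed sample: trimmed text of a self-signed fallback certificate.
sample_fallback() {
  cat <<'EOF'
Certificate:
        Issuer: C = US, O = Kong, CN = localhost
        Subject: C = US, O = Kong, CN = localhost
EOF
}

# Constructed sample: trimmed text of a CA-issued certificate for the host.
sample_issued() {
  cat <<'EOF'
Certificate:
        Issuer: O = Example ACME CA, CN = Constructed Issuing CA
        Subject: CN = demo.ngrok-free.app
            X509v3 Subject Alternative Name:
                DNS:demo.ngrok-free.app, DNS:alt.ngrok-free.app
EOF
}

sample_fallback | check_acme_cert demo.ngrok-free.app   # self-signed
sample_issued   | check_acme_cert demo.ngrok-free.app   # issued
```

To classify the live certificate, pipe the output of the validation command above into check_acme_cert "$DECK_NGROK_HOST". A no-cert verdict means the handshake or parse failed, which the 2>/dev/null in that command would otherwise hide.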

Cleanup

curl -Ls https://get.konghq.com/quickstart | bash -s -- -d