Known Issues
The document is a summary of the known issues in NGINX Management Suite API Connectivity Manager. Fixed issues are removed after 45 days.
We recommend upgrading to the latest version of API Connectivity Manager to take advantage of new features, improvements, and bug fixes.
1.0.0
DEVPORTAL_OPTS
in /etc/{default,sysconfig}/nginx-devportal
does not work if value has multiple words
Issue ID | Status |
---|---|
36040 | Open |
Description
Passing command-line arguments to the nginx-devportal
service on the Dev Portal backend server using the DEVPORTAL_OPTS
variable in /etc/{default,sysconfig}/nginx-devportal
doesn’t work if the value has more than one word in it; the service fails to start. The entire value is sent as a single command-line argument by systemd
instead of being parsed into multiple arguments.
You can view the log errors by running the following command:
sudo journalctl -fu nginx-devportal
Workaround
Edit /etc/nginx-devportal/nginx-devportal.conf
to configure your desired options instead of passing them as command-line arguments.
PATCH on API Proxies endpoint is not implemented
Issue ID | Status |
---|---|
35771 | Open |
Description
The PATCH
method for API proxies is listed in the API spec; however, this method hasn’t been implemented yet.
Workaround
Use PUT
instead for API proxies.
Credentials endpoint is disabled by default
Issue ID | Status |
---|---|
35630 | Open |
Description
For security reasons, the Credentials endpoint is disabled by default. To use the Developer Portal credentials workflow, you need to make configuration changes on the ACM host to enable the Credentials endpoint. Optionally, communication between ACM and the Developer Portal can be secured by providing certificates.
Workaround
To enable the Credentials endpoint on the ACM host:
-
Open an SSH connection into the ACM host and log in.
-
Enable the Credentials endpoint:
In
/etc/nms/nginx/locations/nms-acm.conf
, uncomment the location block.# Deployment of resource credentials from the devportal # Uncomment this block when using devportal. Authentication is disabled # for this location. This location block will mutually # verify the client trying to access the credentials API. location = /api/v1/devportal/credentials { # OIDC authentication (uncomment to disable) #auth_jwt off; auth_basic off; error_page 401 /401_certs.json; if ($ssl_client_verify != SUCCESS) { return 401; } proxy_pass http://apim-service/api/v1/devportal/credentials; }
-
Save the changes.
-
Reload NGINX on the ACM host:
nginx -s reload
Unable to delete an environment that is stuck in a Configuring state.
Issue ID | Status |
---|---|
35546 | Open |
Description
In the web interface, after deleting all of the proxy clusters is an environment that’s in a FAIL
state, the environment may transition to a CONFIGURING
state and cannot be deleted.
Workaround
Add back the deleted proxy clusters using the web interface. The environment will transition to a Fail
state. At this point, you can use the API to delete the proxy by sending a DELETE
request to:
https://<NMS-FQDN>/api/acm/v1/infrastructure/workspaces/<infra-workspace-name>/environments/<environmentname>
Features in the web interface are not displayed after uploading license
Issue ID | Status |
---|---|
35525 | Open |
Description
After uploading a valid ACM license, some features in the web interface are not displayed or remain restricted.
Workaround
Refresh the browser to load the updated permissions and show the missing features.
Cannot add, remove, or edit proxy clusters from an environment that has a published API proxy
Issue ID | Status |
---|---|
35463 | Open |
Description
When an environment has a published API proxy associated with it, existing proxy clusters cannot be changed. Additional proxy clusters cannot be added or removed.
Workaround
Unpublish the API proxy before adding, removing, or editing additional proxy clusters.
Environment is in a premature Success state even though all proxy clusters may not be on-boarded
Issue ID | Status |
---|---|
35430 | Open |
Description
In an environment where some, but not all, proxy clusters are on-boarded (that is, the NGINX Agent hasn’t been installed on the proxy cluster), the environment may report an invalid Success
state.
Workaround
Install the NGINX Agent on the proxy cluster, then resubmit the environment.
JWT Assertion policy accepts an empty string value for tokenName property
Issue ID | Status |
---|---|
35419 | Open |
Description
The JWT Assertion policy accepts an empty value for the tokenName
property, which may cause unexpected policy behavior.
Workaround
Include a valid tokenName
value of at least three characters when adding the policy.
Installing NGINX Agent on Ubuntu 22.04 LTS fails with 404 Not Found
error
Issue ID | Status |
---|---|
35339 | Open |
Description
When installing the NGINX Agent on Ubuntu 22.04 LTS, the installation script fails with a 404 Not Found
error similar to the following:
404 Not found [IP: <IP address>]
Reading package lists...
E: The repository 'https://192.0.2.0/packages-repository/deb/ubuntu jammy Release' does not have a Release file.
E: The repository 'https://pkgs.nginx.com/app-protect/ubuntu jammy Release' does not have a Release file.
E: The repository 'https://pkgs.nginx.com/app-protect-security-updates/ubuntu jammy Release' does not have a Release file.
Workaround
Edit the NGINX Agent install script to use the codename focal
for Ubuntu 20.04.
-
Download the installation script:
curl -k https://<NGINX-INSTANCE-MANAGER-FQDN>/install/nginx-agent > install.sh
-
Open the
install.sh
file for editing. -
Make the following changes:
On lines 256-258, change the following:
codename=$(cat /etc/*-release | grep '^DISTRIB_CODENAME' | sed 's/^[^=]*=\([^=]*\)/\1/' | tr '[:upper:]' '[:lower:]')
to:
codename=focal
—OR—
Alternatively, on line 454, change the following:
deb ${PACKAGES_URL}/deb/${os}/ ${codename} agent
to:
deb ${PACKAGES_URL}/deb/${os}/ focal agent
-
Save the changes.
-
Run the
install.sh
script.
OIDC policy cannot be applied on a shared proxy cluster
Issue ID | Status |
---|---|
35337 | Open |
Description
If the same proxy cluster is used for both the Developer Portal and API Gateway, the OIDC Policy is not applied.
Workaround
Within an environment, use separate proxy clusters for the Developer Portal and API Gateway when applying an OIDC policy.
OpenID Connect Discovery is not implemented
Issue ID | Status |
---|---|
35186 | Open |
Description
The implementation to automatically fetch all the metadata from IDP’s well-known endpoint is incomplete. Though the option to specify the well-known endpoint exists in the OIDC policy, it is not functional. These endpoints have to be explicitly provided.
Workaround
Provide all the relevant endpoints – such as Keys, Authorize, Token, Logoff, and Userinfo – while configuring OIDC policy.
Error codes are not configurable for the OIDC policy
Issue ID | Status |
---|---|
34900 | Open |
Description
Adding custom error codes in the OIDC policy causes a validation error similar to the following example:
duplicate location \"/_oidc_err_85de2f20_default_411\
Workaround
Use the default error codes included in the OIDC policy.
No validation when conflicting policies are added
Issue ID | Status |
---|---|
34531 | Open |
Description
When securing the API Proxy with policies like basic authentication or APIKey authentication, the user is not warned if a duplicate or conflicting policy is already added. Conflicting policies are not validated.
Workaround
Secure the API proxy with only one policy.
Multiple hostnames on a single proxy cluster are not supported
Issue ID | Status |
---|---|
34457 | Open |
Description
The environment API allows an array of hostnames; however, this capability is not fully implemented.
Workaround
Use a single hostname per proxy cluster.
CORS policy doesn’t support proxying preflight requests to the backend when combined with an authentication policy
Issue ID | Status |
---|---|
34449 | Open |
Description
On an API Proxy with an authentication policy, applying a CORS policy with preflightContinue=true
is not supported.
Workaround
Apply CORS policy and set preflightContinue=false
.