istio: TLSV1_ALERT_UNKNOWN_CA for some deployments in cluster and Gateway with tlsMode SIMPLE
Bug description We are migrating istio from 1.4.5 to 1.7.3 version, we recreated our cluster with istio 1.7.3 using istioctl. We started experiencing 503 errors for deployments with error TLSV1_ALERT_UNKNOWN_CA in ingressgateway pods. We are using Gateway with tlsMode: SIMPLE and ideally it shouldn't fail with CA error. Also, out of 5 deployments, 2 deployments started working after a day without any change to cluster, but for the other deployments the request is terminating with TLSV1_ALERT_UNKNOWN_CA in ingressgateway pods. And we just created deployments with different names but using the same configuration for all deployments.
Complete error in istio-ingressgateway:
"GET /ping HTTP/2" 503 UF,URX "-" "TLS error: 268436504:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA" 0 91 48 - "XX.XX.XX.XX" "curl/7.54.0" "487df73f-2d2c-4f3d-a724-d112039bsds3" "keerthg-test-card-5-v1.XX.XX.XX.com" "XX.XX.XX.XX:8200" outbound|8080|v1|keerthg-test-card-5-v1.default.svc.cluster.local - XX.XX.XX.XX:8443 XX.XX.XX.XX:47172 keerthg-test-card-5-v1.XX.XX.XX.com -
IngressGateway for HTTPS
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpsingressgateway # use FQDN name when referencing from other namespaces: httpsingressgateway.istio-system.svc.cluster.local
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: ingressgateway-certs
    hosts:
    - "*"
[ ] Docs [X] Installation [ ] Networking [ ] Performance and Scalability [ ] Extensions and Telemetry [ ] Security [X] Test and Release [X] User Experience [X] Developer Infrastructure
Expected behavior
- We should not see 503 errors and face TLSV1_ALERT_UNKNOWN_CA for a gateway using tlsMode: SIMPLE. It's scary that requests to similar deployments are working and others are not.
Steps to reproduce the bug The error is not consistent; the Gateway config, istioctl command, etc. are provided in the description.
Version (include the output of istioctl version --remote and kubectl version --short and helm version if you used Helm)
$ kubectl version --short
Client Version: v1.17.0
Server Version: v1.18.9-eks-d1db3c
Istio: 1.7.3
How was Istio installed?
istioctl command is used to generate Istio config:
istioctl manifest generate --namespace istio-system --set meshConfig.disablePolicyChecks=true --set meshConfig.enableTracing=false --set meshConfig.enableAutoMtls=true --set meshConfig.accessLogFile=/dev/stdout --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY --set meshConfig.enablePrometheusMerge=false --set values.global.proxy.autoInject=disabled --set values.global.proxy.resources.requests.cpu=100m --set values.global.defaultResources.requests.cpu=100m --set components.pilot.k8s.hpaSpec.minReplicas=5 --set components.pilot.k8s.hpaSpec.maxReplicas=50 --set components.ingressGateways.NodePort > istio-1.7.3.yaml
Environment where bug was observed (cloud vendor, OS, etc) AWS EKS
About this issue
- State: closed
- Created 4 years ago
- Comments: 21 (10 by maintainers)
For @2ZZ, this is fixed by https://github.com/istio/istio/pull/28273. It may be a different issue for @keerthig9. You can verify by looking for anything with file-root in the config dump (at the bottom).
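As an added example (not from this issue or from the Istio project), a small Python check that mechanises the maintainer's hint: it walks an Envoy config dump (assumed to be fetched from the proxy's admin `/config_dump` endpoint and saved as JSON) and reports every string value containing `file-root`, together with the JSON path and the name of the listener or cluster that owns it. The embedded dump is a constructed, heavily trimmed sample; the `file-root:` path in it is illustrative, not taken from the issue.

```python
import json
from typing import Any, Iterator, List, Tuple

# Constructed, trimmed stand-in for an Envoy /config_dump of an ingress gateway.
# Only the fields the check needs are kept; the file-root value is a sample.
SAMPLE_CONFIG_DUMP = json.dumps({"configs": [
    {"@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
     "dynamic_listeners": [{"name": "0.0.0.0_8443", "active_state": {"listener": {
         "name": "0.0.0.0_8443",
         "filter_chains": [{"transport_socket": {"typed_config": {"common_tls_context": {
             # downstream side: the Gateway's credentialName served via SDS
             "tls_certificate_sds_secret_configs": [
                 {"name": "kubernetes://ingressgateway-certs"}]}}}}]}}}]},
    {"@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump",
     "dynamic_active_clusters": [{"cluster": {
         "name": "outbound|8080|v1|keerthg-test-card-5-v1.default.svc.cluster.local",
         "transport_socket": {"typed_config": {"common_tls_context": {
             "combined_validation_context": {"validation_context_sds_secret_config": {
                 # upstream side: a file-based root CA reference (constructed sample)
                 "name": "file-root:/etc/certs/root-cert.pem"}}}}}}}]},
]})

Hit = Tuple[str, str, str]  # (owning resource name, JSON path, matching value)


def find_strings(node: Any, needle: str, path: str = "",
                 names: Tuple[str, ...] = ()) -> Iterator[Hit]:
    """Recursively yield every string value containing `needle`.

    `names` tracks the "name" fields of enclosing objects so each hit can be
    attributed to the nearest listener/cluster that owns it.
    """
    if isinstance(node, dict):
        name = node.get("name")
        if isinstance(name, str):
            names = names + (name,)
        for key, value in node.items():
            yield from find_strings(value, needle, f"{path}.{key}" if path else key, names)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from find_strings(value, needle, f"{path}[{i}]", names)
    elif isinstance(node, str) and needle in node:
        owner = next((n for n in reversed(names) if n != node), "")
        yield owner, path, node


def file_root_references(config_dump_json: str) -> List[Hit]:
    """Return all file-root references found in a config dump JSON document."""
    return list(find_strings(json.loads(config_dump_json), "file-root"))


if __name__ == "__main__":
    for owner, path, value in file_root_references(SAMPLE_CONFIG_DUMP):
        print(f"{owner}\n  {path} = {value}")
```

An empty result means the gateway's TLS contexts reference no file-based roots at all; a hit on an outbound cluster points at the upstream (gateway-to-sidecar) side, which matches the UF,URX upstream-failure flags in the access log above.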