istio: TLSV1_ALERT_UNKNOWN_CA for some deployments in cluster and Gateway with tlsMode SIMPLE

Bug description We are migrating istio from 1.4.5 to 1.7.3 version, we recreated our cluster with istio 1.7.3 using istioctl. We started experiencing 503 errors for deployments with error TLSV1_ALERT_UNKNOWN_CA in ingressgateway pods. We are using Gateway with tlsMode: SIMPLE and ideally it shouldn't fail with CA error. Also, out of 5 deployments, 2 deployments started working after a day without any change to cluster, but for the other deployments the request is terminating with TLSV1_ALERT_UNKNOWN_CA in ingressgateway pods. And we just created deployments with different names but using the same configuration for all deployments.

Complete error in istio-ingressgateway:

```
"GET /ping HTTP/2" 503 UF,URX "-" "TLS error: 268436504:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA" 0 91 48 - "XX.XX.XX.XX" "curl/7.54.0" "487df73f-2d2c-4f3d-a724-d112039bsds3" "keerthg-test-card-5-v1.XX.XX.XX.com" "XX.XX.XX.XX:8200" outbound|8080|v1|keerthg-test-card-5-v1.default.svc.cluster.local - XX.XX.XX.XX:8443 XX.XX.XX.XX:47172 keerthg-test-card-5-v1.XX.XX.XX.com -
```

IngressGateway for HTTPS

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: httpsingressgateway
  # use FQDN name when referencing from other namespaces: httpsingressgateway.istio-system.svc.cluster.local
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: ingressgateway-certs
      hosts:
        - "*"
```

  • [ ] Docs
  • [X] Installation
  • [ ] Networking
  • [ ] Performance and Scalability
  • [ ] Extensions and Telemetry
  • [ ] Security
  • [X] Test and Release
  • [X] User Experience
  • [X] Developer Infrastructure

Expected behavior

  • We should not see 503 errors and face TLSV1_ALERT_UNKNOWN_CA for a gateway using tlsMode: SIMPLE. It's scary that requests to similar deployments are working and others are not.

Steps to reproduce the bug The error is not consistent; the Gateway config, istioctl command etc. are provided in the description.

Version (include the output of istioctl version --remote and kubectl version --short and helm version if you used Helm)

```
$ kubectl version --short
Client Version: v1.17.0
Server Version: v1.18.9-eks-d1db3c
```

Istio: 1.7.3

How was Istio installed?

istioctl command is used to generate Istio config:

```shell
istioctl manifest generate --namespace istio-system \
  --set meshConfig.disablePolicyChecks=true \
  --set meshConfig.enableTracing=false \
  --set meshConfig.enableAutoMtls=true \
  --set meshConfig.accessLogFile=/dev/stdout \
  --set meshConfig.outboundTrafficPolicy.mode=REGISTRY_ONLY \
  --set meshConfig.enablePrometheusMerge=false \
  --set values.global.proxy.autoInject=disabled \
  --set values.global.proxy.resources.requests.cpu=100m \
  --set values.global.defaultResources.requests.cpu=100m \
  --set components.pilot.k8s.hpaSpec.minReplicas=5 \
  --set components.pilot.k8s.hpaSpec.maxReplicas=50 \
  --set components.ingressGateways.NodePort > istio-1.7.3.yaml
```

Environment where bug was observed (cloud vendor, OS, etc) AWS EKS

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 21 (10 by maintainers)

Most upvoted comments

For @2ZZ, this is fixed by https://github.com/istio/istio/pull/28273. May be a different issue for @keerthig9. Can verify by looking for anything with file-root in the config dump (at the bottom)
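The check the maintainer suggests, looking for `file-root` references in the proxy's config dump, can be scripted. The following is an added example and is not code from the issue thread or from the Istio project. It walks an Envoy config dump (the JSON that Envoy's admin `/config_dump` endpoint returns; an Istio proxy exposes that endpoint on localhost:15000, and one way to fetch it is `kubectl exec -n istio-system <ingressgateway-pod> -c istio-proxy -- pilot-agent request GET config_dump`, which is an assumption about the exact command) and groups every SDS secret reference by where the material comes from: Istio's `file-root:` / `file-cert:` file-mounted secrets, `kubernetes://` Gateway `credentialName` secrets, or the `default` / `ROOTCA` workload identities served by istiod. For context, the `UF,URX` response flags in the access log above are Envoy's codes for an upstream connection failure after the retry limit, so the TLS alert is raised on the gateway-to-workload hop, which is why the trust roots the gateway and the sidecar reference are worth comparing. `SAMPLE_DUMP` is a constructed fragment with the field names Envoy emits, not a capture from a real cluster.

```python
"""Classify the SDS secret sources referenced in an Envoy config dump.

Added example (not from the issue or the Istio code base). The dump below
is constructed; Envoy's JSON output uses camelCase field names, while
istioctl or hand-written protos may use snake_case, so both are matched.
"""
import json
from collections import defaultdict

# Constructed config-dump fragment: one gateway listener using a
# kubernetes:// credential, one cluster using istiod-issued identities,
# and one cluster still pointing at a file-mounted root CA.
SAMPLE_DUMP = json.dumps({
    "configs": [
        {
            "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
            "dynamicListeners": [{
                "name": "0.0.0.0_8443",
                "activeState": {"listener": {"filterChains": [{
                    "transportSocket": {"typedConfig": {"commonTlsContext": {
                        "tlsCertificateSdsSecretConfigs": [
                            {"name": "kubernetes://ingressgateway-certs"}]}}}}]}},
            }],
        },
        {
            "@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump",
            "dynamicActiveClusters": [
                {"cluster": {
                    "name": "outbound|8080|v1|app-a.default.svc.cluster.local",
                    "transportSocket": {"typedConfig": {"commonTlsContext": {
                        "tlsCertificateSdsSecretConfigs": [{"name": "default"}],
                        "combinedValidationContext": {
                            "validationContextSdsSecretConfig": {"name": "ROOTCA"}}}}}}},
                {"cluster": {
                    "name": "outbound|8080|v1|app-b.default.svc.cluster.local",
                    "transportSocket": {"typedConfig": {"commonTlsContext": {
                        "tls_certificate_sds_secret_configs": [
                            {"name": "file-cert:/etc/certs/cert-chain.pem~/etc/certs/key.pem"}],
                        "validation_context_sds_secret_config": {
                            "name": "file-root:/etc/certs/root-cert.pem"}}}}}},
            ],
        },
    ]
})

# Keys that hold SDS references, compared after stripping underscores and case.
SDS_KEYS = {"tlscertificatesdssecretconfigs", "validationcontextsdssecretconfig"}


def classify(name: str) -> str:
    """Map an SDS secret name to the source that serves it."""
    if name.startswith(("file-root:", "file-cert:")):
        return "file"
    if name.startswith("kubernetes://"):
        return "kubernetes-secret"
    if name in ("default", "ROOTCA"):
        return "istiod-sds"
    return "other"


def collect_sds_refs(node, found=None):
    """Recursively gather every SDS secret name, grouped by classify()."""
    if found is None:
        found = defaultdict(set)
    if isinstance(node, dict):
        for key, value in node.items():
            if key.replace("_", "").lower() in SDS_KEYS:
                entries = value if isinstance(value, list) else [value]
                for entry in entries:
                    name = entry.get("name") if isinstance(entry, dict) else None
                    if name:
                        found[classify(name)].add(name)
            else:
                collect_sds_refs(value, found)
    elif isinstance(node, list):
        for item in node:
            collect_sds_refs(item, found)
    return found


def sds_sources(dump_json: str) -> dict:
    """Return {source: sorted secret names} for a config dump JSON string."""
    refs = collect_sds_refs(json.loads(dump_json))
    return {source: sorted(names) for source, names in refs.items()}


def file_based_refs(dump_json: str) -> list:
    """The names a reviewer would grep for: anything served from files."""
    return sds_sources(dump_json).get("file", [])


if __name__ == "__main__":
    for source, names in sorted(sds_sources(SAMPLE_DUMP).items()):
        print(f"{source}:")
        for name in names:
            print(f"  {name}")
```

Run it against a saved dump with `sds_sources(open("config_dump.json").read())`; a non-empty `file` group on a proxy that is expected to use istiod-issued identities is the condition the maintainer asks to verify.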