2

So, we're working on a migration to Istio for our clusters. Right now all our backend microservices talk over gRPC (grpc-node) with TLS enabled with our own certs. And it works great. However, whenever we bring the Istio sidecar into play we get this error:

9 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

Which means of course things don't connect and the services fail.

It makes me think that the Envoy proxy isn't handling our certs correctly and we should be using their mTLS configuration, but then I don't know how to supply those certs (or find them) to my gRPC clients/servers. Any ideas are welcome.

  • I think you can troubleshoot using the following link: https://istio.io/docs/tasks/security/mutual-tls/. At first sight it looks like wrong SSL, but you need to verify first what the exact problem is: SSL, mutual TLS or gRPC – Shree Prakash Oct 12 '19 at 15:11
  • So let me double check my understanding: with mTLS systems I need to configure the mTLS in Istio? How do I get certs? Seems odd I would need to connect to the proxy first for my own mTLS connection. – LibertyBeta Oct 14 '19 at 14:05
  • "Istio automatically installs necessary keys and certificates for mutual TLS authentication in all sidecar containers" source:- https://istio.io/docs/tasks/security/mutual-tls/ – Shree Prakash Oct 14 '19 at 14:24
  • Could you provide information on where you are migrating your clusters from and to? Between clouds? – PjoterS Oct 14 '19 at 14:24
  • @ShreePrakash Those certs are for the sidecar, they aren't mounted to other running containers in the pod as far as I know. – LibertyBeta Oct 15 '19 at 15:57
  • @PjoterS Migrating from not having Istio in GCP to having Istio. – LibertyBeta Oct 15 '19 at 15:58
  • I think that this issue is caused because you don't have correct certificates inside the pods from where you are creating outbound connections. What kind of requests are you doing? Within the mesh or outside? Are those svc defined? Requests can be found at: https://istio.io/docs/tasks/security/mutual-tls/#verify-requests For traffic policies you have to check these docs: https://istio.io/docs/tasks/security/authn-policy/ Can you connect using HTTP? Also this thread might be helpful: https://github.com/srinandan/istio-workshop/blob/master/README.md#testing-the-authentication-setup – PjoterS Oct 25 '19 at 10:46

1 Answer

2

Hi, I have encountered the same error while triggering an API created for Hyperledger Fabric image version 1.4.4. I had Node.js version 12+ installed on my system; once I downgraded Node.js to version 8.20, the issue seems to be resolved.