2

I have using Envoy for grpc-web and grpc service, but it is always getting SSL error. envoy version: 98c1c9e9a40804b93b074badad1cdf284b47d58b/1.18.3/clean-getenvoy-b76c773-envoy/RELEASE/BoringSSL

stating command : sudo envoy -c testing-aa-envoy.yaml --component-log-level upstream:debug,connection:trace

As per Envoy staing log, I can see ssl certificate is taken correctly, below i menshon stating log, three can see TLS added into cluster, and backend application is running with non-ssl

 adding TLS cluster service-http
 membership update for TLS cluster service-http added 1 removed 0
transport socket match, socket default selected for host with address 112.161.112.111:8081
 DNS refresh rate reset for 112.161.112.111, refresh rate 5000 ms

And Error is getting below :-

 socket event: 3
 [C0] write ready
transport_sockets/tls/ssl_handshaker.cc:237] [C0] ssl error occurred while read: SSL
external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:219] [C0] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
] [C0] closing socket: 0
[C0] TLS error: 268435703:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[external/envoy/source/common/network/connection_impl.cc:410] [C0] raising connection event 0

Envoy conf |

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          codec_type: AUTO
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: testing.domain.com
              domains:
              - "testing.domain.com"
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: service-http
              cors:
                allow_origin_string_match:
                - prefix: "testing.domain.com"
                allow_methods: GET, PUT, DELETE, POST, OPTIONS
                allow_headers: keep-alive,user-agent,cache-control,content-type,content-transfer-encoding,custom-header-1,x-accept-content-transfer-encoding,x-accept-response-streaming,x-user-agent,x-grpc-web,grpc-timeout,content-type,channel,api-key,lang
                max_age: "1728000"
                expose_headers: custom-header-1,grpc-status,grpc-message,grpc-status-details-bin,authorization
          http_filters:
          - name: envoy.filters.http.grpc_web
            # This line is optional, but adds clarity to the configuration.
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/grpc_web/v3/grpc_web.proto
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_web.v3.GrpcWeb

          - name: envoy.filters.http.cors
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/cors/v3/cors.proto
              "@type": type.googleapis.com/envoy.extensions.filters.http.cors.v3.Cors

          - name: envoy.filters.http.grpc_json_transcoder
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.grpc_json_transcoder.v3.GrpcJsonTranscoder
              proto_descriptor: "/home/ubuntu/envoy/sync.pb"
              ignore_unknown_query_parameters: true
              services:
                - "com.tk.system.sync.Synchronizer"
              print_options:
                add_whitespace: true
                always_print_primitive_fields: true
                always_print_enums_as_ints: true
                preserve_proto_field_names: true

          - name: envoy.filters.http.router
            typed_config:
              # https://www.envoyproxy.io/docs/envoy/v1.15.0/api-v3/extensions/filters/http/router/v3/router.proto
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            # The following self-signed certificate pair is generated using:
            # $ openssl req -x509 -newkey rsa:2048 -keyout a/front-proxy-key.pem -out  a/front-proxy-crt.pem -days 3650 -nodes -subj '/CN=front-envoy'
            #
            # Instead of feeding it as an inline_string, certificate pair can also be fed to Envoy
            # via filename. Reference: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/base.proto#config-core-v3-datasource.
            #
            # Or in a dynamic configuration scenario, certificate pair can be fetched remotely via
            # Secret Discovery Service (SDS). Reference: https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret.
            - certificate_chain:
                inline_string: |
                  -----BEGIN CERTIFICATE-----
                  MIIFyTCCBLGgAwIBAgIRALSd5cAbClvwTierhXPozw4wDQYJKoZIhvcNAQELBQAw
                  gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
                  RVWrwn8TdJT3qwmnQb2r30W6Abz//BcomAamSRpxK01CEzQm5mukeeL1kvp4
                  -----END CERTIFICATE-----
                  -----BEGIN CERTIFICATE-----
                  MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
                  LcmsJWTyXnW0OMGuf1pGg+pRyrbxmRE1a6Vqe8YAsOf4vmSyrcjC8azjUeqkk+B5
                  yOGBQMkKW+ESPMFgKuOXwIlCypTPRpgSabuY0MLTDXJLR27lk8QyKGOHQ+SwMj4K
                  00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
                  -----END CERTIFICATE-----
                  -----BEGIN CERTIFICATE-----
                  MIIFyTCCBLGgAwIBAgIRALSd5cAdgdbClvwTierhXPozw4wDQYJKoZIhvcNAQELi
                  gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
                  RVWrwn8TdJT3qwmnQb2r30W6Abz//BcomAamSRpxK01CEzQm5mukeeL1kvp4
                  -----END CERTIFICATE-----
              private_key:
                inline_string: |
                  -----BEGIN RSA PRIVATE KEY-----
                  MIIEpQIBAAKCAQEAvRWWc/Wg8uLpvNGVJ3NNv7dad6lO99lMn6K5mxjAVkRjBh1K
                  oCb95/u6QBIjz+wMkAb8qZf3bttIAWYuSE/d+lChwTJa4iRQEGxMpIIAypDadfnO
                  YAp2fPpfba3vIDdW3Hg4puOKKrOFEZCGMJUzgKF1EAab1n9zGF44NGU=
                  -----END RSA PRIVATE KEY-----
  clusters:
  - name: service-http
    connect_timeout: 0.25s
    type: STRICT_DNS
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service-http
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 112.161.112.111
                port_value: 8081
shufilkhan
  • 521
  • 2
  • 6
  • 22
  • did you ever find an answer? I keep getting `...transport_socket: Cannot find field.) has unknown fields` – SuperVeetz Nov 11 '21 at 00:08
  • 1
    @SuperVeetz not sure if it's still relevant, but in case anyone comes across the same issue later on - I ran into this problem just yesterday actually. `yaml` files are indentation based, so `transport_socket` and all of it's fields are not indented properly most likely. Make sure `transport_socket` is lined up with the hypen (`-`) before `name`, and not the `n` in `name`, or anything else. That f ixed the issue for me – Sal Jan 14 '22 at 12:30
  • @Sal could you perhaps post your config? Could be helpful, I'm not working on this at the moment, but could be useful for others / future. – SuperVeetz Jan 17 '22 at 21:32

0 Answers0