
I have started working on an Istio implementation and am able to see some progress. I have a few doubts and I see myself missing something in the documentation....

Currently, I am using a gateway, virtual service, destination rules and authorization services for 2 deployments, and I am able to see the graph with mTLS enabled in the Kiali dashboard. It's all working fine.

As I now have to use GoDaddy CA certs, I went through the documentation regarding "Plug in certificates and key into the cluster". It looks like during a fresh installation of Istio it picks up the custom CA certs, but with the errors below:

2022-02-03T16:23:31.337162Z info    initializing mesh networks from mesh config watcher
2022-02-03T16:23:31.337167Z info    initializing mesh handlers
2022-02-03T16:23:31.337178Z info    creating CA and initializing public key
2022-02-03T16:23:31.337214Z info    Use local CA certificate
Error: failed to create discovery service: failed to create CA: failed to create an istiod CA: certificate is not authorized to sign other certificates
2022-02-03T16:23:31.338090Z error   failed to create discovery service: failed to create CA: failed to create an istiod CA: certificate is not authorized to sign other certificates

I am a bit stuck on this and am exploring other approaches, in case there is anything I am missing.

Can you please advise with some inputs regarding this?

1 Answer


If I am understanding you correctly, you are talking about this page and trying to issue certs on behalf of GoDaddy. This will not work (unless you are the owner of GoDaddy..)

You most likely do not need this setup unless perhaps you are running two clusters.

If using AWS you would normally have an ALB connected to your Istio Gateway (NodePort) via HTTPS. Let Istio use self-signed certs.

Cory Silva
  • Thanks for the reply. So in the destination rules for mTLS, can I use GoDaddy CA certs or not? Please share your thoughts – Madhusudhan G Revankar Feb 10 '22 at 22:41
  • No. Istio will be provisioning and rotating those mTLS certs every three months, so it must be a certificate authority. Using a 3rd party CA like GoDaddy for some mTLS within your cluster does not make sense. It is like you are saying that you do not trust your cluster identity and want a third party to verify it... – Cory Silva Feb 13 '22 at 06:29