
I'm trying to set up TLS on Istio, as per the Istio docs.

But when I call the service with curl, I get this:

* Connected to my-dataservice.mydomain.net (10.167.46.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: C:/Program Files/GitWP/mingw64/ssl/certs/ca-bundle.crt
*  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to my-dataservice.mydomain.net:443
* Closing connection 0

Using Chrome I get ERR_CONNECTION_CLOSED

The virtual service looks like this:

spec:
  gateways:
    - my-dataservice-gateway
  hosts:
    - >-
      my-dataservice.mydomain.net
  http:
    - route:
        - destination:
            host: my-dataservice

And the gateway looks like this:

spec:
  selector:
    istio: ingressgateway
  servers:
    - hosts:
        - >-
          my-dataservice.mydomain.net
      port:
        name: https
        number: 443
        protocol: HTTPS
      tls:
        credentialName: istio-ingressgateway-certs
        mode: SIMPLE

If I switch the gateway config to http, everything works (but on http, not https).

  port:
    number: 80
    name: http
    protocol: HTTP

The logs on the Envoy proxy sidecar show nothing. The logs on the Istio ingress gateway show this:

2022-03-15T16:11:09.201217Z info    sds resource:default pushed key/cert pair to proxy

When I examined the istio-ingressgateway-certs secret (which is in the same namespace as the Istio ingress gateway), instead of using secret key names 'cert' and 'key' as per the Istio documentation, it had keys 'tls.crt' and 'tls.key', because the secret is of type kubernetes.io/tls. These secret key-value pairs are duplicated in the secret as 'cert' and 'key' respectively. Istio's documentation on how to create the keys doesn't use the (apparently) standard key names used in TLS secrets - but it should pick up either.

mdarwin
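As an added check, not part of the question above: a small script that inspects a secret as `kubectl get secret istio-ingressgateway-certs -n istio-system -o json` would return it and reports whether it carries a complete cert/key pair under either naming convention the post mentions ('tls.crt'/'tls.key' or 'cert'/'key'), whether the values look like PEM, and whether the secret sits in the gateway's namespace. The namespace `istio-system` and the sample PEM values are assumptions.

```python
import base64

# Key-name pairs the post says Istio should accept for a SIMPLE-mode credentialName:
# the kubernetes.io/tls convention and the generic-secret convention.
KEY_PAIRS = (("tls.crt", "tls.key"), ("cert", "key"))


def _pem_has(blob_b64: str, marker: str) -> bool:
    """Base64-decode a secret value and check it is PEM framed with the given marker."""
    try:
        text = base64.b64decode(blob_b64, validate=True).decode("ascii", "replace")
    except (ValueError, TypeError):
        return False
    # Matches "-----BEGIN CERTIFICATE-----" as well as "RSA PRIVATE KEY" / "EC PRIVATE KEY".
    return "-----BEGIN " in text and f"{marker}-----" in text


def check_gateway_secret(secret: dict, gateway_namespace: str) -> dict:
    """Return {'usable', 'pair', 'problems'} for a Secret object in kubectl JSON form."""
    problems = []
    data = secret.get("data") or {}
    ns = secret.get("metadata", {}).get("namespace")
    if ns != gateway_namespace:
        problems.append(f"secret is in namespace {ns!r}, gateway runs in {gateway_namespace!r}")
    found = None
    for cert_key, key_key in KEY_PAIRS:
        if cert_key in data and key_key in data:
            found = (cert_key, key_key)
            break
        if cert_key in data or key_key in data:
            problems.append(f"only one of {cert_key}/{key_key} is present")
    if found is None:
        problems.append("no complete cert/key pair; keys present: " + ", ".join(sorted(data)))
    else:
        if not _pem_has(data[found[0]], "CERTIFICATE"):
            problems.append(f"{found[0]} does not contain a PEM certificate")
        if not _pem_has(data[found[1]], "PRIVATE KEY"):
            problems.append(f"{found[1]} does not contain a PEM private key")
    return {"usable": found is not None and not problems, "pair": found, "problems": problems}


# Constructed sample values (not real credentials): only the PEM framing matters here.
FAKE_CERT = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nMIIB.constructed.\n-----END CERTIFICATE-----\n").decode()
FAKE_KEY = base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nMIIE.constructed.\n-----END PRIVATE KEY-----\n").decode()


def sample_secret(data: dict, namespace: str = "istio-system") -> dict:
    """Build a kubernetes.io/tls Secret object shaped like `kubectl get secret -o json` output."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"name": "istio-ingressgateway-certs", "namespace": namespace},
            "data": data}


if __name__ == "__main__":
    print(check_gateway_secret(sample_secret({"tls.crt": FAKE_CERT, "tls.key": FAKE_KEY}), "istio-system"))
```

Run it against real output by loading the JSON with `json.load` and passing the dict to `check_gateway_secret`; a secret that passes here but still yields SSL_ERROR_SYSCALL points at the gateway listener rather than the credential.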

0 Answers