Automatic mTLS not working - STRICT breaks all communication in the cluster. Certs plugged in - shouldn't it be automatic?

Dear Community!

Istio is mission critical for our project and I am responsible for making it all work across 300+ microservices.

I researched Istio for half a year and did a POC on basically everything, except one topic. The one thing we were absolutely sure of, based on the docs, was that mTLS wouldn't be a problem, as Istio automatically handles the certificates, tunnels the communication from proxy to proxy, and by switching it on we can automatically use HTTPS with mTLS. Sadly that is not the case.

We have REST based APIs across the cluster that can be called from other services, and we categorized them. We have our own root CA, from which we created the necessary certs and keys for Istio and added them to the cluster. We installed Istio afterwards, as per the documentation.

Everything works: our VirtualService routing, headless Services for the main categories, AuthorizationPolicy, and you name it. But if we apply STRICT mode to the services we experience the following (PERMISSIVE mode works perfectly, of course):

curl -i -X GET https://istio-validator-svc.main-category1.foo.svc.cluster.local:3011/validate
I receive this error: self signed certificate in certificate chain

Of course plain http results in an empty response from the server.

I added a DestinationRule to the target services with ISTIO_MUTUAL - nothing really changed.
Also, as for now we only have internal communication relying on Istio, we do NOT use Istio Ingress Gateways.

Istio / Plug in CA Certificates: this doc does not really tell you either how the two services (here sleep and httpbin) are supposed to communicate with each other through the mTLS tunnel.

I also found this article: Istio / Destination Rule

But it does not make sense to me to semi-manually add these certs and keys to the clients (basically every possible microservice that can be called) via their Dockerfile or Deployment.

What do I miss?

Please help me figure this out :frowning:
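For reference, this is how the STRICT requirement and the client-side TLS setting are normally expressed in Istio, as an added example that is not part of the original post. STRICT is a server-side setting and belongs in a PeerAuthentication; a DestinationRule only controls how the calling sidecar originates the connection. The namespace main-category1, the service name istio-validator-svc and port 3011 are taken from the post; the standard Kubernetes FQDN (without the extra label in the post), the port name http, the pod label app: istio-validator and the resource names are assumptions.

```yaml
# Added example (not from the original post). Names are assumptions:
# namespace "main-category1", service "istio-validator-svc", port 3011.

# Server side: require mTLS for every workload in the namespace.
# This is where STRICT belongs; a DestinationRule cannot enforce it.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: main-category1
spec:
  mtls:
    mode: STRICT
---
# The Service port is named "http": the application still serves and
# calls plain HTTP. The sidecars wrap that traffic in mTLS using the
# workload certificates istiod issues from the plugged-in CA, so no
# cert or key needs to be baked into the application image.
apiVersion: v1
kind: Service
metadata:
  name: istio-validator-svc
  namespace: main-category1
spec:
  selector:
    app: istio-validator
  ports:
  - name: http
    port: 3011
    targetPort: 3011
---
# Client side: make the calling sidecars originate mTLS with the
# Istio-issued certificates. With auto mTLS enabled this is the
# default; the rule pins it explicitly so another DestinationRule
# for the same host cannot silently switch it to DISABLE.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: istio-validator-svc
  namespace: main-category1
spec:
  host: istio-validator-svc.main-category1.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL
```

With this applied, the application container calls http://istio-validator-svc.main-category1.svc.cluster.local:3011/validate (plain http, no client certificate in the image): the client sidecar presents the workload certificate and the server sidecar verifies it against the mesh root. Which certificate a given sidecar holds, and which root it chains to, can be read with istioctl proxy-config secret <pod> -n <namespace>; the plugged-in CA material lives in the cacerts secret in istio-system, whereas the self-signed default that istiod generates when no cacerts is present is stored in istio-ca-secret.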

Have you tried openssl s_client -connect istio-validator-svc.main-category1.foo.svc.cluster.local:3011 ? It may show you which self-signed certificate is in the chain.

If I understood correctly, you're using your own certificates for Istio mTLS. If so, check whether the default, Istio-signed root CA isn't also present in the istio-system namespace. The self-signed one and yours may be getting merged together.

Ah, another thing: if you started your mesh with Istio's default certs and changed them afterwards, you must restart istiod and the proxies (at least, in my experience).