Can't route to an external https service (error 35)


#1

Using the following configuration

apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-se
spec:
  hosts:
    - www.google.com
  ports:
    - number: 443
      name: https
      protocol: HTTPS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: google-vs
spec:
  hosts:
    - www.google.com
  tls:
    - match:
        - port: 443
          sniHosts:
            - www.google.com
      route:
        - destination:
            host: www.google.com
            port:
              number: 443

When I do a curl from the container from which I want to access the URL, I get

bash-4.2# curl -vvv https://www.google.com
* About to connect() to www.google.com port 443 (#0)
*   Trying 172.217.7.164...
* Connected to www.google.com (172.217.7.164) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0
curl: (35) SSL received a record that exceeded the maximum permissible length.

This is using Kubernetes 1.11 and Istio 1.1-Snapshot-6. Could someone point me to how to fix this error? I've been trying many configurations, but no luck so far. Thanks!


#2

I think you might be missing the location and resolution on your service entry.

Make sure you set the location as MESH_EXTERNAL and resolution as DNS for your particular configuration.
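As an added example (not code posted in this thread), the question's ServiceEntry with the two fields suggested above filled in; the host, port name and number are the ones from the original question, nothing else is assumed:

```yaml
# Added example: the ServiceEntry from the question plus the two fields
# recommended in this reply. Host and port values are from the question.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: google-se
spec:
  hosts:
    - www.google.com
  # MESH_EXTERNAL marks the host as living outside the mesh, so the sidecar
  # treats it as an external service rather than a mesh-internal one.
  location: MESH_EXTERNAL
  ports:
    - number: 443
      name: https
      protocol: HTTPS
  # DNS makes the proxy resolve www.google.com itself and route to the
  # resolved addresses, instead of forwarding to whatever IP the application
  # happened to connect to (the behaviour when no resolution is set).
  resolution: DNS
```

Both values are part of the ServiceEntry spec in networking.istio.io/v1alpha3; apply with `kubectl apply -f` and re-run the `curl -vvv` from the question to see whether the TLS handshake now reaches the external host.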


#3

Thanks, Fernando, for the help. I was able to figure this out yesterday, but it was weird. In my cluster I have an instance of Keycloak running, and it was running on port 443. For some reason it looks like the traffic was being redirected there, since as soon as I changed Keycloak to another port (8443) the problem was fixed.