Connection reset Connecting socket to /10.10.6.28:31390 with timeout 0

UPDATE: Resolved. SSL Issue. IP address not acceptable even if host domain is passed in header. Must use domain name.

So I have an end-to-end HTTP to gRPC call working using HTTP, and I am now trying it with HTTPS (TLS).

But I am getting error:

Connecting socket to /10.10.6.28:31390 with timeout 0

Here is full setup:

  22:31:24.567 [main] DEBUG   org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request:  [route: {s}->https://10.10.6.28:31390][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]

22:31:24.590 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 0][route: {s}->https://10.10.6.28:31390][total kept alive: 0; route allocated: 1 of 2; total allocated: 1 of 20]
22:31:24.592 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Opening connection {s}->https://10.10.6.28:31390
22:31:24.596 [main] DEBUG org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to /10.10.6.28:31390
22:31:24.596 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Connecting socket to /10.10.6.28:31390 with timeout 0
22:31:24.791 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2]
22:31:24.792 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

22:31:24.792 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake
22:31:24.830 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection
22:31:24.830 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded
22:31:24.831 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {s}->https://10.10.6.28:31390][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20]
22:31:24.831 [main] INFO org.apache.http.impl.execchain.RetryExec - I/O exception (java.net.SocketException) caught when processing request to {s}->https://10.10.1.77:31390: Connection reset
22:31:24.835 [main] DEBUG org.apache.http.impl.execchain.RetryExec - Connection reset
java.net.SocketException: Connection reset

Here is gateway:

kubectl apply -f - <<EOF
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: grpc-tls-gateway
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - mydomain.com
EOF

I do have keys installed on the ingress in istio-system and properly referenced:

Here is virtualservice:

Spec:
  Gateways:
    grpc-tls-gateway
  Hosts:
    mydomain.com
  Http:
    Match:
      Uri:
        Prefix: /com.test.echo.EchoService/echo
    Route:
      Destination:
        Host: echo
        Port:
          Number: 9009

Is there an EnvoyFilter of type: HTTPS or just HTTP, because my bridge filter is type HTTP?

Here is what I have now:

create an EnvoyFilter

apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: echo-filtering
spec:
  workloadLabels:
    app: echo
  filters:
  - listenerMatch:
      portNumber: 9009
      listenerType: SIDECAR_INBOUND
    insertPosition:
      index: BEFORE
      relativeTo: envoy.router
    filterName: envoy.grpc_http1_bridge
    filterType: HTTP
    filterConfig:
      services:
      - com.test.echo.EchoService

Lastly I am using /etc/hosts file with entry of

10.10.6.28 mydomain.com

on the client that makes the call. The client works fine for http but not when I adjust for https for some reason.