Create self-signed classic TLS cert with istio mTLS enabled

Hello all,

I am in a situation where I’m currently using istio, but unable to use it on certain pods (we need gvisor for certain pods which is not yet set up for istio).

We have mTLS set up with PERMISSIVE mode to handle this. However, we would rather use our own self-signed TLS s.t. we’re not sending raw HTML to the istio pods.

When we try to do this we are unable to complete the connections.

Here is what the nginx logs look like without istio:

nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/es/tls/self/tls.crt"
2019/08/05 16:35:19 [notice] 1#1: using the "epoll" event method
2019/08/05 16:35:19 [notice] 1#1: nginx/1.14.2
2019/08/05 16:35:19 [notice] 1#1: OS: Linux 4.14.127+
2019/08/05 16:35:19 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2019/08/05 16:35:19 [notice] 1#1: start worker processes
2019/08/05 16:35:19 [notice] 1#1: start worker process 6
2019/08/05 16:35:34 [info] 6#6: *1 SSL_do_handshake() failed (SSL: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 10.32.3.20, server: 0.0.0.0:9200

Showing that it reached nginx and failed due to cert trusting (as expected).

However, when we enable istio with mTLS permissive we don’t see any logs related to the connection attempt.

nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/es/tls/self/tls.crt"
2019/08/05 16:36:44 [notice] 1#1: using the "epoll" event method
2019/08/05 16:36:44 [notice] 1#1: nginx/1.14.2
2019/08/05 16:36:44 [notice] 1#1: OS: Linux 4.14.127+
2019/08/05 16:36:44 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2019/08/05 16:36:44 [notice] 1#1: start worker processes
2019/08/05 16:36:44 [notice] 1#1: start worker process 6

And on the requester’s side we get an SSL_WRONG_VERSION error:

http: error: SSLError: HTTPSConnectionPool(host='astronomer-elasticsearch-nginx.astronomer', port=9200): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:852)'),)) while doing GET request to URL: https://astronomer-elasticsearch-nginx.astronomer:9200/

Does anyone have an idea why istio would be messing with the cert here?

Istio currently doesn’t support bringing your own TLS certs in PERMISSIVE mode. In the PERMISSIVE mode, there are only two options which are currently supported:

  1. Unencrypted traffic with no TLS
  2. Mutual TLS using Istio in the ALPN header for TLS negotiation. In this mode Istio generated certificates will be used.

There is work going on in the community to support your use case. More details are in this proposal.
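The two failure signatures in the original post can be told apart from the client side: the WRONG_VERSION_NUMBER error means whatever answered the TLS ClientHello replied with non-TLS bytes (the sidecar speaking plaintext, as the answer above explains), while a CA failure means the handshake actually reached nginx and its self-signed certificate was simply not trusted. The following is an added example, not code from any post in this thread; it starts a constructed plaintext listener on localhost as a stand-in for the intercepting sidecar and classifies the handshake error it produces.

```python
import socket
import ssl
import threading


def start_plaintext_listener():
    """Constructed stand-in for a listener that answers a TLS ClientHello
    with plain HTTP, the way a non-TLS-aware sidecar or plaintext port would.
    Returns the ephemeral port it is listening on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def classify_ssl_error(reason):
    """Map an OpenSSL error reason to the situation seen in the thread."""
    if "WRONG_VERSION_NUMBER" in reason:
        return "plaintext-peer"      # peer is not speaking TLS at all
    if "UNKNOWN_CA" in reason or "CERTIFICATE_VERIFY_FAILED" in reason:
        return "untrusted-cert"      # TLS reached the server, trust failed
    return "other: " + reason


def probe_tls(host, port, timeout=5.0):
    """Attempt a TLS handshake and return a diagnosis string."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls-ok: " + tls.version()
    except ssl.SSLError as exc:
        return classify_ssl_error(exc.reason or str(exc))


if __name__ == "__main__":
    local_port = start_plaintext_listener()
    print(probe_tls("127.0.0.1", local_port))  # → plaintext-peer
```

Pointing probe_tls at the real service port through the sidecar and then at the pod IP directly shows which hop is answering in plaintext.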

Is this restriction still in effect?

If it is, would it be correct that the only way to bring our own TLS certs would be to run in STRICT mode?