Hello all,
I am in a situation where I’m currently using istio, but unable to use it on certain pods (we need gvisor for certain pods which is not yet set up for istio).
We have mTLS set up with PERMISSIVE mode to handle this. However, we would rather use our own self-signed TLS s.t. we’re not sending raw HTML to the istio pods.
When we try to do this we are unable to complete the connections.
Here is what the nginx logs look like without istio:
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/es/tls/self/tls.crt"
2019/08/05 16:35:19 [notice] 1#1: using the "epoll" event method
2019/08/05 16:35:19 [notice] 1#1: nginx/1.14.2
2019/08/05 16:35:19 [notice] 1#1: OS: Linux 4.14.127+
2019/08/05 16:35:19 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2019/08/05 16:35:19 [notice] 1#1: start worker processes
2019/08/05 16:35:19 [notice] 1#1: start worker process 6
2019/08/05 16:35:34 [info] 6#6: *1 SSL_do_handshake() failed (SSL: error:14037418:SSL routines:ACCEPT_SR_KEY_EXCH:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 10.32.3.20, server: 0.0.0.0:9200
Showing that it reached nginx and failed due to cert trusting (as expected).
However, when we enable istio with mTLS permissive we don’t see any logs related to the connection attempt:
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/etc/es/tls/self/tls.crt"
2019/08/05 16:36:44 [notice] 1#1: using the "epoll" event method
2019/08/05 16:36:44 [notice] 1#1: nginx/1.14.2
2019/08/05 16:36:44 [notice] 1#1: OS: Linux 4.14.127+
2019/08/05 16:36:44 [notice] 1#1: getrlimit(RLIMIT_NOFILE): 1048576:1048576
2019/08/05 16:36:44 [notice] 1#1: start worker processes
2019/08/05 16:36:44 [notice] 1#1: start worker process 6
And on the requester’s side we get an SSL_WRONG_VERSION error:
http: error: SSLError: HTTPSConnectionPool(host='astronomer-elasticsearch-nginx.astronomer', port=9200): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:852)'),)) while doing GET request to URL: https://astronomer-elasticsearch-nginx.astronomer:9200/
Does anyone have an idea why istio would be messing with the cert here?
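A small diagnostic probe, added here as an example and not part of the original post: it sends a hand-built TLS ClientHello to a host:port and classifies the first bytes that come back. A TLS record (handshake or alert) means a TLS listener answered; anything else is a plaintext reply, which is what the client reports as WRONG_VERSION_NUMBER. The function names, host and port are assumptions of this example; the sample replies in the checks are constructed.

```python
import os
import socket
import struct

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record with an SNI extension.
    Constructed by hand so the reply can be read as raw bytes."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, AES128-SHA, AES256-SHA
    ciphers = b"\xc0\x2f\xc0\x30\x00\x2f\x00\x35"
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"              # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00" + exts)                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data: bytes) -> str:
    """Classify the first bytes a listener sends back after a ClientHello.
    A TLS speaker answers with a record of content type 0x16 (handshake, i.e.
    ServerHello) or 0x15 (alert); anything else is a plaintext reply."""
    if not data:
        return "closed"
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-alert" if data[0] == 0x15 else "tls-handshake"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "plaintext-other"

def tls_alert_description(data: bytes):
    """Alert description byte of a TLS alert record (48 = unknown_ca), else None.
    Record layout: type(1) version(2) length(2) level(1) description(1)."""
    if len(data) >= 7 and data[0] == 0x15:
        return data[6]
    return None

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect to host:port, send the ClientHello and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(1024)
        except socket.timeout:
            return "no-reply"
    return classify_reply(reply)
```

Running `probe()` against the service from a pod with and without the sidecar shows directly whether a TLS listener or a plaintext speaker is answering on the port.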