Help needed: Istio gateway ingress is not working as expected

I am trying to make an Istio gateway (with certificates from for public access to a deployed application. Here are the configurations:

Cert manager installed in cluster via helm:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set installCRDs=true

Certificate issuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: kube-system
spec:
  acme:
    email: xxx@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: letsencrypt-staging
    # Add a single challenge solver, HTTP01 using istio
    solvers:
      - http01:
          ingress:
            class: istio

Certificate file:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: url-certs
  namespace: istio-system
  annotations:
    cert-manager.io/issue-temporary-certificate: "true"
spec:
  secretName: url-certs
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  commonName: bot.demo.live
  dnsNames:
  - bot.demo.live
  - "*.demo.live"

Gateway file:

# gateway.yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: public-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
    tls:
      httpsRedirect: true
  - port:
      number: 443
      name: https-url-1
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      credentialName: "url-certs" # This should match the Certificate secretName

Application Deployment file:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: microbot
  name: microbot
  namespace: bot-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: microbot
  template:
    metadata:
      labels:
        app: microbot
    spec:
      containers:
      - name: microbot
        image: dontrebootme/microbot:v1
        resources:
          limits:
            memory: "128Mi"
            cpu: "500m"
        ports:
        - containerPort: 80

Virtual service and application service:

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: microbot-virtual-svc
  namespace: bot-demo
spec:
  hosts:
  - bot.demo.live
  gateways:
  - istio-system/public-gateway
  http:
  - match:
    - uri:
        prefix: "/"
    route:
    - destination:
        host: microbot-service
        port:
          number: 9100
---
apiVersion: v1
kind: Service
metadata:
  name: microbot-service
  namespace: bot-demo
spec:
  selector:
    app: microbot
  ports:
  - port: 9100
    targetPort: 80

Whenever I try to curl https://bot.demo.live, I get a certificate error. The certificate issuer is working. I just can’t figure out how to expose the deployed application via the Istio gateway for external access. bot.demo.live is already in my /etc/hosts file and I can ping it just fine.

What am I doing wrong? This is my first shot at Istio.
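
An added example, not part of the original post: an offline consistency check across the three manifests above, covering wildcard names versus ACME solver type, issuer name versus ACME server URL, and the Gateway's credentialName versus the Certificate's secret. The dictionaries are constructed copies of the relevant fields, find_issues is a hypothetical helper name, and the ingress gateway workload is assumed to run in the Gateway's namespace.

```python
# Added example: offline consistency checks for the manifests in the post.
# The dicts are constructed copies of the relevant fields only.
ISSUER = {
    "metadata": {"name": "letsencrypt-staging"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "solvers": [{"http01": {"ingress": {"class": "istio"}}}],
    }},
}
CERTIFICATE = {
    "metadata": {"name": "url-certs", "namespace": "istio-system"},
    "spec": {"secretName": "url-certs",
             "dnsNames": ["bot.demo.live", "*.demo.live"]},
}
GATEWAY = {
    "metadata": {"name": "public-gateway", "namespace": "istio-system"},
    "spec": {"servers": [
        {"port": {"number": 443, "protocol": "HTTPS"},
         "tls": {"mode": "SIMPLE", "credentialName": "url-certs"}},
    ]},
}

def find_issues(issuer, cert, gateway):
    """Return a list of mismatches between issuer, certificate and gateway."""
    issues = []
    acme = issuer["spec"]["acme"]
    solver_types = {kind for solver in acme["solvers"] for kind in solver}
    wildcards = [n for n in cert["spec"]["dnsNames"] if n.startswith("*.")]
    # ACME HTTP-01 cannot validate wildcard names; they need a DNS-01 solver.
    if wildcards and "dns01" not in solver_types:
        issues.append("wildcard dnsName requires a dns01 solver")
    # Let's Encrypt staging is served from acme-staging-v02, production from acme-v02.
    name_is_staging = "staging" in issuer["metadata"]["name"]
    url_is_staging = "acme-staging-v02" in acme["server"]
    if name_is_staging != url_is_staging:
        issues.append("issuer name and ACME server disagree on staging")
    # Assumption: the ingress gateway workload runs in the Gateway's namespace,
    # which is where Istio looks up the credentialName secret.
    same_ns = gateway["metadata"]["namespace"] == cert["metadata"]["namespace"]
    for srv in gateway["spec"]["servers"]:
        cred = srv.get("tls", {}).get("credentialName")
        if cred and (cred != cert["spec"]["secretName"] or not same_ns):
            issues.append("gateway credentialName does not match certificate secret")
    return issues

if __name__ == "__main__":
    print(find_issues(ISSUER, CERTIFICATE, GATEWAY))
```

The checks compare the manifests with each other only; the state of the issued certificate still has to be read from the cluster.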