I am encountering a strange issue and wanted to see if someone else has stumbled across something similar. So, here it goes…
I am trying to route requests from internal services to an external service. However, we plan to migrate the external service into our K8s cluster which is why we want to use Istio MTLS from the get-go.
So, we wanted to set up an Egress Gateway with TLS origination for the external service.
I followed these instructions step-by-step: Istio / Egress Gateways with TLS Origination
For this specific service, everything works perfectly fine, i.e. my service inside K8s can reach the external service (CNN in this case).
However, when I change everything to use our own external service (currently running on a different cloud), I am getting a strange error message:
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
I was literally starting to pull my hair out after having tried a gazillion different permutations of various config changes. While the error message changed sometimes, the effect was the same: no TLS connection possible. When I changed the config back to a different external service it started working again.
Today I decided to inspect the different certificates and noticed something that I suspect to be a possible root cause:
Our server certificate has been issued by Let’s Encrypt, while all the other certs are signed by different CAs.
So, is it possible that Istio does not have Let’s Encrypt in its certificate chain?
Any idea that could get me to solve this would be highly appreciated!
P.S. There is no point in copying my config files here since they are identical to the ones in the article on the istio.io site, except that I have replaced edition.cnn.com with my external server name, e.g. ext-service.domain.com (of course the actual DNS name is different, but that should not make any difference).
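For readers hitting the same CERTIFICATE_VERIFY_FAILED class of error, the first thing to pin down is which trust bundle the egress gateway's proxy is using when it originates TLS. The following DestinationRule is an added example, not the original poster's config and not copied from the Istio documentation; it mirrors the shape of the TLS-origination rule in the referenced Istio article but makes the CA bundle explicit via the `caCertificates` field (a real field of the DestinationRule TLS settings). The host name `ext-service.domain.com`, the rule name, and the bundle path `/etc/ssl/certs/ca-certificates.crt` are assumptions: the path must exist inside the egress gateway pod, so check the proxy's filesystem (or mount your own bundle) before relying on it.

```yaml
# Added example: TLS origination at the egress gateway with an explicit
# trust bundle. Assumed values: the external host name, the rule name and
# the CA bundle path inside the istio-egressgateway pod.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls-for-ext-service   # assumed name
  namespace: istio-system               # same namespace as the egress gateway
spec:
  host: ext-service.domain.com          # placeholder for the real external host
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: SIMPLE                    # one-way TLS: verify the server, no client cert
        # Path to the CA bundle the proxy uses to verify the server chain.
        # Assumed path; it must be present in the egress gateway container.
        # If the issuer of the server certificate is not in this bundle,
        # the handshake fails with CERTIFICATE_VERIFY_FAILED.
        caCertificates: /etc/ssl/certs/ca-certificates.crt
        sni: ext-service.domain.com     # SNI must match the name on the server cert
```

Pointing `caCertificates` at a known bundle turns the question "does the proxy trust this issuer?" into something you can verify directly: compare the issuer chain the external server actually presents against the contents of that file inside the gateway pod. Also confirm that the server sends its full intermediate chain and that `sni` matches a name in the certificate's SAN list, since either mismatch produces the same verification error.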