Hi,
I tried to configure HTTPS ingress access to an HTTPS service using the link below, https://istio.io/docs/examples/advanced-gateways/ingress-sni-passthrough. The sample given in the Istio documentation works fine with my certs.
However, if I try to apply the same Gateway and VirtualService to my use case, I get an SSL certificate validation error in the browser, and even the curl command gives an SSL handshake error. In my use case, instead of an nginx server I have a Spring Boot component with SSL enabled.
My cluster's GKE version is 1.11.8-gke.6, and I installed Istio by enabling the Istio add-on in the gcloud cluster create command. The Istio version installed is 1.0.6-gke.3. The security config is set to MTLS_PERMISSIVE.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: myapp-gateway
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH   # gateway does not terminate TLS; it only reads the SNI
    hosts:
    - "service-myapp.x.xx"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: myapp-virtual-service
spec:
  hosts:
  - "service-myapp.x.xx"
  gateways:
  - myapp-gateway
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "service-myapp.x.xx"   # must equal the SNI the client sends
    route:
    - destination:
        host: myapp
        port:
          number: 443
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
  labels:
    app: myapp
  namespace: default
spec:
  ports:
  - port: 80
    name: http-myapp
    protocol: TCP
    targetPort: 12345
  - port: 443
    name: https-myapp
    targetPort: 12345   # both Service ports point at the same container port
    protocol: TCP
  selector:
    app: myapp
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: myapp
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: x.io/myapp
        resources:
          requests:
            memory: "1024Mi"
        ports:
        - containerPort: 12345
        env:
        - name: SERVER_PORT
          value: "12345"
        volumeMounts:
        - name: myapp-keystore
          mountPath: /keystore
        - name: myapp-truststore
          mountPath: /mnt
      volumes:
      - name: myapp-keystore
        secret:
          secretName: myapp-jks
      - name: myapp-truststore
        secret:
          secretName: myapp-trust-jks
```
I looked into the logs of istio-ingressgateway. I could see the log lines where it routes the traffic to the myapp service, and I could also see the logs on the Envoy sidecar proxy. But I don't see any errors or exceptions in the logs.
Any idea how to enable debug logs in the ingress-gateway pod and the istio-proxy sidecars?
Any help will be appreciated.
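An added example (not from the original post and not Istio's own code) showing what an SNI-passthrough gateway actually has to work with. In PASSTHROUGH mode the gateway never decrypts anything: it reads the server_name extension out of the cleartext ClientHello and matches it against the `sni_hosts` list, so the route is selected purely by the SNI the client sends. The script below generates a real ClientHello offline with Python's ssl module (memory BIOs, no network), parses the SNI out of it, and checks it against host patterns. The host name `service-myapp.x.xx` is taken from the post; the `host_matches` function is an assumed approximation of Istio's exact and leading-`*.` wildcard host matching, not a copy of it.

```python
"""Extract the SNI from a TLS ClientHello the way an SNI-passthrough gateway
does, and check it against Istio-style host lists.  Added example, not Istio code."""
import ssl
import struct
from typing import List, Optional


def client_hello_bytes(server_name: Optional[str]) -> bytes:
    """Produce a real ClientHello offline via memory BIOs.  The handshake never
    completes; we keep only the first flight the client writes.  With
    server_name=None the client behaves like `curl -k https://<ip>`: no SNI at all."""
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False          # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is waiting for a ServerHello that never comes
    return outgoing.read()


def extract_sni(data: bytes) -> Optional[str]:
    """Parse the unencrypted ClientHello (RFC 8446 s4.1.2, RFC 6066 s3) and return
    the host_name from the server_name extension, or None if it is absent."""
    # TLS record header: content type (1), legacy version (2), length (2)
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    # Handshake header: msg type (1) == 1 for ClientHello, length (3)
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    pos = 2 + 32                              # legacy_version + random
    sid_len = hello[pos]; pos += 1 + sid_len  # legacy_session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = hello[pos]; pos += 1 + cm_len    # legacy_compression_methods
    if pos + 2 > len(hello):
        return None                           # no extensions block at all
    ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    end = min(pos + ext_len, len(hello))
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
        ext = hello[pos:pos + ext_size]; pos += ext_size
        if ext_type != 0:                     # 0 == server_name
            continue
        # ServerNameList: list length (2), then name_type (1), length (2), name
        lpos = 2
        while lpos + 3 <= len(ext):
            name_type = ext[lpos]
            name_len = struct.unpack("!H", ext[lpos + 1:lpos + 3])[0]
            name = ext[lpos + 3:lpos + 3 + name_len]
            lpos += 3 + name_len
            if name_type == 0:                # host_name
                return name.decode("ascii")
    return None


def host_matches(pattern: str, sni: Optional[str]) -> bool:
    """Assumed approximation of Istio host matching: exact match, a leading
    '*.' wildcard covering one or more labels, or '*' for anything.
    A ClientHello without SNI matches nothing."""
    if sni is None:
        return False
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # "*.x.xx" -> ".x.xx"
        return sni.endswith(suffix) and len(sni) > len(suffix)
    return sni == pattern


def route_for(data: bytes, sni_hosts: List[str]) -> Optional[str]:
    """Return the first sni_hosts entry the ClientHello satisfies (the entry a
    tls route match would select), or None when nothing matches."""
    sni = extract_sni(data)
    for host in sni_hosts:
        if host_matches(host, sni):
            return host
    return None


if __name__ == "__main__":
    for name in ("service-myapp.x.xx", "other.x.xx", None):
        hello = client_hello_bytes(name)
        print(f"client sni={name!r:24} parsed={extract_sni(hello)!r:24} "
              f"route={route_for(hello, ['service-myapp.x.xx'])!r}")
```

The third case is the failure mode worth checking first when a passthrough route "routes but the handshake fails": a client that connects by IP address, or by a name other than the one in `sni_hosts`, gets no matching tls route even though the Gateway accepted the TCP connection. `curl -v --resolve service-myapp.x.xx:443:<ingress-ip> https://service-myapp.x.xx` sends the expected SNI; `curl -k https://<ingress-ip>` does not. For the logging question, the istio-proxy container in both the ingress gateway pod and the sidecars exposes Envoy's admin API on port 15000, so `kubectl exec <pod> -c istio-proxy -- curl -s -X POST 'localhost:15000/logging?level=debug'` raises the verbosity of the running Envoy without a restart.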