Hi everyone, with the Root CA exchange of Let’s Encrypt (deprecation of DST Root CA X3) we ran into the problem that the egress calls from the Istio sidecars to external hosts which have an LE server cert signed by the new Root CA (ISRG X3 Root) don’t work anymore.
upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
Further investigations have shown that this problem doesn’t occur with the latest 1.12.0-beta Istio version. The reason is that the expired DST Root CA X3 chain isn’t part of the trusted ca-certs anymore.
I would guess that everyone who does egress calls to external hosts with LE server certs is facing this issue?
Has anyone found a different solution without having to wait until the new Istio version without the expired root CA cert is officially released? (1.11.4 also contains the expired cert)
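A diagnostic added here, not from the original post or from Istio: a stdlib-only Python scan that lists the expired certificates in a PEM CA bundle (for example the ca-certificates file the sidecar trusts), so an operator can confirm whether a given image still carries the expired DST Root CA X3 before deciding how to proceed. The bundle it runs on is constructed inline from unsigned stand-in certificates; their subject names and notAfter values (30 Sep 2021 for the DST root, 4 Jun 2035 for ISRG Root X1) are sample values, and the path of the real bundle to scan is whatever the sidecar image uses.

```python
import base64
import re
from datetime import datetime, timezone

# Added diagnostic (not from the original post): list expired certs in a PEM CA bundle, stdlib only.
def der_read(buf, off=0):  # -> (tag, value, total_size) of the DER element at buf[off]
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), 2 + n
    return tag, buf[off + hdr:off + hdr + length], hdr + length

def der_children(buf):  # split a constructed element's contents into (tag, value) pairs
    out, off = [], 0
    while off < len(buf):
        tag, val, size = der_read(buf, off)
        out.append((tag, val))
        off += size
    return out

def cert_cn_and_not_after(der):  # -> (subject commonName, notAfter as aware UTC datetime)
    fields = der_children(der_children(der_read(der)[1])[0][1])  # TBSCertificate fields
    fields = fields[1:] if fields[0][0] == 0xA0 else fields      # skip optional [0] version
    validity, subject = fields[3][1], fields[4][1]              # serial, sigAlg, issuer, validity, subject
    tag, val = der_children(validity)[1]                        # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = ("%y" if tag == 0x17 else "%Y") + "%m%d%H%M%SZ"
    not_after = datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; pick the id-at-commonName (2.5.4.3) value
    atvs = [der_children(atv) for _, rdn in der_children(subject) for _, atv in der_children(rdn)]
    cn = next((v.decode("utf-8", "replace") for (_, oid), (_, v) in atvs if oid == b"\x55\x04\x03"), "<no CN>")
    return cn, not_after

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
def expired_certs(pem_bundle, now=None):  # -> [(cn, notAfter)] for every cert already past notAfter
    now = now or datetime.now(timezone.utc)
    parsed = [cert_cn_and_not_after(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_bundle)]
    return [(cn, not_after) for cn, not_after in parsed if not_after < now]

# Constructed sample bundle: unsigned stand-in certs with only a subject CN and validity (short-form DER).
def _der(tag, payload): return bytes([tag, len(payload)]) + payload
def _fake_cert_pem(cn, not_after_utctime):
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"000101000000Z") + _der(0x17, not_after_utctime.encode()))
    alg = _der(0x30, _der(0x06, b"\x2a\x03"))  # placeholder algorithm OID, constructed sample only
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + name + validity + name + _der(0x30, b""))
    body = base64.b64encode(_der(0x30, tbs + alg + _der(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

SAMPLE_BUNDLE = (_fake_cert_pem("DST Root CA X3", "210930140115Z")   # sample: expired 30 Sep 2021
                 + _fake_cert_pem("ISRG Root X1", "350604110438Z"))  # sample: valid until 2035
```

Point `expired_certs` at the contents of the sidecar's real bundle to get the list of expired subjects it still trusts.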