OpenSSL SSL_connect: SSL_ERROR_SYSCALL for External Service Proxying

I have an external domain, r3t.io, and an internal domain, reboot3times.org. I generally prefer to terminate TLS after traffic has passed through the router, before it’s handed off to an internal service (outside the cluster), which doesn’t have TLS enabled but listens on port 8080. I’m able to terminate TLS with both Traefik and Nginx just fine, but I don’t think I quite understand where I’ve broken my Istio config (still learning).

This is my config:

---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: airport-proxy
spec:
  selector:
    istio: ingressgateway # use istio default ingress gateway
  servers:
  - port:
      number: 443
      name: tls
      protocol: TLS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      httpsRedirect: true
    hosts:
    - "airport.r3t.io"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: airport
spec:
  hosts:
  - airport.r3t.io
  gateways:
  - airport-proxy
  tls:
  - match:
    - gateways:
      - airport-proxy
      port: 443
      sni_hosts:
      - airport.r3t.io
    route:
    - destination:
        host: airport.r3t.io
        port:
          number: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: airport-http
spec:
  hosts:
  - airport.r3t.io
  ports:
  - number: 8080
    name: http-external
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
  endpoints:
  - address: airport.reboot3times.org
    ports:
      http-external: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: airport-dr
spec:
  host: airport.reboot3times.org
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8080
      tls:
        mode: DISABLE

This is the error I get when I try to reach the external service:

curl -v https://airport.r3t.io
* Rebuilt URL to: https://airport.r3t.io/
* Trying 174.29.33.129...
* TCP_NODELAY set
* Connected to airport.r3t.io (174.29.33.129) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to airport.r3t.io:443
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to airport.r3t.io:443

I was able to successfully deploy the Ingress Gateway with SDS (File Mount) httpbin example; you can see the teapot here. I’m not quite sure what I’m doing wrong. I would like to terminate TLS at the gateway and then hand the unencrypted traffic off to the internal service (outside the cluster).
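One configuration that does what the question describes (terminate TLS at the ingress gateway, then forward plain HTTP to the out-of-cluster host), written here as an added example rather than taken from the post or from the Istio project. It keeps the hostnames, certificate paths and port 8080 from the question; the port-80 redirect server and the resource names are assumptions. The differences from the config above are the ones Istio's routing model requires: a server that terminates TLS uses protocol HTTPS and is routed with http routes (tls routes match on SNI and are for non-terminated traffic), httpsRedirect only has an effect on an HTTP server, and the DestinationRule host must name the ServiceEntry host rather than its endpoint address.

```yaml
# Added example (not the poster's config): terminate TLS at the Istio ingress
# gateway and forward plain HTTP to an external, out-of-cluster service.
# Hostnames, certificate paths and port numbers are taken from the question;
# the port-80 server and the resource names are assumptions.
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: airport-proxy
spec:
  selector:
    istio: ingressgateway
  servers:
  # httpsRedirect only acts on an HTTP server: plaintext requests get a
  # 301 to https://, so nothing is ever served unencrypted.
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "airport.r3t.io"
    tls:
      httpsRedirect: true
  # protocol HTTPS + mode SIMPLE terminates TLS at the gateway and hands the
  # decrypted request to the VirtualService's http routes. A protocol TLS
  # server with tls routes matched on SNI is the passthrough model instead.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "airport.r3t.io"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: airport
spec:
  hosts:
  - airport.r3t.io
  gateways:
  - airport-proxy
  http:
  - route:
    - destination:
        host: airport.r3t.io   # the ServiceEntry host, not its endpoint address
        port:
          number: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: airport-http
spec:
  hosts:
  - airport.r3t.io
  ports:
  - number: 8080
    name: http-external
    protocol: HTTP
  location: MESH_EXTERNAL
  resolution: DNS
  endpoints:
  - address: airport.reboot3times.org
    ports:
      http-external: 8080
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: airport-dr
spec:
  host: airport.r3t.io         # must match the ServiceEntry host above
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 8080
      tls:
        mode: DISABLE          # gateway-to-service hop is plaintext HTTP, as intended
```

After applying this, the same `curl -v https://airport.r3t.io` should get past the Client hello and complete the handshake against the gateway certificate; `istioctl analyze` is a quick way to catch a Gateway/VirtualService protocol mismatch or a DestinationRule whose host matches no ServiceEntry before testing with curl. Note that the hop from the gateway to airport.reboot3times.org:8080 is unencrypted, which is exactly what the question asks for, so it should stay on a network path you trust.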