Problem configuring ingress gateway with TLS and wildcard hosts

Hi,

I want to run the following setup:

  • a single ingress gateway that handles all the incoming traffic; example: *.dev000.k8s.dev
  • a single ingress gateway for each subdomain; example: *.dev000.k8s.dev, *.dev001.k8s.dev, etc.
  • a virtual service for each separate URL; example: app1.dev000.k8s.dev, app2.dev001.k8s.dev, etc.; the virtual services are mapped to respective gateway based on the subdomain;
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: app1
spec:
  hosts:
  - "app1.dev003.k8s.dev"
  gateways:
  - dev003
  http:
  - match:
    - uri:
        exact: /
    route:
    - destination:
        host: app1
        port:
          number: 8080
  • the ingress gateways configured with simple TLS;

Unfortunately, I have problems configuring ingress gateway with TLS and wildcard host.

When I configure the ingress gateway with host “*****” everything works fine.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dev003
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: http-443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - '*'

When I configure the ingress gateway with host “*.dev003.k8s.dev” load balancing stops working.

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dev003
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: http-443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - '*.dev003.k8s.dev'

The error when I try to access my application using cURL is the following one:

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to <someid>.eu-central-1.elb.amazonaws.com:443

Moreover, when the ingress gateway is not configured to work with TLS, this wildcard hostname configuration works.

This is with Istio version 1.5.1. I also tried version 1.4.7, but the behavior is the same.

Is this expected behavior or I am not configuring something properly?

Since this is the first time that I am posting here, I apologize if I am not posting all the needed information in order to properly describe the issue.

Regards,
Rashid

Hi,

Can you please double check the SSL cert to ensure the CN is fine (and the alternate name too) for using a star ?
Instead of curl, can you check connecting with openssl and double check the certs too ?
Can you also provide your curl command ?

As a side note, you should also use gateway SDS to provide the certificate, but this has nothing to do with your issue.

I’ve hit this exact issue on 1.5.2.
Do you solve the problem?