SSL passthrough does not work without intermediary chain

Hey everyone,

Just a general question to the audience: did you notice that SSL passthrough mode (SSL terminated either in the app or in the envoy sidecar) won’t work with server certificates without an intermediary chain? Such a service won’t appear in the ingressgateway config_dump (http://localhost:15000/config_dump), and thus the connection fails.

I’m just trying to understand whether it is by design or a bug.

The Istio example uses intermediate cert too: https://istio.io/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/

Thanks for any answer

How exactly are you setting up SSL passthrough mode? Could you list the steps to reproduce and any yaml config needed for this? Also, how do you set up the intermediary chain?

Well, just follow https://istio.io/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/

Then, instead of https://istio.io/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/?_ga=2.39303392.271427795.1566841510-899261950.1544467795#generate-client-and-server-certificates-and-keys, generate your own self-signed certs without an intermediary. There are manuals on how to do that, but e.g.:

Create the CA key and certificate for signing server certs

# Root CA private key (2048-bit RSA) and a self-signed CA certificate valid for one year
$ openssl genrsa -out rootCA.key 2048

$ openssl req -new -x509 -days 365 -key rootCA.key -out rootCA.crt -subj '/emailAddress=foo@bar.com/C=IN/ST=Some/L=Some/O=Some/OU=Some/CN=Some'

Server - Generate server CSR and server private key

# -nodes leaves server.key unencrypted so the server can load it without a passphrase;
# CN must match the host the gateway will match on (the SNI host)
$ openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -subj '/emailAddress=foo@bar.com/C=US/ST=Some/L=Some/O=Dev/OU=Some/CN=fqdn.some.domain'

Server - Sign the server certificate with our rootCA cert

# Issues server.crt directly from the root CA, i.e. a chain with no intermediate;
# this is the "without intermediary chain" setup from the question
$ openssl x509 -req -days 365 -in server.csr -CA rootCA.crt -CAkey rootCA.key -set_serial 01 -out server.crt
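To check the symptom from the question without reading the raw dump by hand, here is an added helper (not from the thread or from Istio) that parses a saved Envoy config_dump and reports whether the gateway has an SNI filter chain for a given host. The embedded dump is a constructed, abridged sample; assumed are the Envoy ListenersConfigDump layouts for the v2 (`dynamic_active_listeners`) and v3 (`dynamic_listeners` / `active_state`) admin APIs.

```python
import json

# Constructed, abridged sample of what http://localhost:15000/config_dump returns
# from the ingressgateway; a real dump is far larger and contains more config types.
SAMPLE_CONFIG_DUMP = json.dumps({
    "configs": [
        {
            "@type": "type.googleapis.com/envoy.admin.v2alpha.ListenersConfigDump",
            "dynamic_active_listeners": [
                {
                    "listener": {
                        "name": "0.0.0.0_443",
                        "filter_chains": [
                            {"filter_chain_match": {"server_names": ["nginx.example.com"]}},
                            {"filter_chain_match": {"server_names": ["httpbin.example.com"]}},
                        ],
                    }
                }
            ],
        }
    ]
})


def sni_hosts_from_config_dump(dump_json: str) -> set:
    """Collect every SNI server name that owns a filter chain on any listener.

    Handles the v2 layout (dynamic_active_listeners -> listener) and the v3 layout
    (dynamic_listeners -> active_state -> listener). Wildcard entries such as
    "*.example.com" are returned verbatim, not expanded.
    """
    hosts = set()
    for cfg in json.loads(dump_json).get("configs", []):
        if not cfg.get("@type", "").endswith("ListenersConfigDump"):
            continue
        listeners = [e.get("listener", {}) for e in cfg.get("dynamic_active_listeners", [])]
        listeners += [e.get("active_state", {}).get("listener", {})
                      for e in cfg.get("dynamic_listeners", [])]
        for lst in listeners:
            for chain in lst.get("filter_chains", []):
                hosts.update(chain.get("filter_chain_match", {}).get("server_names", []))
    return hosts


def passthrough_host_present(dump_json: str, host: str) -> bool:
    """True when the gateway carries an SNI filter chain for `host`; if this is False
    for a host whose Gateway/VirtualService look correct, the TLS config was rejected."""
    return host in sni_hosts_from_config_dump(dump_json)
```

Run it against a saved dump with `curl -s localhost:15000/config_dump > dump.json` on the gateway pod and `passthrough_host_present(open("dump.json").read(), "fqdn.some.domain")`.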