upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED

```
/istioctl version --remote
client version: 1.10.3
control plane version: 1.10.3
data plane version: 1.10.3 (2 proxies)
```

Operator manifests:

```
apiVersion: install.istio.io/v1alpha1
kind: IstioOperator
metadata:
  namespace: istio-system
  name: istio-control-plane
spec:
  profile: default
  components:
    ingressGateways:
    - enabled: true
      name: ingressgateway
      k8s:
        serviceAnnotations:
          service.beta.kubernetes.io/azure-load-balancer-internal: "true"
        service:
          loadBalancerIP: <privateIp>
```


Gateway:

```
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: dev-ingressgateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
      - "*"
```

Virtual service:

```
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: grafana-ingress
  namespace: istio-system
spec:
  hosts:
    - "*"
  gateways:
    - dev-ingressgateway
  http:
    - match:
      - uri:
          prefix: /grafana
      route:
        - destination:
            host: prometheus-grafana.monitoring.svc.cluster.local
            port:
              number: 80
```

Could you please help me to fix this?

Good morning satheshs, hope you are well!!

I had this problem and it was solved by reviewing the certificate chain and reviewing some rules in Istio; for example, we removed the DestinationRule because it was conflicting with Istio's global TLS. Hope this helps…
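
Added example (not from the thread or the Istio project): one way to carry out the DestinationRule review mentioned in the reply above, by listing every DestinationRule whose explicit `tls` block applies to the host the VirtualService routes to. The rule names and TLS modes in `SAMPLE_RULES` are constructed, and treating any explicit `tls.mode` as the setting to review is an assumption, since the reply does not say what its DestinationRule contained.

```python
# Added example; the DestinationRule dicts below are constructed samples.
TARGET = "prometheus-grafana.monitoring.svc.cluster.local"  # from the VirtualService

def fqdn(host, namespace, domain="cluster.local"):
    """Istio expands only dotless short names, relative to the rule's namespace."""
    return host if "." in host or host == "*" else f"{host}.{namespace}.svc.{domain}"

def host_matches(rule_host, target):
    if rule_host == "*":
        return True
    if rule_host.startswith("*."):
        return target.endswith(rule_host[1:])  # "*.local" -> ".local"
    return rule_host == target

def explicit_tls(destination_rules, target=TARGET):
    """Return (rule, location, mode) for every TLS block that applies to target."""
    findings = []
    for rule in destination_rules:
        meta, spec = rule["metadata"], rule["spec"]
        if not host_matches(fqdn(spec["host"], meta["namespace"]), target):
            continue
        scopes = [("trafficPolicy", spec.get("trafficPolicy", {}))]
        scopes += [(f"subset {s['name']}", s.get("trafficPolicy", {}))
                   for s in spec.get("subsets", [])]
        for where, policy in scopes:
            mode = policy.get("tls", {}).get("mode")
            if mode:  # any explicit mode switches off auto mTLS for this host
                findings.append((f"{meta['namespace']}/{meta['name']}", where, mode))
    return findings

def dr(ns, name, host, policy):
    """Build a minimal constructed DestinationRule for the sample list."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"host": host, "trafficPolicy": policy}}

SAMPLE_RULES = [
    dr("monitoring", "grafana-tls", "prometheus-grafana", {"tls": {"mode": "SIMPLE"}}),
    dr("istio-system", "mesh-default", "*.local", {"tls": {"mode": "ISTIO_MUTUAL"}}),
    dr("default", "other-ns", "prometheus-grafana", {"tls": {"mode": "MUTUAL"}}),
    dr("monitoring", "lb-only", TARGET, {"loadBalancer": {"simple": "ROUND_ROBIN"}}),
]

if __name__ == "__main__":
    for name, where, mode in explicit_tls(SAMPLE_RULES):
        print(f"{name}: {where} sets tls.mode={mode}")
```

On a real cluster the input would be the `items` list from `kubectl get destinationrule -A -o json`.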