I have a service with a self-signed SSL cert that I want to expose to the internet. I would like the Istio Gateway to terminate the SSL connection (using a cert from cert-manager) and the Istio sidecar to handle HTTPS traffic internally to the backend service.
However, when I try this I get errors from Envoy:
TLS error: 268435648:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE
My backend service is exposed like so:
---
kind: VirtualService
apiVersion: networking.istio.io/v1alpha3
metadata:
  name: stratos
  namespace: stratos
spec:
  gateways:
  - cf-system/istio-ingressgateway
  hosts:
  - console.example.com
  http:
  - route:
    - destination:
        host: console-ui-ext
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: stratos
  namespace: stratos
spec:
  host: console-ui-ext
  trafficPolicy:
    tls:
      mode: SIMPLE
---
kind: Gateway
SNIP
  - hosts:
    - console.example.com
    port:
      name: https-workloads
      number: 443
      protocol: HTTPS
    tls:
      credentialName: my-cert
      mode: SIMPLE
In the istio-sidecar, I can run curl -k https://localhost without issue. However, I get an SSL error when I use curl -k https://console-ui-ext.stratos.svc.cluster.local
What am I missing? One thing I found weird was that the routes added to Envoy are all outbound|443; I would have expected to see inbound routes there as well. I do not want TLS passthrough on the Gateway since the certificate of the backend service is not valid.
Is there a step I forgot when having an HTTPS backend?
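As an added example (not part of the original post, and not Istio project code), the following script cross-checks the Gateway, VirtualService and DestinationRule chain for the kind of mismatch a reviewer would look for before debugging the handshake itself: every route destination should have a DestinationRule, its tls.mode should be a TLS-origination mode, a SIMPLE mode means the client sidecar originates TLS without presenting a client certificate (PEER_DID_NOT_RETURN_A_CERTIFICATE is the server-side error for exactly that situation, whichever side raised it here), and a destination without an explicit port only works when the Service exposes a single port. The manifests are embedded as Python dicts constructed to mirror the posted resources; the Gateway name and namespace are assumptions, since the post elides that part.

```python
"""Consistency check for an Istio Gateway -> VirtualService -> DestinationRule chain.

Added example, not from the original post. The RESOURCES list is constructed
to mirror the posted manifests; the Gateway metadata is an assumption because
the post elided it ("SNIP").
"""
from typing import Dict, List, Optional

# Constructed input mirroring the posted manifests (Gateway name/namespace assumed).
RESOURCES: List[Dict] = [
    {"kind": "VirtualService", "metadata": {"name": "stratos", "namespace": "stratos"},
     "spec": {"gateways": ["cf-system/istio-ingressgateway"],
              "hosts": ["console.example.com"],
              "http": [{"route": [{"destination": {"host": "console-ui-ext"}}]}]}},
    {"kind": "DestinationRule", "metadata": {"name": "stratos", "namespace": "stratos"},
     "spec": {"host": "console-ui-ext", "trafficPolicy": {"tls": {"mode": "SIMPLE"}}}},
    {"kind": "Gateway", "metadata": {"name": "istio-ingressgateway", "namespace": "cf-system"},
     "spec": {"servers": [{"hosts": ["console.example.com"],
                           "port": {"name": "https-workloads", "number": 443, "protocol": "HTTPS"},
                           "tls": {"credentialName": "my-cert", "mode": "SIMPLE"}}]}},
]

# DestinationRule tls.mode values that make the client sidecar originate TLS.
ORIGINATION_MODES = {"SIMPLE", "MUTUAL", "ISTIO_MUTUAL"}


def tls_mode_for(host: str, resources: List[Dict]) -> Optional[str]:
    """Return the DestinationRule tls.mode applying to `host`, or None if there is none."""
    for r in resources:
        if r["kind"] == "DestinationRule" and r["spec"].get("host") == host:
            return r["spec"].get("trafficPolicy", {}).get("tls", {}).get("mode")
    return None


def check_chain(resources: List[Dict]) -> List[str]:
    """Return human-readable findings about the routing/TLS chain (empty list = no concerns)."""
    findings: List[str] = []
    for r in resources:
        if r["kind"] != "VirtualService":
            continue
        for http in r["spec"].get("http", []):
            for route in http.get("route", []):
                dest = route["destination"]
                host = dest["host"]
                mode = tls_mode_for(host, resources)
                if mode is None:
                    findings.append(f"{host}: no DestinationRule tls.mode, so the sidecar "
                                    "sends plaintext HTTP to the backend")
                elif mode not in ORIGINATION_MODES:
                    findings.append(f"{host}: tls.mode {mode} does not originate TLS")
                elif mode == "SIMPLE":
                    findings.append(f"{host}: tls.mode SIMPLE originates TLS without a client "
                                    "certificate; a backend that requires one rejects the handshake")
                if "port" not in dest:
                    findings.append(f"{host}: destination has no port; this only works when the "
                                    "Service exposes a single port")
    for r in resources:
        if r["kind"] != "Gateway":
            continue
        for srv in r["spec"].get("servers", []):
            if srv["port"]["protocol"] != "HTTPS":
                continue
            tls = srv.get("tls", {})
            if tls.get("mode") == "PASSTHROUGH":
                findings.append(f"gateway {srv['port']['name']}: PASSTHROUGH forwards the "
                                "backend's own certificate to clients")
            elif tls.get("mode") in ("SIMPLE", "MUTUAL") and not tls.get("credentialName"):
                findings.append(f"gateway {srv['port']['name']}: termination mode without "
                                "credentialName")
    return findings


if __name__ == "__main__":
    for line in check_chain(RESOURCES):
        print(line)
```

Run as-is it reports the two points worth confirming for the posted manifests: the SIMPLE origination mode and the port-less destination. Dropping the DestinationRule from the list changes the first finding to a plaintext warning, which is the quickest way to see which half of the chain a given finding comes from.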