For a couple of days I have been facing an issue while trying to establish connectivity to a web server, which exposes a REST API through an F5 URL, from my application, which is deployed in an OpenShift cluster that uses the Istio service mesh product.
Things were working fine when we were on simple TLS; the issue appeared when we switched to mTLS.
So what we're doing:
Basically, we are trying to make an mTLS connection from a React application (deployed in the OpenShift cluster) to an IBM FileNet server (which supports mTLS and is outside the cluster).
I followed the Istio docs and am trying to originate TLS from the sidecar ( https://istio.io/latest/docs/tasks/traffic-management/egress/egress-tls-origination/ ).
We have created the mesh resources below as per the docs:
Service entry:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: originate-mtls-for-my-service
spec:
  hosts:
  - my-external-host-name
  ports:
  - number: 80
    name: http-port
    protocol: HTTP
    targetPort: external-host-port   # placeholder for the FileNet TLS port number
  - number: external-host-port       # same placeholder
    name: https-port
    protocol: HTTPS
  resolution: DNS
```

Destination rule:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: originate-mtls-for-my-service
spec:
  workloadSelector:
    matchLabels:
      app: my-app-label
  host: my-external-host-name
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 80
      tls:
        mode: MUTUAL
        credentialName: client-credential # this must match the secret created earlier to hold client certs, and works only when DR has a workloadSelector
        sni: my-external-host-name
```
However, after applying the configs above, the React app (deployed on OCP) is not able to talk to the external service, and we are getting a "403 Forbidden" error.
When we hit the URL with curl from the sidecar proxy, we got the response below.
```text
curl -iv FileNet_host:FileNet_port
connected to FileNet_host:FileNet_port
ALPN offering h2
ALPN offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
TLS1.3 (OUT), TLS handshake, client hello (1):
TLS1.3 (IN), TLS handshake, server hello (2):
TLS1.3 (IN), TLS handshake, [no content] (0):
TLS1.3 (IN), TLS handshake, Encrypted Extension (8):
TLS1.3 (IN), TLS handshake, Request CERT (13):
TLS1.3 (IN), TLS handshake, Certificate (11):
TLS1.3 (OUT), TLS handshake, unknown CA (560):
SSL certificate problem: self signed certificate in chain
Closing connection (0)
```
I tried to find such an issue on the istio/discuss page; however, I couldn't find anything like what I'm facing. If somebody could please look at this and point me in the right direction, that would really help. Thanks in advance!!
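The following is an added example, not code from the post above and not Istio or Envoy code. It reproduces, offline and with Go's standard library, the three inputs a TLS-originating client needs for an mTLS endpoint like the one described: a CA that validates the server chain (the `ca.crt` key of the `credentialName` secret in the linked Istio doc), a client certificate and key (`tls.crt`/`tls.key` there), and a server name to check the certificate against (the `sni` field of the DestinationRule). Everything is constructed: a private CA, a server certificate for the hypothetical name `filenet.example.test`, a client certificate, and a local HTTPS server that requires a client certificate. The curl run in the post validated against the host bundle `/etc/pki/tls/certs/ca-bundle.crt` and presented no client certificate; the first two scenarios below show what each of those conditions produces on its own, and the last shows the combination that succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// serverSNI is a hypothetical name standing in for my-external-host-name.
const serverSNI = "filenet.example.test"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a cert for cn signed by parent/parentKey (self-signed if parent is nil).
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the SAN checked against the client's ServerName (SNI)
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// buildPKI creates a constructed private CA, a server cert for serverSNI and a client cert;
// roots (ca.crt) and client (tls.crt + tls.key) are what the sidecar's client-credential secret would carry.
func buildPKI() (roots *x509.CertPool, server, client tls.Certificate) {
	ca, caKey := issue("constructed-test-ca", 1, true, nil, nil)
	srv, srvKey := issue(serverSNI, 2, false, ca, caKey)
	cli, cliKey := issue("app-client", 3, false, ca, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	server = tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}
	client = tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}
	return roots, server, client
}

// startServer runs a local HTTPS server that demands and verifies a client cert issued under roots.
func startServer(roots *x509.CertPool, server tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: roots}
	srv.StartTLS()
	return srv
}

// fetch does one GET the way a TLS-originating sidecar would: roots validates the server
// chain (nil = the host's system bundle), ident is the client cert presented (nil = none),
// sni the name the server cert must carry. Returns the HTTP status, or 0 and the error.
func fetch(url string, roots *x509.CertPool, ident *tls.Certificate, sni string) (int, error) {
	cfg := &tls.Config{RootCAs: roots, ServerName: sni}
	if ident != nil {
		cfg.Certificates = []tls.Certificate{*ident}
	}
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := c.Get(url)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	roots, server, client := buildPKI()
	srv := startServer(roots, server)
	defer srv.Close()
	fmt.Println(fetch(srv.URL, nil, nil, serverSNI))                  // system bundle lacks the private CA: unknown authority
	fmt.Println(fetch(srv.URL, roots, nil, serverSNI))                // chain OK, but the server rejects: no client certificate
	fmt.Println(fetch(srv.URL, roots, &client, "wrong.example.test")) // chain and client OK, but name/SNI mismatch
	fmt.Println(fetch(srv.URL, roots, &client, serverSNI))            // all three right: 200
}
```

Running it prints one line per scenario; only the last returns status 200. In the sidecar-origination setup from the linked doc, this handshake is performed by the Envoy sidecar rather than by the application, so the application keeps sending plain HTTP to port 80 of `my-external-host-name` and the DestinationRule's port-80 `MUTUAL` setting supplies the equivalents of `roots`, `client` and `sni` from the `client-credential` secret.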