I am trying to initiate an mTLS connection directly from the sidecar proxy container to the external service without any egress gateway.
My current config looks something like the one below. As you can see, I'm trying to upgrade the HTTP requests to HTTPS with the client certs before reaching out to the external service.
Not sure if the config I have is correct though.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
  name: somedomain-mtls
spec:
  hosts:
  - somedomain.com
  ports:
  - number: 443
    name: http
    protocol: HTTP
  resolution: DNS
  location: MESH_EXTERNAL
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: somedomain-mtls
spec:
  hosts:
  - somedomain.com
  http:
  - match:
    - port: 80
    route:
    - destination:
        host: somedomain.com
        port:
          number: 443
      weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: somedomain-mtls
spec:
  host: somedomain.com
  trafficPolicy:
    loadBalancer:
      simple: ROUND_ROBIN
    portLevelSettings:
    - port:
        number: 443
      tls:
        mode: MUTUAL
        clientCertificate: /etc/istio/client-certs/client.pem
        privateKey: /etc/istio/client-certs/client.key
        caCertificates: /etc/istio/client-certs/ca.pem
        sni: somedomain.com
---
From the container, I am trying to reach the service using HTTP but getting a 503. On further checking the sidecar proxy logs, I see an OpenSSL internal error but without any reason. Wondering what is wrong or being missed here.
2020-12-09T22:29:13.832279Z debug envoy pool [external/envoy/source/common/http/conn_pool_base.cc:337] queueing request due to no available connections
2020-12-09T22:29:13.832283Z debug envoy pool [external/envoy/source/common/http/conn_pool_base.cc:47] creating a new connection
2020-12-09T22:29:13.832310Z debug envoy client [external/envoy/source/common/http/codec_client.cc:34] [C1272] connecting
2020-12-09T22:29:13.832315Z debug envoy connection [external/envoy/source/common/network/connection_impl.cc:727] [C1272] connecting to x.x.x.x:443
2020-12-09T22:29:13.832357Z debug envoy connection [external/envoy/source/common/network/connection_impl.cc:736] [C1272] connection in progress
2020-12-09T22:29:13.857767Z debug envoy connection [external/envoy/source/common/network/connection_impl.cc:592] [C1272] connected
2020-12-09T22:29:13.857823Z debug envoy connection [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:191] [C1272] handshake expecting read
2020-12-09T22:29:13.881971Z debug envoy connection [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198] [C1272] handshake error: 1
2020-12-09T22:29:13.881983Z debug envoy connection [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C1272] TLS error: 268436576:SSL routines:OPENSSL_internal:
2020-12-09T22:29:13.881989Z debug envoy connection [external/envoy/source/common/network/connection_impl.cc:200] [C1272] closing socket: 0
2020-12-09T22:29:13.882004Z debug envoy client [external/envoy/source/common/http/codec_client.cc:91] [C1272] disconnect. resetting 0 pending requests
2020-12-09T22:29:13.882010Z debug envoy pool [external/envoy/source/common/http/conn_pool_base.cc:265] [C1272] client disconnected, failure reason: TLS error: 268436576:SSL routines:OPENSSL_internal:
2020-12-09T22:29:13.882022Z debug envoy router [external/envoy/source/common/router/router.cc:1018] [C1271][S2062324833167670924] upstream reset: reset reason connection failure
Any pointers would be really helpful.
Thanks
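An added example, not part of the original post: the numeric code Envoy prints after `TLS error:` is a packed BoringSSL error, and decoding it recovers the detail that the empty `OPENSSL_internal:` text leaves blank. It assumes BoringSSL's ERR_PACK layout (library id in the top byte, reason code in the low 12 bits, with TLS alerts received from the peer reported as reason 1000 + alert number) and uses the alert names from RFC 5246 and RFC 7301.

```python
import re

# TLS alert descriptions (RFC 5246 section 7.2; 120 is from RFC 7301 / ALPN).
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
    112: "unrecognized_name", 116: "certificate_required",
    120: "no_application_protocol",
}

# Assumption: BoringSSL library ids (err.h); 16 is ERR_LIB_SSL, which is
# what the "SSL routines" text in the log line corresponds to.
BORINGSSL_LIBS = {16: "SSL"}
ALERT_REASON_OFFSET = 1000  # BoringSSL: SSL_R_*_ALERT_* == 1000 + alert code


def decode_boringssl_error(code):
    """Split a packed BoringSSL error into library, reason and TLS alert."""
    lib = (code >> 24) & 0xFF
    reason = code & 0xFFF
    alert = None
    if BORINGSSL_LIBS.get(lib) == "SSL" and \
            ALERT_REASON_OFFSET <= reason < ALERT_REASON_OFFSET + 256:
        alert_num = reason - ALERT_REASON_OFFSET
        alert = TLS_ALERTS.get(alert_num, "alert %d" % alert_num)
    return {"lib": BORINGSSL_LIBS.get(lib, "lib %d" % lib),
            "reason": reason, "alert": alert}


def decode_envoy_tls_errors(log_text):
    """Find every 'TLS error: <code>:' in Envoy debug output and decode it."""
    return [decode_boringssl_error(int(m.group(1)))
            for m in re.finditer(r"TLS error: (\d+):", log_text)]


# Sample input: the failing handshake line as it appears in the post above.
SAMPLE_LOG = (
    "2020-12-09T22:29:13.881983Z debug envoy connection [C1272] "
    "TLS error: 268436576:SSL routines:OPENSSL_internal:\n"
)
```

Running `decode_envoy_tls_errors(SAMPLE_LOG)` on the post's line yields an SSL-library reason of 1120, i.e. a TLS alert the external server sent back during the handshake rather than a local certificate-loading problem.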