My cluster uses Istio, and one of the services (Java) deployed in the mesh needs to connect to the external resource x.cmp.net/doc.pdf over HTTP on port 443. This external resource uses a trusted wildcard cert (DigiCert) with subjects *.cmp.net and cmp.net.
When I try to use openssl (from the app container) to verify the SSL cert, I get a Google cert (?? Istio cert?):

```
opt$ openssl s_client -showcerts -connect x.cmp.net:443
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = *.google.com
verify return:1
---
Certificate chain
 0 s:CN = *.google.com
```
The application is written in Java, and when it tries to download the resource it gets:

```
No subject alternative DNS name matching shipjobmt.ista.net found.
```
My configuration:

```yaml
apiVersion: networking.istio.io/v1beta1
kind: ServiceEntry
metadata:
  name: internalnet
  namespace: ppct
spec:
  hosts:
  - x.cmp.net
  - y.cmp.net
  - z.cmp.net
  exportTo:
  - "."
  ports:
  - number: 443
    name: https
    protocol: HTTPS
  location: MESH_EXTERNAL
  resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: xinternalnet
  namespace: ppct
spec:
  host: x.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: yinternalnet
  namespace: ppct
spec:
  host: y.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: zinternalnet
  namespace: ppct
spec:
  host: z.cmp.net
  trafficPolicy:
    tls:
      mode: SIMPLE
```
I also have blocking mode on:

```
$ kubectl get istiooperator installed-state -n istio-system -o jsonpath='{.spec.meshConfig.outboundTrafficPolicy.mode}'
REGISTRY_ONLY
```

`istioctl version`:

```
client version: 1.11.0
control plane version: 1.11.0
data plane version: 1.11.0 (65 proxies)
```

`kubectl version --short`:

```
Client Version: v1.19.9
Server Version: v1.19.9
```
Your problem seems to be linked to double TLS (you can read more here). There are two possible solutions:

1. In the ServiceEntry, define the protocol as HTTP with redirection to 443:

```yaml
spec:
  hosts:
  - ...
  ports:
  - number: 80
    name: http
    protocol: HTTP
    targetPort: 443
```

2. Disable TLS for outgoing traffic with the DestinationRule:

```yaml
trafficPolicy:
  tls:
    mode: DISABLE
```
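To make the "double TLS" condition concrete, here is an added example (not part of the question or the answer above) that lints a set of Istio manifests for the combination the answer describes: a ServiceEntry port declared as `HTTPS`/`TLS` paired with a DestinationRule whose `tls.mode` makes the sidecar originate TLS as well (`SIMPLE` or `MUTUAL`), so the application's own TLS session gets wrapped a second time. The manifests are represented as already-parsed dicts (the shape `yaml.safe_load_all` would return) so the script has no PyYAML dependency; the sample manifests are constructed here to mirror the question's configuration, and `find_double_tls`, `fix_with_http_port` and `fix_with_tls_disable` are hypothetical helper names, not an Istio API. The checker also honours `portLevelSettings` and DestinationRule wildcard hosts, which goes slightly beyond the single case on the page.

```python
"""Lint Istio egress manifests for the 'double TLS' misconfiguration.

Added example, not from the original question or answer. Manifests are
plain dicts (what yaml.safe_load_all would return) so this runs without
PyYAML; the sample manifests are constructed to mirror the question.
"""
import copy
from typing import Dict, List, Set

Manifest = Dict[str, object]

# DestinationRule tls modes in which the sidecar itself originates TLS.
ORIGINATING_MODES = {"SIMPLE", "MUTUAL"}

# Constructed sample: the question's ServiceEntry, as a parsed dict.
SERVICE_ENTRY: Manifest = {
    "apiVersion": "networking.istio.io/v1beta1",
    "kind": "ServiceEntry",
    "metadata": {"name": "internalnet", "namespace": "ppct"},
    "spec": {
        "hosts": ["x.cmp.net", "y.cmp.net", "z.cmp.net"],
        "exportTo": ["."],
        "ports": [{"number": 443, "name": "https", "protocol": "HTTPS"}],
        "location": "MESH_EXTERNAL",
        "resolution": "DNS",
    },
}


def destination_rule(name: str, host: str, mode: str) -> Manifest:
    """Build a DestinationRule dict like the three in the question (constructed)."""
    return {
        "apiVersion": "networking.istio.io/v1alpha3",
        "kind": "DestinationRule",
        "metadata": {"name": name, "namespace": "ppct"},
        "spec": {"host": host, "trafficPolicy": {"tls": {"mode": mode}}},
    }


ORIGINAL_MANIFESTS: List[Manifest] = [SERVICE_ENTRY] + [
    destination_rule(f"{h[0]}internalnet", h, "SIMPLE")
    for h in ("x.cmp.net", "y.cmp.net", "z.cmp.net")
]


def _host_matches(rule_host: str, entry_host: str) -> bool:
    """Exact match, or a DestinationRule wildcard host such as '*.cmp.net'."""
    if rule_host.startswith("*."):
        return entry_host.endswith(rule_host[1:])  # compare against '.cmp.net'
    return rule_host == entry_host


def _finding(rule: Manifest, host: str, port: int, mode: str) -> Dict[str, object]:
    name = rule["metadata"]["name"]
    return {"rule": name, "host": host, "port": port, "mode": mode,
            "message": f"DestinationRule {name}: tls.mode {mode} towards {host}:{port}, "
                       f"but the ServiceEntry already declares that port as TLS (double TLS)"}


def find_double_tls(manifests: List[Manifest]) -> List[Dict[str, object]]:
    """Return one finding per (DestinationRule, host, port) where the sidecar
    would originate TLS to a port the ServiceEntry declares as HTTPS/TLS."""
    # 1. Ports each ServiceEntry host declares as already carrying TLS.
    tls_ports: Dict[str, Set[int]] = {}
    for m in manifests:
        if m.get("kind") != "ServiceEntry":
            continue
        for port in m["spec"].get("ports", []):
            if str(port.get("protocol", "")).upper() in ("HTTPS", "TLS"):
                for host in m["spec"].get("hosts", []):
                    tls_ports.setdefault(host, set()).add(int(port["number"]))
    # 2. DestinationRules that originate TLS towards one of those ports.
    findings: List[Dict[str, object]] = []
    for m in manifests:
        if m.get("kind") != "DestinationRule":
            continue
        spec = m["spec"]
        policy = spec.get("trafficPolicy", {})
        default_mode = policy.get("tls", {}).get("mode")
        for entry_host, ports in tls_ports.items():
            if not _host_matches(spec["host"], entry_host):
                continue
            covered: Set[int] = set()  # ports with their own port-level tls setting
            for pls in policy.get("portLevelSettings", []):
                number = int(pls.get("port", {}).get("number", -1))
                covered.add(number)
                mode = pls.get("tls", {}).get("mode")
                if mode in ORIGINATING_MODES and number in ports:
                    findings.append(_finding(m, entry_host, number, mode))
            if default_mode in ORIGINATING_MODES:
                for number in sorted(ports - covered):
                    findings.append(_finding(m, entry_host, number, default_mode))
    return findings


def fix_with_http_port(manifests: List[Manifest]) -> List[Manifest]:
    """Answer's option 1: expose each HTTPS port to the app as plain HTTP on 80
    with targetPort pointing at the real port, so only the sidecar does TLS."""
    fixed = copy.deepcopy(manifests)
    for m in fixed:
        if m.get("kind") == "ServiceEntry":
            m["spec"]["ports"] = [
                {"number": 80, "name": "http", "protocol": "HTTP", "targetPort": p["number"]}
                if str(p.get("protocol", "")).upper() in ("HTTPS", "TLS") else p
                for p in m["spec"].get("ports", [])
            ]
    return fixed


def fix_with_tls_disable(manifests: List[Manifest]) -> List[Manifest]:
    """Answer's option 2: tls.mode DISABLE, so the app's own TLS passes through."""
    fixed = copy.deepcopy(manifests)
    for m in fixed:
        if m.get("kind") == "DestinationRule":
            m["spec"].setdefault("trafficPolicy", {})["tls"] = {"mode": "DISABLE"}
    return fixed


if __name__ == "__main__":
    for f in find_double_tls(ORIGINAL_MANIFESTS):
        print(f["message"])
    print("after option 1:", find_double_tls(fix_with_http_port(ORIGINAL_MANIFESTS)))
    print("after option 2:", find_double_tls(fix_with_tls_disable(ORIGINAL_MANIFESTS)))
```

Run as-is it reports three findings (one per DestinationRule, all for port 443 with mode `SIMPLE`) and an empty list after either fix. Note the trade-off between the two options: with option 1 the application sends plaintext to its sidecar and trusts the sidecar's TLS origination (and its CA bundle) for the hop to cmp.net; with option 2 the application keeps end-to-end TLS and its own hostname verification, which is why the Java error in the question would disappear only once the sidecar stops presenting a foreign certificate.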