Self-signed certificate problem in gloo-edge?

[ntx-ben]

Hi,

I'm following the example to use a self-signed certificate using cert-manager to use HTTPS in gloo-edge (https://docs.solo.io/gloo-edge/1.5.25/guides/integrations/cert_manager/).

I'm using Kubernetes 1.20.2 (in KinD) in a local development environment, and gloo-edge 1.18.12.

I've setup cert-manager and created a self-signed Root CA, then generated a new Certificate to be used by gloo-edge, per https://docs.solo.io/gloo-edge/latest/guides/security/tls/server_tls/. The Certificate looks like this:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: upstream-tls
  namespace: gloo-system
spec:
  secretName: upstream-tls
  commonName: wss.upstream.com
  duration: 43800h0m0s # 5y
  isCA: false
  issuerRef:
    name: local-ca-issuer
    kind: ClusterIssuer
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  usages:
  - digital signature
  - key encipherment
  - server auth

The certificate gets generated successfully and is stored in the upstream-tls secret.

Then, in my VirtualService:

apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: default
  namespace: gloo-system
spec:
  sslConfig:
    secretRef:
      name: upstream-tls
      namespace: gloo-system
  virtualHost:
    domains:
    - '*'
    routes:
    - matchers:
      - prefix: /
      delegateAction:
        selector:
          namespaces:
          - '*'

I have RouteTables after that. Using HTTP (removing the sslConfig stanza) works perfectly. However with sslConfig, trying to curl the endpoint gives me the following error:

/ # curl -kvvv https://172.31.0.2/
*   Trying 172.31.0.2:443...
* Connected to 172.31.0.2 (172.31.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=wss.upstream.com
*  start date: Sep  2 20:02:52 2021 GMT
*  expire date: Sep  1 20:02:52 2026 GMT
*  issuer: CN=ca.upstream.com
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fb901239a90)
* OpenSSL SSL_write: Broken pipe, errno 32
* Failed sending HTTP2 data
* Failed sending HTTP request
* Connection #0 to host 172.31.0.2 left intact
curl: (55) OpenSSL SSL_write: Broken pipe, errno 32

I also get a ERR_BAD_SSL_CLIENT_AUTH_CERT when trying with a web browser.

I cannot figure out what's wrong. The exact same process works in Istio. There is no time skew, certificate looks OK, ...

Anyone sees anything I missed?

[sirrapa]

Hi @ntx-ben Did you managed to fix this?
I'm encountering the same issue

[ntx-ben]

Unfortunately no, and I've since moved back to Istio.