connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: CERTIFICATE_VERIFY_FAILED #17484
Comments
found in appservice-ext-node1-v1-k8se-app-controller-85cb587976-nwr6h I think that would be the core
So I'd declare the logging issue as a Bug - the logs should be clear, that the endpoint is active but not functional...
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.
This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.
@sirkubax have you come to a solution? i am facing the same issue.
Service inactive (conn_reset) due to certificate issue
via
https://www.envoyproxy.io/docs/envoy/latest/configuration/security/secret#config-secret-discovery-service
Logs:
![image](https://user-images.githubusercontent.com/3442120/126951253-d900c5bf-2ee2-42c6-99fe-ff196178b964.png)
Description:
I'm running the Kubernetes Cluster as a 'Compute platform' for the Azure Arc enabled Kubernetes, so I can run microservices and functions in that endpoint.
I simulate 'on-premise' Kubernetes, meaning it is a VM (in Azure) where the k3s is running.
All works fine (slow but fine), until I reset the cluster (tried with microk8s too).
Looks like the envoy is failing to refresh the certificate, and puts the endpoint into reset state.
Please make this issue more visible
Based on my observation, even with the debug logs, this message about the failure to refresh the certificate is printed only once, after the k3s cluster is restarted, and it happens 5-15 seconds after envoy starts (so I restart k3s, envoy starts, I think it is serving my website correctly, then a few seconds later it refreshes the cert and gives conn_reset). It is a problem, because I did not see this OPENSSL_internal error on the consecutive restarts!!!!!!!!! meaning if you are not lucky enough to spot it the first time, you are done.
The next time you try to access the website, you would get
no matching filter chain found
That is misleading, as to my understanding there is actually no active endpoint. I spent almost a week finding this very line (well, there were other issues), so the fact that the issue with the certificate is hidden and the logs indicate a filter problem I would consider a bug :/
Please suggest some solution.
I still did not find which certificate is failing; the ones I've tested with openssl verify match.
Repro steps:
![image](https://user-images.githubusercontent.com/3442120/126954454-a9d25613-7fe2-49d7-b1f6-e34376103f8d.png)
Env created following the docs (would share install script):
https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/quickstart-connect-cluster?tabs=azure-cli
https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/custom-locations#create-custom-location
https://docs.microsoft.com/en-us/azure/app-service/manage-create-arc-environment#install-the-app-service-extension
https://docs.microsoft.com/en-us/azure/azure-functions/create-first-function-arc-cli?tabs=csharp%2Cbrowser#create-storage-account
Installation script: https://pastebin.com/igCc5KwR
You should see:
Admin and Stats Output:
config dump before restart (still working)
https://pastebin.com/3rviGyAD
config dump after restart (NOT working)
https://pastebin.com/vRTwQ9P4
Clusters working
https://pastebin.com/Fcfscex4
Clusters not working
https://pastebin.com/1cudjUim
Config:
When the endpoint is failing, the user gets conn_reset
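As an added example (not from the issue and not Envoy's own code): a small log triage script that surfaces the one-off SDS certificate failure described above behind the later "no matching filter chain found" / connection-reset messages. The sample log lines are constructed from the messages quoted in the issue; the bracketed Envoy log layout is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log modelled on the messages quoted in the issue; the
# [time][pid][level][component] layout is an assumption, not copied from Envoy.
SAMPLE_LOG = """\
[2021-07-26T10:00:01.000Z][1][info][main] envoy starting
[2021-07-26T10:00:12.100Z][1][warning][config] sds: TLS error: OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2021-07-26T10:00:12.200Z][1][debug][connection] reset reason: connection failure, transport failure reason: TLS error: CERTIFICATE_VERIFY_FAILED
[2021-07-26T10:05:30.000Z][1][debug][filter] closing connection: no matching filter chain found
[2021-07-26T10:06:02.000Z][1][debug][filter] closing connection: no matching filter chain found
"""

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[\d+\]\[(?P<level>\w+)\]\[(?P<comp>[^\]]+)\] (?P<msg>.*)$")
ROOT_CAUSE = ("CERTIFICATE_VERIFY_FAILED", "OPENSSL_internal")   # the real problem
SYMPTOM = ("no matching filter chain found", "connection failure")  # misleading follow-ups


@dataclass
class Triage:
    first_tls_failure: Optional[str] = None          # timestamp of the first cert failure
    tls_failure_count: int = 0                       # how often it was actually logged
    symptoms_after: List[str] = field(default_factory=list)  # timestamps of later symptoms

    def verdict(self) -> str:
        if self.first_tls_failure is None:
            return "no TLS failure seen"
        if not self.symptoms_after:
            return f"TLS failure at {self.first_tls_failure}, no later symptoms"
        return (f"TLS failure at {self.first_tls_failure} (logged {self.tls_failure_count}x) "
                f"hidden behind {len(self.symptoms_after)} later filter-chain/reset errors")


def triage(log_text: str) -> Triage:
    """Correlate the rarely logged TLS/SDS failure with every later misleading error."""
    result = Triage()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if any(k in msg for k in ROOT_CAUSE):
            result.tls_failure_count += 1
            result.first_tls_failure = result.first_tls_failure or m.group("ts")
        elif result.first_tls_failure is not None and any(k in msg for k in SYMPTOM):
            result.symptoms_after.append(m.group("ts"))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG).verdict())
```

Run it over a real `envoy` log captured at debug level to see whether the filter-chain errors are preceded by a single certificate failure.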