
Istio defaults to SNI when using an SAN certificate for ingressgateway #18223

Closed
ku-s-h opened this issue Oct 23, 2019 · 3 comments

Comments


ku-s-h commented Oct 23, 2019

Bug description
We have migrated our legacy application to Kubernetes, where it uses istio-ingressgateway for TLS termination and routing. For the sake of backwards compatibility we went with a SAN certificate for istio-ingressgateway. After this we are seeing issues from our clients where requests to our domains fail during the SSL handshake even though the domain name requested is the same as the CN on the certificate. Passing SNI info (servername) resolves this issue for them, indicating that the gateway is expecting SNI info from the client.

Is it possible to not use SNI and pass the same certificate for each domain?

Gateway config:

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
  namespace: blank
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https-a
      protocol: HTTPS
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_3
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "a.com"
  - port:
      number: 443
      name: https-b
      protocol: HTTPS
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_3
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "b.com"
  - port:
      number: 443
      name: https-c
      protocol: HTTPS
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_3
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "c.com"
```

Expected behavior
Return the same certificate for each host

Steps to reproduce the bug
Pass SAN certificate to ingressgateway

Version (include the output of `istioctl version --remote` and `kubectl version`)
Istio version - 1.2.2
Kubernetes version - v1.13.7-gke.24

How was Istio installed?
Deployment yaml

Environment where bug was observed (cloud vendor, OS, etc)
GKE

@rshriram (Member)

Try having a single server with `*` as the host. But in the virtual service, you can have specific hosts.


boazjohn commented Oct 30, 2019

@rshriram This works! Is this documented somewhere?

@rshriram (Member)

I think in the examples. But if you want to add it to the FAQ or operations manual, that would be welcome.
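The single-server layout rshriram suggests above, written out as an added example (not config from the issue or from the Istio project): one HTTPS server on 443 with `hosts: "*"` presents the shared SAN certificate to every client, whether or not the ClientHello carries SNI, while a VirtualService per domain keeps the routing host-specific. The namespace, certificate paths and TLS settings are taken from the reporter's config; the backend service name and port are assumed.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: gateway
  namespace: blank
spec:
  selector:
    istio: ingressgateway
  servers:
  # A single server on 443: no per-host server entries, so the gateway does not
  # need SNI from the client to decide which certificate to present.
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2
      maxProtocolVersion: TLSV1_3
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
    hosts:
    - "*"
---
# Host-specific routing moves into a VirtualService; repeat this object for
# b.com and c.com with their own destinations.
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: a-com
  namespace: blank
spec:
  hosts:
  - "a.com"
  gateways:
  - gateway
  http:
  - route:
    - destination:
        host: a-svc        # assumed backend Service name
        port:
          number: 8080     # assumed backend port
```

To confirm the change from the client side, `openssl s_client -connect <gateway-ip>:443` with no `-servername` should now complete the handshake and show the same certificate as a run with `-servername a.com`.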
