Istio egressgateway 16.1 TLS_error:_33554536:system_library:OPENSSL_internal:Connection_reset_by_peer #43540
Comments
Turned on debug but cannot see an obvious error. jsonPayload: { If I exec into the egressgateway and curl the site (`curl -vvI https://dev.example.com`) it gets all the TLS information OK.
Looking in the trace logs, the only thing I see wrong is
In the previous version we were using the nginx SNI proxy to forward on the HTTPS requests. I did turn on trace and posted the message above and other errors; the API gateway is using a wildcard cert from Let's Encrypt. If I run commands within the container of the egressgateway I can connect to the host on port 443.
So I managed to fix it by looking at issue #32907: I had to add the SNI at the end.
Why some of the destination rules worked and this one didn't, I'm not sure.
In my case, it's caused by ECDSA certificates; P-384 was not supported by Envoy by default.
@liykfrank thanks, and you didn't hit the "only p256" exception that seems to be in the code (envoyproxy/envoy#10855 (comment))?
Bug Description
I followed this example
https://istio.io/latest/docs/tasks/traffic-management/egress/egress-gateway-tls-origination/
Everything works as expected; however, for one of the 3rd-party API servers I connect to through the egress gateway I get the following error:
"upstream_transport_failure_reason":"TLS_error:_33554536:system_library:OPENSSL_internal:Connection_reset_by_peer",
almost the same as issue #39077.
The server in question I had previous issues with as well when using this config:
previous egress gateway setup with nginx SNI proxy
I had the following options for the nginx SNI proxy to make it work with the 3rd-party API gateway:
However, since switching to the preferred method it stopped working again.
Version
Additional Information
No response
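As an added example (not from the issue thread, the reporter, or the Istio docs), this is the shape of the DestinationRule change the reporter describes as the fix: the TLS-origination rule from the linked egress task with `sni` set explicitly in the port-level TLS settings. The host is taken from the reporter's curl command; the rule name and namespace are assumptions.

```yaml
# Added example, not code from the issue or from Istio. Name and namespace are assumed.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: originate-tls-for-dev-example-com
  namespace: istio-system            # assumed: namespace where the egress gateway runs
spec:
  host: dev.example.com
  trafficPolicy:
    portLevelSettings:
    - port:
        number: 443
      tls:
        # Originate a plain one-way TLS session from the egress gateway to the upstream.
        mode: SIMPLE
        # Explicit server name for the ClientHello. A front end that requires SNI to pick
        # a certificate (a wildcard cert behind an API gateway, as in this thread) can
        # reset the handshake when no matching server name is presented.
        sni: dev.example.com
```

To confirm the upstream actually requires SNI before changing the rule, compare `openssl s_client -connect dev.example.com:443 -servername dev.example.com` with the same command without `-servername`: a reset in the second case and a completed handshake in the first points at SNI. Piping the first command's output through `openssl x509 -noout -text` also shows the certificate's public key algorithm and curve, which is the check to make for the ECDSA P-384 case raised later in the thread.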