TLS handshake failed when enabling mutual TLS #7844

Closed
hpcsc opened this issue Aug 13, 2018 · 5 comments
hpcsc commented Aug 13, 2018

Describe the bug

  • I followed the quick start guide to install Istio with default mutual TLS authentication enabled
  • created MeshPolicy and DestinationRule resources to enable mutual TLS at mesh level:

    ---
    apiVersion: "authentication.istio.io/v1alpha1"
    kind: MeshPolicy
    metadata:
      name: default
      namespace: istio-system
    spec:
      peers:
      - mtls: {}

    ---
    apiVersion: "networking.istio.io/v1alpha3"
    kind: DestinationRule
    metadata:
      name: default
      namespace: istio-system
    spec:
      host: "*.local"
      trafficPolicy:
        tls:
          mode: ISTIO_MUTUAL

  • Created 2 deployments internet and intranet (together with their virtual services)

  • When I check the TLS status using istioctl, everything seems to be ok:
    [screenshot]

  • However when I try to curl intranet service from internet service through istio-proxy, it returns a handshake failed error like below:
    [screenshot]

  • If I follow the instruction at https://istio.io/docs/tasks/security/mutual-tls/ to deploy sleep and httpbin in the same namespace, I can curl successfully:
    [screenshot]

  • Not sure what I did wrong. Without TLS enabled, everything is working fine

Expected behavior

Able to curl from one container to another

Steps to reproduce the bug

See above

Version

Istio

Version: 1.0.0
GitRevision: 3a136c90ec5e308f236e0d7ebb5c4c5e405217f4
User: root@71a9470ea93c
Hub: gcr.io/istio-release
GolangVersion: go1.10.1
BuildStatus: Clean

Kubectl

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.8", GitCommit:"c138b85178156011dc934c2c9f4837476876fb07", GitTreeState:"clean", BuildDate:"2018-05-21T18:53:18Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}

Is Istio Auth enabled or not?

Installed using option 2 from quick start: Install Istio with default mutual TLS authentication

Environment

Kubernetes deployed on AWS using kops

stale bot commented Nov 11, 2018

This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

wattli (Contributor) commented Nov 13, 2018

One thing you can try is to deploy internet/intranet in the default namespace, which should work. And if it does work, it's the meshPolicy/DestinationRule setup issue.

Suggested steps:

  1. Create Istio with mTLS disabled, since step 2 will actually enable mTLS
  2. Create global MeshPolicy/DestinationRule, link: https://istio.io/docs/tasks/security/authn-policy/#globally-enabling-istio-mutual-tls
  3. Redeploy your services.

wattli (Contributor) commented Nov 13, 2018
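The client/server consistency check that `istioctl authn tls-check` performs, as an added example (not Istio's code, and simplified): it takes the reporter's MeshPolicy and DestinationRule as already-parsed dicts (constructed here; a real run would load them with kubectl) and reports OK or CONFLICT for a destination. The precedence rules assumed are: a Policy naming the service beats a namespace Policy beats the MeshPolicy, and the longest matching DestinationRule host pattern wins with no merging.

```python
import fnmatch

# Constructed from the MeshPolicy / DestinationRule YAML in the report, already parsed.
MESH_POLICY = {"kind": "MeshPolicy", "metadata": {"name": "default"},
               "spec": {"peers": [{"mtls": {}}]}}
GLOBAL_RULE = {"kind": "DestinationRule",
               "metadata": {"name": "default", "namespace": "istio-system"},
               "spec": {"host": "*.local",
                        "trafficPolicy": {"tls": {"mode": "ISTIO_MUTUAL"}}}}

def server_mode(service, namespace, policies):
    """mTLS the server sidecar expects: STRICT, PERMISSIVE or DISABLE (most specific policy wins)."""
    best, best_rank = None, -1
    for pol in policies:
        spec, meta = pol.get("spec", {}), pol.get("metadata", {})
        if pol["kind"] == "MeshPolicy":
            rank = 0
        elif meta.get("namespace") != namespace:
            continue
        elif not spec.get("targets"):
            rank = 1                            # namespace-wide Policy
        elif any(t.get("name") == service for t in spec["targets"]):
            rank = 2                            # Policy targeting this service
        else:
            continue
        if rank > best_rank:
            best, best_rank = spec, rank
    for peer in (best or {}).get("peers", []):
        if "mtls" in peer:                      # `mtls: {}` means STRICT
            return (peer["mtls"] or {}).get("mode", "STRICT")
    return "DISABLE"                            # no policy, or empty `peers`

def client_mode(host, rules):
    """TLS the client sidecar sends: mode of the most specific matching DestinationRule."""
    best, best_len = "DISABLE", -1
    for rule in rules:
        pattern = rule["spec"]["host"]
        if fnmatch.fnmatch(host, pattern) and len(pattern) > best_len:
            tls = rule["spec"].get("trafficPolicy", {}).get("tls", {})
            best, best_len = tls.get("mode", "DISABLE"), len(pattern)
    return best

def tls_check(service, namespace, policies, rules):
    """OK when both sides agree, CONFLICT otherwise (PERMISSIVE accepts either)."""
    host = f"{service}.{namespace}.svc.cluster.local"
    srv, cli = server_mode(service, namespace, policies), client_mode(host, rules)
    if srv == "PERMISSIVE":
        return "OK"
    return "OK" if (srv == "STRICT") == (cli == "ISTIO_MUTUAL") else "CONFLICT"
```

With the report's two resources alone the check says OK for intranet, which matches the screenshot; a namespace Policy that drops mTLS, or a per-host DestinationRule with `mode: DISABLE`, is what turns it into CONFLICT.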

Please feel free to assign back to me if the problem still exists.

stale bot commented Feb 11, 2019

This issue has been automatically marked as stale because it has not had activity in the last 90 days. It will be closed in the next 30 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

stale bot commented Mar 13, 2019

This issue has been automatically closed because it has not had activity in the last month and a half. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.
