istio virtual service with tls - Connection reset by peer
I got errors similar to the following when setting up my Istio clusters.
Mark bundle as not supporting multiuse
301 istio 301 or 404
error:02FFF036:system library:func(4095):Connection reset by peer

* Trying 20.190.14.28:443...
* TCP_NODELAY set
* Connected to kiali.example.com (20.190.14.28) port 443 (#0)
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /home/ng/anaconda3/ssl/cacert.pem
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: Connection reset by peer in connection to kiali.example.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to kiali.example.com:443
I tried to create a separate ingressGateway for different gateways, combine the gateways together, and combine the VirtualServices together. I always got the above errors. My Istio environment is:
client version: 1.13.4
control plane version: 1.13.4
data plane version: 1.13.4 (2 proxies)

Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.12", GitCommit:"696a9fdd2a58340e61e0d815c5769d266fca0802", GitTreeState:"clean", BuildDate:"2022-04-13T19:07:00Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.9-eks-a64ea69", GitCommit:"540410f9a2e24b7a2a870ebfacb3212744b5f878", GitTreeState:"clean", BuildDate:"2022-05-12T19:15:31Z", GoVersion:"go1.16.15", Compiler:"gc", Platform:"linux/amd64"}
The final solution is to delete the existing working gateways (GW0) and the non-working gateways (GW1s), then create the GW1s one by one, making sure every gateway works, and then apply the GW0s.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gw-test044c46fc
  namespace: prod
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - api.test044c46fc.com
      tls:
        httpsRedirect: true # sends 301 redirect for http requests
    - port:
        number: 443
        name: https-443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # TLS secret name; the secret must exist in the ingress gateway's namespace
        credentialName: cert.api.test044c46fc.com
      hosts:
        - api.test044c46fc.com
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: gw-demo044c46fc
  namespace: prod
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 80
        name: http
        protocol: HTTP
      hosts:
        - api.demo044c46fc.com
      tls:
        httpsRedirect: true # sends 301 redirect for http requests
    - port:
        number: 443
        name: https-443
        protocol: HTTPS
      tls:
        mode: SIMPLE
        # TLS secret name; the secret must exist in the ingress gateway's namespace
        credentialName: cert.api.demo044c46fc.com
      hosts:
        - api.demo044c46fc.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: de-api2
spec:
  # each host here has to match a host listed by a server of the bound Gateways
  hosts:
    - api.demo044c46fc.info
    - api.test044c46fc.info
  gateways:
    - gw-demo044c46fc
    - gw-test044c46fc
  http:
    - match:
        - uri:
            prefix: /
      route:
        - destination:
            port:
              number: 80
            host: api
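
Before re-applying the gateways one by one, the manifests can be checked offline for two binding mistakes: the same host claimed on the same port by more than one Gateway with the same selector, and VirtualService hosts that no bound Gateway lists. This is an added example, not code from the original post; `gw`, `host_matches` and `lint` are hypothetical helpers, namespaces are ignored for brevity, and the sample manifests are constructed, trimmed copies of the ones above.

```python
# Added example: offline lint for Istio Gateway / VirtualService host binding.
# MANIFESTS is constructed sample data, trimmed from the manifests on this page.
from collections import defaultdict

def gw(name, host, cred):
    """Build a minimal HTTPS Gateway manifest (hypothetical helper)."""
    return {"kind": "Gateway", "metadata": {"name": name, "namespace": "prod"},
            "spec": {"selector": {"istio": "ingressgateway"}, "servers": [
                {"port": {"number": 443, "protocol": "HTTPS"}, "hosts": [host],
                 "tls": {"mode": "SIMPLE", "credentialName": cred}}]}}

MANIFESTS = [
    gw("gw-test044c46fc", "api.test044c46fc.com", "cert.api.test044c46fc.com"),
    gw("gw-demo044c46fc", "api.demo044c46fc.com", "cert.api.demo044c46fc.com"),
    {"kind": "VirtualService", "metadata": {"name": "de-api2"},
     "spec": {"hosts": ["api.demo044c46fc.info", "api.test044c46fc.info"],
              "gateways": ["gw-demo044c46fc", "gw-test044c46fc"]}},
]

def host_matches(gw_host, vs_host):
    """Gateway host may be exact, '*' or '*.suffix', optionally 'ns/'-prefixed."""
    gw_host = gw_host.split("/")[-1]
    if gw_host in ("*", vs_host):
        return True
    return gw_host.startswith("*.") and vs_host.endswith(gw_host[1:])

def lint(manifests):
    """Return findings as tuples; gateways are looked up by name only."""
    findings = []
    gateways = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "Gateway"}
    claims = defaultdict(set)  # (selector, port, host) -> names of claiming gateways
    for name, g in gateways.items():
        sel = tuple(sorted(g["spec"]["selector"].items()))
        for s in g["spec"]["servers"]:
            for h in s["hosts"]:
                claims[(sel, s["port"]["number"], h)].add(name)
    for (_, port, host), names in claims.items():
        if len(names) > 1:
            findings.append(("duplicate-host", host, port, tuple(sorted(names))))
    for vs in (m for m in manifests if m["kind"] == "VirtualService"):
        bound = {n.split("/")[-1] for n in vs["spec"].get("gateways", [])}
        if not bound & gateways.keys():
            continue  # mesh-only, or bound to gateways outside this manifest set
        gw_hosts = [h for n in bound if n in gateways
                    for s in gateways[n]["spec"]["servers"] for h in s["hosts"]]
        for vh in vs["spec"]["hosts"]:
            if not any(host_matches(gh, vh) for gh in gw_hosts):
                findings.append(("vs-host-unbound", vs["metadata"]["name"], vh))
    return findings

if __name__ == "__main__":
    for finding in lint(MANIFESTS):
        print(finding)
```

On the sample it reports both `.info` hosts of `de-api2` as unbound, because the two Gateways only list the `.com` names.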