2
votes

So, we're working on a migration to Istio for our clusters. Right now all our backend microservices talk over gRPC (grpc-node) with TLS enabled with our own certs. And it works great. However, whenever we bring the Istio sidecar into play we get this error:

9 ssl_transport_security.cc:1245] Handshake failed with fatal error SSL_ERROR_SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number.

Which means of course things don't connect and the services fail.

It makes me think that the Envoy proxy isn't handling our certs correctly and we should be using their mTLS configuration, but then I don't know how to supply those certs (or find them) to my gRPC clients/servers. Any ideas are welcome.

1
I think you can troubleshoot using the following link: istio.io/docs/tasks/security/mutual-tls. At first sight it looks like wrong SSL, but you need to verify first what the exact problem is: SSL, mutual TLS, or gRPC. - Shree Prakash
So let me double check my understanding: with mTLS systems I need to configure the mTLS in Istio? How do I get certs? Seems odd I would need to connect to the proxy first for my own mTLS connection. - LibertyBeta
"Istio automatically installs necessary keys and certificates for mutual TLS authentication in all sidecar containers" source:- istio.io/docs/tasks/security/mutual-tls - Shree Prakash
Could you provide information about where you are migrating your clusters from and to? Between clouds? - PjoterS
@ShreePrakash Those certs are for the sidecar, they aren't mounted to other running containers in the pod as far as I know. - LibertyBeta

1 Answer

2
votes

Hi, I encountered the same error while triggering an API created for Hyperledger Fabric image version 1.4.4. I had Node.js version 12+ installed on my system; once I downgraded Node.js to version 8.20, the issue seems to be resolved.