Istio Sidecar proxy fails to start due to Invalid path on certs mTLS
There are a number of reasons that can cause the error you have. It would be best to check if the certificate is actually there and if it's valid.
According to the Istio documentation, you can verify keys and certificates:
Verify keys and certificates installation

Istio automatically installs the necessary keys and certificates for mutual TLS authentication in all sidecar containers. Run the command below to confirm that the key and certificate files exist under /etc/certs:

$ kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items..metadata.name}) -c istio-proxy -- ls /etc/certs
cert-chain.pem key.pem root-cert.pem

cert-chain.pem is Envoy's cert that needs to be presented to the other side. key.pem is Envoy's private key paired with Envoy's cert in cert-chain.pem. root-cert.pem is the root cert used to verify the peer's cert. In this example, we only have one Citadel in the cluster, so all Envoys have the same root-cert.pem.

Use the openssl tool to check if the certificate is valid (the current time should be between Not Before and Not After):

$ kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items..metadata.name}) -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout | grep Validity -A 2
Validity
    Not Before: May 17 23:02:11 2018 GMT
    Not After : Aug 15 23:02:11 2018 GMT

You can also check the identity of the client certificate:

$ kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items..metadata.name}) -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout | grep 'Subject Alternative Name' -A 1
X509v3 Subject Alternative Name:
    URI:spiffe://cluster.local/ns/default/sa/default
Please check Istio identity for more information about service identity in Istio.
Hope it helps.
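Added example, not code from the answer above or from the Istio documentation: a POSIX shell script that runs the same three checks against certificate files on disk (all three files present, certificate inside its Not Before / Not After window and chaining to root-cert.pem, SPIFFE identity taken from the URI SAN). It generates a constructed self-signed certificate with a SPIFFE URI SAN as a stand-in for /etc/certs/cert-chain.pem, and assumes the openssl CLI (1.1.1 or newer, for -addext) is installed. Against a real pod you would first copy the files out of the istio-proxy container with kubectl exec ... cat and point the functions at that directory.

```shell
#!/bin/sh
# Added example: offline checks for an Istio sidecar certificate. Not code from
# the answer or the Istio docs. Assumes the openssl CLI (1.1.1+ for -addext).
set -e

WORKDIR=$(mktemp -d)
CERT="$WORKDIR/cert-chain.pem"
KEY="$WORKDIR/key.pem"
ROOT="$WORKDIR/root-cert.pem"

# Constructed stand-in for the files under /etc/certs: a self-signed cert with a
# SPIFFE URI SAN, valid for one day. For a real pod, copy the files out first:
#   kubectl exec <pod> -c istio-proxy -- cat /etc/certs/cert-chain.pem > cert-chain.pem
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=constructed-example" \
  -addext "subjectAltName=URI:spiffe://cluster.local/ns/default/sa/default" \
  -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
cp "$CERT" "$ROOT"   # self-signed, so the cert is its own root

# Check 1: the three files the docs list exist and are non-empty.
certs_present() {
  dir=$1
  missing=0
  for f in cert-chain.pem key.pem root-cert.pem; do
    [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; missing=1; }
  done
  return $missing
}

# Check 2a: not past Not After. -checkend 0 exits non-zero once the cert has expired.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Check 2b: the chain verifies against root-cert.pem. openssl verify also
# enforces both Not Before and Not After against the current time, failing with
# "certificate is not yet valid" or "certificate has expired".
cert_chain_valid() {
  root=$1
  cert=$2
  openssl verify -CAfile "$root" -untrusted "$cert" "$cert" >/dev/null 2>&1
}

# Check 3: the SPIFFE identity, i.e. the first URI SAN in the certificate.
spiffe_id() {
  openssl x509 -in "$1" -noout -text | grep -o 'URI:spiffe://[^ ,]*' | head -n 1 | sed 's/^URI://'
}

# Stand-alone run: prints a verdict for the constructed files.
certs_present "$WORKDIR" && echo "all cert files present"
cert_not_expired "$CERT" && echo "certificate not expired"
cert_chain_valid "$ROOT" "$CERT" && echo "chain verifies against root-cert.pem"
echo "identity: $(spiffe_id "$CERT")"
```

The chain check is the one that matters most for the "invalid path on certs" class of failure: a missing file shows up in check 1, while an expired or not-yet-valid certificate (for example after a clock skew between Citadel and the node) shows up in check 2b even when the file itself is present. The identity printed by check 3 should match the Kubernetes service account the pod runs as.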