
Istio Sidecar proxy fails to start due to Invalid path on certs mTLS


There are a number of reasons that can cause the error you have. It would be best to check if the certificate is actually there and if it's valid.

According to the Istio documentation, you can verify keys and certificates:

Verify keys and certificates installation

Istio automatically installs the necessary keys and certificates for mutual TLS authentication in all sidecar containers. Run the command below to confirm the key and certificate files exist under /etc/certs:

$ kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items..metadata.name}) -c istio-proxy -- ls /etc/certs
cert-chain.pem
key.pem
root-cert.pem

cert-chain.pem is Envoy’s cert that needs to be presented to the other side. key.pem is Envoy’s private key paired with Envoy’s cert in cert-chain.pem. root-cert.pem is the root cert to verify the peer’s cert. In this example, we only have one Citadel in a cluster, so all Envoys have the same root-cert.pem.

Use the openssl tool to check if the certificate is valid (the current time should be between Not Before and Not After):

$ kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items..metadata.name}) -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout | grep Validity -A 2
        Validity
            Not Before: May 17 23:02:11 2018 GMT
            Not After : Aug 15 23:02:11 2018 GMT

You can also check the identity of the client certificate:

$ kubectl exec $(kubectl get pod -l app=httpbin -o jsonpath={.items..metadata.name}) -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout | grep 'Subject Alternative Name' -A 1
            X509v3 Subject Alternative Name:
                URI:spiffe://cluster.local/ns/default/sa/default

Please check the Istio identity documentation for more information about service identity in Istio.

Hope it helps.
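As an added example (my own code, not from the answer above or from the Istio docs), the following Python turns the two manual checks into one function: it parses the Validity window and the SPIFFE URI out of `openssl x509 -text -noout` output and reports whether the cert is inside its validity window and carries the expected namespace/service-account identity. The sample text is constructed from the values shown on this page, and the function and parameter names are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the shape of `openssl x509 -text -noout` output, using the
# values shown on this page. In practice pipe in the real output, e.g.:
#   kubectl exec <pod> -c istio-proxy -- cat /etc/certs/cert-chain.pem | openssl x509 -text -noout
SAMPLE_OPENSSL_TEXT = """\
        Validity
            Not Before: May 17 23:02:11 2018 GMT
            Not After : Aug 15 23:02:11 2018 GMT
            X509v3 Subject Alternative Name:
                URI:spiffe://cluster.local/ns/default/sa/default
"""
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "May 17 23:02:11 2018 GMT"


def parse_validity(text):
    """Return (not_before, not_after) as UTC datetimes from the Validity block."""
    before = re.search(r"Not Before\s*:\s*(.+?)\s*$", text, re.M).group(1)
    after = re.search(r"Not After\s*:\s*(.+?)\s*$", text, re.M).group(1)
    to_utc = lambda s: datetime.strptime(s, _OPENSSL_DATE).replace(tzinfo=timezone.utc)
    return to_utc(before), to_utc(after)


def parse_spiffe_ids(text):
    """Return [(trust_domain, namespace, service_account), ...] from SAN URIs."""
    ids = []
    for uri in re.findall(r"URI:(spiffe://\S+)", text):
        m = re.fullmatch(r"spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)", uri)
        if m:
            ids.append(m.groups())
    return ids


def check_sidecar_cert(text, now_iso=None, expect_ns=None, expect_sa=None):
    """Return a list of problems (an empty list means the cert passes both checks).
    now_iso: ISO 8601 time with a UTC offset (default: current time);
    expect_ns/expect_sa: namespace and service account the SPIFFE ID must match."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    not_before, not_after = parse_validity(text)
    problems = []
    if now < not_before:
        problems.append("not yet valid: Not Before is in the future")
    if now > not_after:
        problems.append("expired: Not After is in the past")
    ids = parse_spiffe_ids(text)
    if not ids:
        problems.append("no SPIFFE URI in Subject Alternative Name")
    elif expect_ns and expect_sa and (expect_ns, expect_sa) not in [(ns, sa) for _, ns, sa in ids]:
        problems.append(f"identity mismatch: want ns/{expect_ns}/sa/{expect_sa}, got {ids}")
    return problems
```

Running it against the sample with a date inside the window and the default/default identity returns an empty list; an expired cert, a missing SAN, or a cert issued for another service account each show up as a named problem.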