Hi,
I have a gRPC client (C# and Python) using client-side SSL which is terminated in an Istio ingress gateway (envoy) before reaching the service.
When using a genuine certificate from LetsEncrypt everything works fine.
However, when the ingress gateway is configured with a self signed SSL certificate, generated from a root CA which has been added to the trust store (keychain/cert-manager) on the client machine, the connection fails:
E1029 17:01:45.274918000 123145515409408 ssl_transport_security.cc:1229] Handshake failed with fatal error SSL_ERROR_SSL: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED.
Chrome/curl etc will connect to the http services behind the same ingress gateway without SSL warnings (given that the root CA certificate has been added to the trust store).
My question is: should gRPC also be using the trust store for client-side SSL? If so, any ideas what I might be doing wrong.
Thanks,
Mark