Envoy UpstreamTLSContext not sending client certificate


Christoph Bühler

Aug 15, 2022, 9:36:47 AM
to envoy-users
Hi Team!

I try to create an mTLS connection between two envoy instances.
I have an app that has the HTTPS_PROXY variable set to "envoy-app". Then envoy-app has a dynamic forward proxy that forwards the communication to "envoy-api", which in turn forwards the connection to "api".

When using mTLS now, the envoy-api instance will request the client certificate, but right now, envoy-app does not send it. Hence, the connection is terminated. I tried the configuration I found in the documentation, but until now, I was not able to perform the connection. When using only TLS (not mTLS), the connection gets established.

There is an open source repository with a full-fledged docker example, but not a detailed explanation yet.

The API uses the following config in the transport socket part of the listener:
          transport_socket:
            name: envoy.transport_sockets.tls
            typed_config:
              # "@type" added here so the fragment loads as a DownstreamTlsContext; it was not in the original snippet
              "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
              require_client_certificate: true
              common_tls_context:
                validation_context:
                  trusted_ca:
                    filename: /certs/chain.crt
                tls_certificates:
                  - certificate_chain:
                      filename: /certs/cert_with_ca.crt
                    private_key:
                      filename: /certs/cert.key

and the app envoy has the following cluster:
    - name: dynamic_forward_proxy_cluster
      lb_policy: CLUSTER_PROVIDED
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          # "@type" added here so the fragment loads as an UpstreamTlsContext; it was not in the original snippet
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            validation_context:
              trusted_ca:
                filename: /certs/chain.crt
            tls_certificates:
              - certificate_chain:
                  filename: /certs/cert_with_ca.crt
                private_key:
                  filename: /certs/cert.key


Thanks in advance for any hint on how I can manage to create an mTLS connection between the two.

Regards

Christoph Bühler

Aug 15, 2022, 9:37:47 AM
to envoy-users
Addition: the error message from envoy (debug connection logs):
TLS error: 268435648:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE
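The situation the two posts describe (a listener that requires a client certificate, a client that never presents one, and the resulting PEER_DID_NOT_RETURN_A_CERTIFICATE) can be reproduced outside Envoy with a few dozen lines of Go. The program below is an added example, not code from the post or from the Envoy project. It generates a throwaway CA, server and client certificate in memory, starts a TLS server that requires and verifies a client certificate (the same policy as `require_client_certificate: true` with a `trusted_ca`), and runs the handshake once without and once with a client certificate configured on the dialing side (the counterpart of `tls_certificates` in the UpstreamTlsContext). The names `envoy-api` and `envoy-app` are reused only as certificate names and are constructed for the demo; nothing here reads the poster's files.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// issueCert creates a short-lived certificate for cn, signed by parent/parentKey
// (self-signed when parent is nil). Key material stays in memory; a failure here is fatal.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return cert, key
}

// mtlsHandshake starts a listener that requires and verifies a client certificate, dials it
// once and returns nil only when the server accepted the client and the client read the reply.
func mtlsHandshake(sendClientCert bool) error {
	ca, caKey := issueCert("demo-ca", true, nil, nil)
	srvCert, srvKey := issueCert("envoy-api", false, ca, caKey) // constructed name, mirrors the post
	cliCert, cliKey := issueCert("envoy-app", false, ca, caKey) // constructed name, mirrors the post
	pool := x509.NewCertPool()
	pool.AddCert(ca) // plays the role of trusted_ca on both sides
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // require_client_certificate: true
		ClientCAs:    pool,
	})
	if err != nil {
		return err
	}
	srvResult := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvResult <- err
			return
		}
		defer c.Close()
		if err := c.(*tls.Conn).Handshake(); err != nil {
			srvResult <- err // e.g. "tls: client didn't provide a certificate"
			return
		}
		_, err = c.Write([]byte("ok"))
		srvResult <- err
	}()
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "envoy-api"}
	if sendClientCert {
		// Counterpart of tls_certificates in the UpstreamTlsContext; without it the
		// client answers the server's CertificateRequest with an empty certificate.
		cliCfg.Certificates = []tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err == nil {
		// Under TLS 1.3 the client finishes its side of the handshake before the server
		// has checked the client certificate, so a rejection only surfaces on read.
		_, err = io.ReadFull(conn, make([]byte, 2))
		conn.Close()
	}
	ln.Close()
	if srvErr := <-srvResult; srvErr != nil {
		return srvErr
	}
	return err
}

func main() {
	fmt.Println("without client certificate:", mtlsHandshake(false))
	fmt.Println("with client certificate:   ", mtlsHandshake(true))
}
```

Running it prints a rejection for the first handshake and `<nil>` for the second. The server-side error is the Go equivalent of the OpenSSL message in the post: the listener asked for a certificate and the peer answered with none. The TLS 1.3 note in the code matters when diagnosing this with client-side logs alone, because the client may report a completed handshake and only fail on the first read.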