-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Certificates for double proxy (mTLS) #26228
Comments
cc @phlax @ggreenway |
re the docs - i would be more than happy to review a PR to clarify how the certs are used to give some context - the Dockerfile where the certs are loaded is here https://github.com/envoyproxy/envoy/blob/main/examples/shared/envoy/Dockerfile#L49 it may be helpful to add some comment in the compose file about looking there for how the certs are used you need to look in the envoy frontend/backend yaml files the sandbox is pretty focused on explaining how to setup and use the certs so would be good if we can make this clearer |
I followed the guide and setup the certs accordingly. It looks like Envoy is not terminating the TLS connection and is forwarding it to the actual backend, resulting in
Here's the TLS part of my envoy config for the server - transport_socket:
name: envoy.transport_sockets.tls
typed_config:
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
require_client_certificate: true
common_tls_context:
tls_certificates:
- certificate_chain:
filename: /certs/servercert.pem
private_key:
filename: /certs/serverkey.pem
tls_params:
tls_minimum_protocol_version: TLSv1_2
tls_maximum_protocol_version: TLSv1_3
validation_context:
match_typed_subject_alt_names:
- san_type: DNS
matcher:
exact: ip-10-0-101-118.ap-south-1.compute.internal
trusted_ca:
filename: /certs/cacert.pem |
hmm - you may be right - this needs to set TLS termination in the "frontend" envoy that would break using postgres i think (not 100% sure) so it would also require changing what was used as a backend definitely open to a PR to update this - otherwise i will look further when i have time |
Title: Certificates for double proxy (mTLS)
Description:
The envoy docs has an example of running double proxy using Envoy for postgres. However, the docs does not cover which certificate is to be used where. The guide generates 2 certificates with the same key. The docker-compose file in the repo refers to the certificates in a different name, making it not clear on which certificate to use on which machine(container).
A section to clarify that in the guide would be helpful.
I am following the same guide and have generated certificates for AWS EC2's internal DNS name. However I get the error
TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
on the client side andTLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
on the server side.Server Envoy TLS config section -
Client Envoy TLS config section -
[optional Relevant Links:]
https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/double-proxy
The text was updated successfully, but these errors were encountered: