Are there any known gotchas for getting Envoy to work with Connect around TLS certificates? I am using Vault as the CA for Connect.
I have something that works completely fine for the builtin Connect proxy. I substitute Envoy and it doesn’t work at all.
Envoy reports things like this on the initiating side:
```
[2020-05-07 21:57:56.442][debug][filter] [external/envoy/source/common/tcp_proxy/tcp_proxy.cc:378] [C1] Creating connection to cluster echo.default.dc1.internal.234a8207-5a0c-1745-44e2-b23f21a15104.consul
[2020-05-07 21:57:56.443][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198][C2] handshake error: 1
[2020-05-07 21:57:56.443][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C2] TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2020-05-07 21:57:56.443][debug][connection][external/envoy/source/common/network/connection_impl.cc:192] [C2] closing socket: 0
```
… and things like this on the receiving side:
```
[2020-05-07 22:12:13.696][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C9] TLS error: 268436504:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA
```
… which really doesn’t tell me much other than something has gone horribly wrong at the TLS level.
Any ideas on where to go with this?
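Added example, not part of the original post: a small Python helper that pulls the `TLS error:` lines out of Envoy debug output, unpacks the BoringSSL error code (library number in the top byte, reason below it; reasons of 1000 and up are received TLS alerts, 1000 plus the alert's description byte) and states which side refused the certificate chain. The sample log is the post's own lines re-split one per line; the triage wording and the `TLS_ALERTS` subset are my own choices.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: the Envoy debug lines quoted in the post above, one entry per line.
SAMPLE_LOG = """\
[2020-05-07 21:57:56.443][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:198][C2] handshake error: 1
[2020-05-07 21:57:56.443][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C2] TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
[2020-05-07 22:12:13.696][debug][connection][external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:226] [C9] TLS error: 268436504:SSL routines:OPENSSL_internal:TLSV1_ALERT_UNKNOWN_CA
"""

# BoringSSL packs an error as (library << 24) | reason; library 16 is ERR_LIB_SSL. Reasons
# >= 1000 mean "received a TLS alert": 1000 + the alert's description byte.
SSL_AD_REASON_OFFSET = 1000
# Certificate-related alert descriptions (RFC 5246 sec. 7.2.2, RFC 8446 sec. 6.2).
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
              44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
              48: "unknown_ca", 49: "access_denied", 116: "certificate_required"}
TLS_ERR_RE = re.compile(r"\[(?P<conn>C\d+)\]\s*TLS error: (?P<code>\d+):(?P<text>.*)")

class TlsError(NamedTuple):
    conn: str
    code: int
    lib: int
    reason: int
    alert: Optional[str]   # alert name when the error is a received alert, else None
    text: str

def decode(conn: str, code: int, text: str) -> TlsError:
    lib, reason = code >> 24, code & 0xFFFFFF
    alert = TLS_ALERTS.get(reason - SSL_AD_REASON_OFFSET) if reason >= SSL_AD_REASON_OFFSET else None
    return TlsError(conn, code, lib, reason, alert, text.strip())

def parse_envoy_tls_errors(log: str) -> List[TlsError]:
    return [decode(m["conn"], int(m["code"]), m["text"]) for m in TLS_ERR_RE.finditer(log)]

def triage(errors: List[TlsError]) -> Dict[str, str]:
    """Per connection id, say which side refused the certificate chain."""
    verdicts: Dict[str, str] = {}
    for e in errors:
        if e.alert is not None:
            verdicts[e.conn] = f"peer sent alert {e.alert}: it rejected the chain this proxy presented"
        elif "CERTIFICATE_VERIFY_FAILED" in e.text:
            verdicts[e.conn] = "this proxy rejected the peer's chain: it does not lead to a trusted root"
        else:
            verdicts[e.conn] = f"other TLS error (lib {e.lib}, reason {e.reason})"
    return verdicts

if __name__ == "__main__":
    for conn, verdict in triage(parse_envoy_tls_errors(SAMPLE_LOG)).items():
        print(conn, verdict)
```

Read together, the two verdicts describe one failure: the initiating proxy could not chain the peer's leaf certificate to a root it trusts and answered with `unknown_ca`, which is what the receiving proxy then logged.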