Error when using TLS min version 1.3 with Envoy Proxy
Hello,
I'm trying to update my service mesh (Consul with Envoy) on my cluster to use a TLS minimum version of 1.3, up from the current minimum of 1.2.
- Consul Version: 1.16.6
- Envoy Version: 1.26.8
I confirmed that both the Consul server and the Consul agent are correctly configured with a minimum TLS version of 1.3, but the Envoy proxy I run as a sidecar for my services reports an unhealthy status with the following log entry:
DeltaAggregatedResources gRPC config stream to local_agent closed since 97s ago: 14, upstream connect error or disconnect/reset before headers. reset reason: connection failure, transport failure reason: TLS error: 268436526:SSL routines:OPENSSL_internal:TLSV1_ALERT_PROTOCOL_VERSION
Consul Agent Configuration:
{
"acl": {
"enabled": true,
"down_policy": "async-cache",
"default_policy": "deny",
"tokens": {
"default": ""
}
},
"enable_central_service_config": false,
"datacenter": "",
"encrypt": "",
"encrypt_verify_incoming": true,
"encrypt_verify_outgoing": true,
"server": false,
"log_level": "INFO",
"advertise_addr": "",
"bind_addr": "0.0.0.0",
"client_addr": "0.0.0.0",
"data_dir": "/consul/data",
"retry_join": [
""
],
"auto_encrypt": {
"tls": true,
"ip_san": [
""
]
},
"tls": {
"defaults": {
"ca_file": "/consul/ca.pem",
"verify_outgoing": true,
"verify_incoming": false,
"tls_min_version": "TLSv1_3"
},
"internal_rpc": {
"verify_server_hostname": true
}
},
"leave_on_terminate": true,
"ports": {
"https": 8501,
"http": -1,
"grpc": 8502,
"grpc_tls": 8503
},
"domain": "consul",
"node_meta": {
"env": "",
"version": ""
}
}
Envoy Service Configuration:
{
"service": {
"name": "",
"id": "",
"token": "",
"address": "",
"port": 0,
"meta": {
"env": "",
"version": ""
},
"check": {
"deregister_critical_service_after": "30m",
"http": "",
"method": "GET",
"interval": "",
"timeout": ""
},
"connect": {
"sidecar_service": {
"port": 21000,
"checks": [
{
"name": "Connect Envoy Sidecar",
"tcp": "",
"interval": "10s"
},
{
"id": "",
"alias_service": ""
}
],
"proxy": {
"config": {
"envoy_stats_bind_addr": "0.0.0.0:19001",
"envoy_tracing_json": "{\"http\":{\"name\":\"envoy.tracers.datadog\",\"typedConfig\":{\"@type\":\"type.googleapis.com/envoy.config.trace.v3.DatadogConfig\",\"collector_cluster\":\"datadog_8126\",\"service_name\":\"%NAME%\"}}}",
"envoy_extra_static_clusters_json": "{\"connect_timeout\":\"3.000s\",\"dns_lookup_family\":\"V4_ONLY\",\"lb_policy\":\"ROUND_ROBIN\",\"load_assignment\":{\"cluster_name\":\"datadog_8126\",\"endpoints\":[{\"lb_endpoints\":[{\"endpoint\":{\"address\":{\"socket_address\":{\"address\":\"%ADDRESS%\",\"port_value\":8126,\"protocol\":\"TCP\"}}}}]}]},\"name\":\"datadog_8126\",\"type\":\"STRICT_DNS\"}"
},
"upstreams": []
}
}
}
}
}
Can I get some help on this issue, please? Did anyone go through the same? 🙏
Kind Regards,
Joel Vaz