
Problem calling https://httpbin.org via Service Mesh egress gateways on GKE clusters

Hi all,

I did deploy istio-egress according to the documentation:  

When I used the curl command to make a call to https://httpbin.org, the following happened:
There will be times when the response returns 200 and an error: curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to httpbin.org:443
These are the outputs when I execute curl from an ubuntu workload going through istio-egressgateway:

root@ubuntu-infra-85fd97fbf-gwq42:/# curl -I https://httpbin.org
HTTP/2 200
date: Tue, 20 Aug 2024 14:16:00 GMT
content-type: text/html; charset=utf-8
content-length: 9593
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true

root@ubuntu-infra-85fd97fbf-gwq42:/# curl -I https://httpbin.org
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to httpbin.org:443
root@ubuntu-infra-85fd97fbf-gwq42:/# curl -I https://httpbin.org
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to httpbin.org:443
root@ubuntu-infra-85fd97fbf-gwq42:/# curl -I https://httpbin.org
HTTP/2 200
date: Tue, 20 Aug 2024 14:35:40 GMT
content-type: text/html; charset=utf-8
content-length: 9593
server: gunicorn/19.9.0
access-control-allow-origin: *
access-control-allow-credentials: true

root@ubuntu-infra-85fd97fbf-gwq42:/#

 

 

 
 

Hi @TrungDinh,

The curl error that you are encountering is related to the SSL/TLS handshake; it could be certificates (file formats, paths, permissions), passwords, and others.

Here are some recommendations that you can try and check on your end:

  • To see what’s happening during the handshake, use this command:

curl -v https://<HostAlias>:<port number>

  • To inspect the server's certificate:

openssl s_client -showcerts -connect <HostAlias>:8443

And lastly, revisit your configuration of the egress gateway, virtual services, and destination rule; you might have misconfigured it.

  • To check if there’s an error in the Istio configuration:

${ISTIOCTL} analyze -n istio-egress --revision REVISION

Note: replace the word REVISION with the REVISION version of your configuration.

I hope the above information is helpful.
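
Because the failure in the question is intermittent, repeating the curl check and tallying the exit codes per peer address shows whether the exit-35 errors follow one address or occur on all of them. This is an added example, not part of the original post or reply; `probe_tls`, `summarize_probes`, `sample_probe_lines` and the sample result lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; probe_tls, summarize_probes and sample_probe_lines are
# hypothetical helper names, not part of curl or Istio.

# probe_tls URL [COUNT]: one line per attempt, "<curl_exit> <http_code> <remote_ip>".
probe_tls() {
    url=$1; count=${2:-20}; i=0
    while [ "$i" -lt "$count" ]; do
        # -w reports the HTTP status and the peer address curl connected to
        out=$(curl -s -o /dev/null -I --max-time 10 \
                   -w '%{http_code} %{remote_ip}' "$url")
        rc=$?
        set -- $out            # split into status and address (may be empty)
        echo "$rc ${1:-000} ${2:--}"
        i=$((i + 1))
        sleep 1
    done
}

# summarize_probes: read probe lines on stdin and print, per peer address,
# "<remote_ip> ok=<n> exit35=<n> other=<n>".
summarize_probes() {
    awk '
        { ip = $3; seen[ip] = 1 }
        $1 == 0  { ok[ip]++; next }
        $1 == 35 { e35[ip]++; next }     # 35 is the curl exit code shown in the post
        { other[ip]++ }
        END {
            for (ip in seen)
                printf "%s ok=%d exit35=%d other=%d\n", ip, ok[ip], e35[ip], other[ip]
        }' | sort
}

# Constructed sample results (documentation addresses), for an offline run.
sample_probe_lines() {
    printf '%s\n' '0 200 192.0.2.10' '35 000 192.0.2.11' '35 000 192.0.2.11' \
                  '0 200 192.0.2.10' '0 200 192.0.2.11'
}

# "--probe URL [COUNT]" runs live from the workload; otherwise use the sample.
if [ "${1:-}" = "--probe" ]; then
    probe_tls "$2" "${3:-20}" | summarize_probes
else
    sample_probe_lines | summarize_probes
fi
```

Run with `--probe https://httpbin.org 30` from inside the workload pod to collect live results; the timestamps of failed attempts can then be compared with the egress gateway logs.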
