Extend secure ingress troubleshooting (#1774)

* add ./ to the script to generate certificates

* add a step to verify the subject of the ingress gateway certificate

* add a step to verify the subject of the CA certificate

* put the mutual TLS troubleshooting into a separate subsection

* fix the level of the mutual TLS troubleshooting

* remove redundant empty lines

* verify the subject is correct -> verify that the subject is correct

* another case: verify the subject is correct -> verify that the subject is correct
Vadim Eisenberg 2018-07-12 18:00:37 +03:00 committed by istio-bot
parent 478c599e64
commit 818e23232d
1 changed files with 22 additions and 4 deletions


@ -45,7 +45,7 @@ from the https://github.com/nicholasjackson/mtls-go-example repository.
1. Generate the certificates (use any password):
{{< text bash >}}
$ generate.sh httpbin.example.com <password>
$ ./generate.sh httpbin.example.com <password>
{{< /text >}}
The command will generate four directories: `1_root`, `2_intermediate`, `3_application`, and `4_client` containing the client
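Review bot: The `./` prefix only works if the reader's current directory is the clone of the `mtls-go-example` repository named in the hunk's context line; the step itself does not say where the command is run from. Suggest prefixing the instruction with "In the directory of the cloned repository, run:" (or a `$ cd mtls-go-example` line inside the same text block) so the generated `1_root` ... `4_client` directories land where the later steps expect them.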
@ -268,13 +268,27 @@ they have valid values, according to the output of the following commands:
`tls.crt` and `tls.key` should exist in the directory contents.
1. Verify that the _Subject_ is correct in the certificate of the ingress gateway:
{{< text bash >}}
$ kubectl exec -i -n istio-system $(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -- cat /etc/istio/ingressgateway-certs/tls.crt | openssl x509 -text -noout | grep 'Subject:'
Subject: C=US, ST=Denial, L=Springfield, O=Dis, CN=httpbin.example.com
{{< /text >}}
1. Check the log of `istio-ingressgateway` for error messages:
{{< text bash >}}
$ kubectl logs -n istio-system -l istio=ingressgateway
{{< /text >}}
1. For mutual TLS, verify that the CA certificate is loaded in the `istio-ingressgateway` pod:
1. For macOS users, verify that you use _curl_ compiled with the [LibreSSL](http://www.libressl.org) library, as
described in the [Before you begin](#before-you-begin) section.
### Troubleshooting for mutual TLS
In addition to the steps in the previous section, perform the following:
1. Verify that the CA certificate is loaded in the `istio-ingressgateway` pod:
{{< text bash >}}
$ kubectl exec -it -n istio-system $(kubectl -n istio-system get pods -l istio=ingressgateway -o jsonpath='{.items[0].metadata.name}') -- ls -al /etc/istio/ingressgateway-ca-certs
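Review bot: The new Subject check pipes `openssl x509 -text -noout` through `grep 'Subject:'`, which works but produces the full certificate dump only to discard all but one line; `openssl x509 -noout -subject` prints exactly that line and removes the dependency on grep matching `Subject:` (and not `Subject Public Key Info:`). The same applies to the second copy of this command in the mutual TLS subsection. Minor consistency point in the same hunk: the new `kubectl exec` lines correctly use `-i` for a piped, non-interactive command, while the retained CA-listing command below still uses `-it`; `-t` allocates a TTY that `ls` does not need, so aligning both on `-i` would avoid a "Unable to use a TTY" complaint when the doc is followed from a script or a non-terminal shell.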
@ -282,8 +296,12 @@ they have valid values, according to the output of the following commands:
`ca-chain.cert.pem` should exist in the directory contents.
1. For macOS users, verify that you use _curl_ compiled with the [LibreSSL](http://www.libressl.org) library, as
described in the [Before you begin](#before-you-begin) section.
1. Verify that the _Subject_ is correct in the CA certificate of the ingress gateway:
{{< text bash >}}
$ kubectl exec -i -n istio-system $(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath='{.items[0].metadata.name}') -- cat /etc/istio/ingressgateway-ca-certs/ca-chain.cert.pem | openssl x509 -text -noout | grep 'Subject:'
Subject: C=US, ST=Denial, L=Springfield, O=Dis, CN=httpbin.example.com
{{< /text >}}
## Cleanup
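Review bot: The expected output for the CA certificate Subject is byte-for-byte the same as the expected Subject of the server certificate in the previous hunk (`CN=httpbin.example.com`), which is unusual for an issuing CA and worth double-checking against what `generate.sh` actually produces; if the CA really is issued with that CN, a sentence saying so would stop readers from treating the identical line as a copy-paste error. Also, `openssl x509` reads only the first certificate in a PEM file, so this step shows the Subject of whichever certificate comes first in `ca-chain.cert.pem`, not the whole chain; if the intent is to verify both the intermediate and the root, `openssl crl2pkcs7 -nocrl -certfile ca-chain.cert.pem | openssl pkcs7 -print_certs -noout` prints the subject and issuer of every certificate in the file.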