From 9de471a0354507f81aa8f15ea11c7c210dcc1dfd Mon Sep 17 00:00:00 2001 From: Vadim Eisenberg Date: Tue, 17 Jul 2018 14:56:36 +0300 Subject: [PATCH] add a check of Envoy's certificates to the troubleshooting section (#1845) * add a check of Envoy's certificates to the troubleshooting section based on https://github.com/istio/istio/issues/7009#issuecomment-405195183 * fix tabs for lint checker --- .../tasks/traffic-management/secure-ingress/index.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/content/docs/tasks/traffic-management/secure-ingress/index.md b/content/docs/tasks/traffic-management/secure-ingress/index.md index 94baa8f7ef..e412a513ed 100644 --- a/content/docs/tasks/traffic-management/secure-ingress/index.md +++ b/content/docs/tasks/traffic-management/secure-ingress/index.md @@ -276,6 +276,16 @@ they have valid values, according to the output of the following commands: Subject: C=US, ST=Denial, L=Springfield, O=Dis, CN=httpbin.example.com {{< /text >}} +1. Verify that the proxy of the ingress gateway is aware of the certificates: + + {{< text bash >}} + $ kubectl exec -ti $(kubectl get po -l istio=ingressgateway -n istio-system -o jsonpath={.items[0]..metadata.name}) -n istio-system -- curl 127.0.0.1:15000/certs + { + "ca_cert": "", + "cert_chain": "Certificate Path: /etc/istio/ingressgateway-certs/tls.crt, Serial Number: 100212, Days until Expiration: 370" + } + {{< /text >}} + 1. Check the log of `istio-ingressgateway` for error messages: {{< text bash >}}
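Review bot: The added step "Verify that the proxy of the ingress gateway is aware of the certificates" shows sample output but never says what the reader should check in it, so someone troubleshooting cannot tell a healthy result from a broken one. Suggest adding a sentence after the text block saying that `cert_chain` should name `/etc/istio/ingressgateway-certs/tls.crt` with a positive "Days until Expiration", and stating explicitly whether the empty `"ca_cert": ""` in the sample is the expected value for this task or a sign of a problem. Two smaller points on the command line itself: the `jsonpath={.items[0]..metadata.name}` expression is unquoted, which leaves the braces and brackets open to shell expansion, so single-quoting it (`-o jsonpath='{.items[0]..metadata.name}'`) is safer for readers who copy and paste; and `-ti` allocates an interactive TTY for a one-shot `curl`, which this step does not need.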