Unable to access API using hybrid runtime istio ingress gateway --- SSL error

Hi All,

I was trying Apigee hybrid installation on GCP.

The installation was successful and I can see the proxy has been deployed to the runtime pods for the specific environment.

But I am unable to access the API through the Istio ingress gateway for APIs. I am getting the SSL error below. The SSL certificate pairs were generated using the lets-encrypt commands given in the documentation.

curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api-qa.mydomain.in:443

Here is my configuration file:

gcp:
  projectID: gcp-project-id
# Apigee org name.
org: apigee-demo-trial-ou47h
# Kubernetes cluster name details
k8sCluster:
  name: apigee-demo-cluster
  region: "us-east1"


virtualhosts:
  - name: default
    hostAliases: 
        - "api-qa.mydomain.in"
    # either SSLSecret or the paths
    sslSecret: "qa-sslsecret"
    # Certificate for the domain name; this can be self signed.
    sslCertPath: /certs/fullchain.pem
    # Private key for the domain name; this can be self signed.
    sslKeyPath: ./certs/privkey.pem
    # optional
    routingRules:
      - env: qa
        paths: 
        - /myproxy  
        # optional, connect timeout in seconds
        connectTimeout: 57


envs:
    # Apigee environment name.
  - name: qa
    # Service accounts for sync and UDCA.
    serviceAccountPaths:
      synchronizer: ./service-accounts/gcp-project-id-apigee-synchronizer.json
      udca: ./service-accounts/gcp-project-id-apigee-udca.json
1 ACCEPTED SOLUTION

It was a mistake in my override file only. It's working after correcting the file.

Either use a K8S secret or use the SSL certificate pair path.

Corrected contents:

gcp:
  projectID: gcp-project-id
# Apigee org name.
org: apigee-demo-trial-ou47h
# Kubernetes cluster name details
k8sCluster:
  name: apigee-demo-cluster
  region: "us-east1"


virtualhosts:
  - name: default
    hostAliases: 
        - "api-qa.mydomain.in"

    # Certificate for the domain name; this can be self signed.
    sslCertPath: /certs/fullchain.pem
    # Private key for the domain name; this can be self signed.
    sslKeyPath: ./certs/privkey.pem
    # optional
    routingRules:
      - env: qa
        paths: 
        - /myproxy  
        # optional, connect timeout in seconds
        connectTimeout: 57


envs:
    # Apigee environment name.
  - name: qa
    # Service accounts for sync and UDCA.
    serviceAccountPaths:
      synchronizer: ./service-accounts/gcp-project-id-apigee-synchronizer.json
      udca: ./service-accounts/gcp-project-id-apigee-udca.json

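As an added example (not part of the original post and not Apigee tooling): a small Python lint that scans the virtualhosts entries of an override file and flags the conflict the accepted solution describes, sslSecret set alongside sslCertPath/sslKeyPath, plus a cert path without its key path. It is a line-oriented scan that assumes the two-space layout shown in the post, not a full YAML parser; lint_virtualhosts, BOTH, HALF and SAMPLE_OVERRIDES are hypothetical names, and the sample is constructed from the question's file.

```python
import re

# Constructed sample: the virtualhosts block from the question's override file.
SAMPLE_OVERRIDES = """\
virtualhosts:
  - name: default
    hostAliases:
        - "api-qa.mydomain.in"
    # either SSLSecret or the paths
    sslSecret: "qa-sslsecret"
    sslCertPath: /certs/fullchain.pem
    sslKeyPath: ./certs/privkey.pem
    routingRules:
      - env: qa
envs:
  - name: qa
"""

KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z]\w*):\s*(.*)$")
BOTH = "sslSecret and sslCertPath/sslKeyPath are both set; keep one"
HALF = "sslCertPath and sslKeyPath must be set together"

def lint_virtualhosts(text):
    """Return (virtualhost name, problem) pairs for conflicting TLS settings."""
    hosts, current, in_block, item_indent = [], None, False, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if not m:                        # blank, comment, or plain list scalar
            continue
        indent, dash, key, value = len(m.group(1)), m.group(2), m.group(3), m.group(4)
        value = "" if value.startswith("#") else value.strip().strip("\"'")
        if indent == 0 and not dash:     # a top-level key opens or closes the block
            in_block, current, item_indent = key == "virtualhosts", None, None
        elif in_block and dash and item_indent in (None, indent):
            item_indent, current = indent, {key: value}   # new virtualhost entry
            hosts.append(current)
        elif current is not None and indent == item_indent + 2:
            current[key] = value         # direct key of the entry; deeper nesting ignored
    findings = []
    for host in hosts:
        secret, cert, pkey = (host.get(k) for k in ("sslSecret", "sslCertPath", "sslKeyPath"))
        if secret and (cert or pkey):
            findings.append((host.get("name", "?"), BOTH))
        if bool(cert) != bool(pkey):
            findings.append((host.get("name", "?"), HALF))
    return findings

if __name__ == "__main__":
    print(lint_virtualhosts(SAMPLE_OVERRIDES))
```

Running it over the question's file reports the `default` virtualhost; the corrected file from the accepted solution yields no findings.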

2 REPLIES

The first thing to check is that your domain (api-qa.mydomain.in) resolves to the external IP address on your GKE cluster (currently 199.59.242.153 - reverse resolves to bodis.com, not googleusercontent.com).

The error that is reported indicates that nothing is listening on that address.

In fact, I took the time to scan the host, and I did not see that any services are being hosted on that IP address.
