Tetrate Istio Subscription (Version: Next)

TIS0303 - Duplicate Certificates in Multiple Gateways

Duplicate certificates in multiple Gateway resources may cause 404 errors if clients reuse HTTP/2 connections.

Recommendation: Avoid Duplicate Certificates Across Gateways

To prevent routing issues such as 404 errors when clients reuse HTTP/2 connections, avoid using the same certificate in multiple Gateway resources for the same host. Consolidate the configurations or use unique certificates.

Examples

  1. Two Gateways Using the Same Certificate

    First Gateway:

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: gateway-1
      namespace: example-namespace
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        hosts:
        - "example.com"
        tls:
          mode: SIMPLE
          credentialName: example-cert

    Second Gateway:

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: gateway-2
      namespace: example-namespace
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        hosts:
        - "example.com"
        tls:
          mode: SIMPLE
          credentialName: example-cert

    Explanation: Both Gateway resources use the same certificate (credentialName: example-cert) for the same host. When clients reuse HTTP/2 connections, sharing one certificate across multiple Gateways can create routing ambiguities and cause issues such as 404 errors.
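
One way to check a cluster for this condition, as an added example that is not part of the Tetrate documentation or the TIS analyzer itself: the function below takes the parsed output of `kubectl get gateways.networking.istio.io -A -o json` and reports every `credentialName` referenced by more than one Gateway, with the hosts each one serves. The function and helper names and the sample data (including `gateway-3`) are assumptions made for illustration.

```python
from collections import defaultdict

def find_shared_credentials(gateway_list):
    """Map each credentialName used by more than one Gateway to its users.

    gateway_list: parsed `kubectl get gateways.networking.istio.io -A -o json`.
    Returns {credentialName: {"namespace/name": sorted list of hosts}}.
    """
    users = defaultdict(lambda: defaultdict(set))
    for item in gateway_list.get("items", []):
        meta = item.get("metadata", {})
        gw = f'{meta.get("namespace", "default")}/{meta.get("name")}'
        for server in item.get("spec", {}).get("servers", []):
            cred = (server.get("tls") or {}).get("credentialName")
            if cred:  # servers without tls.credentialName (e.g. plain HTTP) are skipped
                users[cred][gw].update(server.get("hosts", []))
    return {
        cred: {gw: sorted(hosts) for gw, hosts in sorted(gws.items())}
        for cred, gws in users.items()
        if len(gws) > 1  # one Gateway reusing a cert on its own servers is not flagged
    }

def _gateway(name, servers):
    # Hypothetical helper: builds one constructed Gateway item for the sample.
    return {"kind": "Gateway",
            "metadata": {"name": name, "namespace": "example-namespace"},
            "spec": {"selector": {"istio": "ingressgateway"}, "servers": servers}}

def _https(host, cred):
    # Hypothetical helper: builds one constructed HTTPS server entry.
    return {"port": {"number": 443, "name": "https", "protocol": "HTTPS"},
            "hosts": [host], "tls": {"mode": "SIMPLE", "credentialName": cred}}

# Constructed sample: gateway-1 and gateway-2 mirror the two Gateways shown above.
SAMPLE = {"items": [
    _gateway("gateway-1", [_https("example.com", "example-cert")]),
    _gateway("gateway-2", [_https("example.com", "example-cert"),
                           {"port": {"number": 80, "name": "http", "protocol": "HTTP"},
                            "hosts": ["example.com"]}]),
    _gateway("gateway-3", [_https("other.example.com", "example-cert-2")]),
]}

if __name__ == "__main__":
    for cred, gws in find_shared_credentials(SAMPLE).items():
        print(f"{cred}: shared by {', '.join(gws)}")
```

To run it against a live cluster, load the `kubectl` JSON output with `json.load` and pass the result in place of `SAMPLE`.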

Recommendation

Consolidate the certificates by using a single Gateway for the host, or ensure that different certificates are used to prevent conflicts.

  1. Use a Single Gateway for the Host

    Consolidate the configurations into a single Gateway to avoid certificate duplication.

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: consolidated-gateway
      namespace: example-namespace
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        hosts:
        - "example.com"
        tls:
          mode: SIMPLE
          credentialName: example-cert

  2. Use Different Certificates for Each Gateway

    If multiple Gateways are required, use different certificates for each gateway to prevent routing issues.

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: gateway-1
      namespace: example-namespace
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        hosts:
        - "example.com"
        tls:
          mode: SIMPLE
          credentialName: example-cert-1
    ---
    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: gateway-2
      namespace: example-namespace
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 443
          name: https
          protocol: HTTPS
        hosts:
        - "example.com"
        tls:
          mode: SIMPLE
          credentialName: example-cert-2