Tetrate Istio Subscription | Version: Next

TIS0305 - Gateway Server Credentials are Invalid

Invalid TLS credentials in Gateway configurations can cause TLS handshake failures. This occurs when:

  • The certificate or private key is malformed
  • The certificate-key pairs don't match
  • The certificate has expired
  • The secret uses incorrect formatting

Recommendation

Ensure that TLS secrets referenced by Gateways contain:

  1. Properly formatted and matching certificate-key pairs
  2. Valid, non-expired certificates
  3. Correct secret format and key names

Use tools like openssl to verify certificate validity, expiration dates, and key matching before applying them to your cluster.
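The same checks the openssl recommendation describes, as an added example that is not part of this page or of Tetrate's tooling: a Go standard-library validator run over the data map of a TLS secret, rejecting misnamed entries (tls1.crt, tls1.key), malformed base64 or PEM, certificate-key pairs that don't match, and certificates outside their validity window. NewSecretData, which builds a constructed self-signed certificate for bookinfo.example.com so the example runs offline, and the function names are assumptions of this example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateTLSSecret applies the checks listed above to a Secret's data map (base64 values, as in the manifest).
func ValidateTLSSecret(data map[string]string, now time.Time) error {
	pems := map[string][]byte{}
	for _, k := range []string{"tls.crt", "tls.key"} { // misnamed entries such as tls1.crt fail here
		v, ok := data[k]
		b, err := base64.StdEncoding.DecodeString(v)
		if !ok || err != nil {
			return fmt.Errorf("secret key %q is missing or not valid base64 (present=%t, err=%v)", k, ok, err)
		}
		pems[k] = b
	}
	// X509KeyPair parses both PEM blocks and rejects a private key that does not match the certificate.
	pair, err := tls.X509KeyPair(pems["tls.crt"], pems["tls.key"])
	if err != nil {
		return fmt.Errorf("malformed PEM or certificate/key mismatch: %w", err)
	}
	cert, err := x509.ParseCertificate(pair.Certificate[0]) // X509KeyPair does not check expiry, so do it here
	if err != nil {
		return fmt.Errorf("tls.crt is malformed: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return fmt.Errorf("certificate not valid at %s (valid from %s to %s)", now.Format(time.RFC3339), cert.NotBefore.Format(time.RFC3339), cert.NotAfter.Format(time.RFC3339))
	}
	return nil
}

// NewSecretData builds a constructed self-signed P-256 certificate for bookinfo.example.com with the given validity window, encoded as a kubernetes.io/tls Secret stores it.
func NewSecretData(notBefore, notAfter time.Time) map[string]string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notBefore, NotAfter: notAfter, DNSNames: []string{"bookinfo.example.com"}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	crt := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	prv := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return map[string]string{"tls.crt": base64.StdEncoding.EncodeToString(crt), "tls.key": base64.StdEncoding.EncodeToString(prv)}
}
```

To check a live secret, feed it the data map from `kubectl get secret <name> -n bookinfo -o json`; an error here predicts the TIS0305 handshake failure before the Gateway is applied.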

Examples

Here are common scenarios that trigger this error:

  1. Expired Certificate

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: cert-expired
      namespace: bookinfo
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 5443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          credentialName: "expired-secret"
        hosts:
        - "bookinfo.example.com"
    ---
    apiVersion: v1
    data:
      tls.crt: LS0tLS1CRUdJ... # Expired certificate
      tls.key: LS0tLS1CRUdJ... # Private key
    kind: Secret
    metadata:
      name: expired-secret
      namespace: bookinfo
    type: kubernetes.io/tls

    Explanation: The certificate has expired and needs to be renewed.

  2. Invalid Certificate Name in Secret

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: invalid-cert-gateway1
      namespace: bookinfo
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 8443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          credentialName: "invalid-credential" # Secret with an invalid certificate-key pair
        hosts:
        - "bookinfo.example.com"
    ---
    apiVersion: v1
    data:
      tls1.crt: LS0tLS1CRUdJTi... # Incorrect certificate name
      tls.key: LS0tLS1CRUdJTiB...
    kind: Secret
    metadata:
      name: invalid-credential
      namespace: bookinfo
    type: Opaque

    Explanation: The certificate entry in the secret is misnamed (tls1.crt); it must be tls.crt.

  3. Invalid Certificate Key Name

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: invalid-cert-gateway1
      namespace: bookinfo
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 8443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          credentialName: "invalid-credential" # Secret with an invalid certificate-key pair
        hosts:
        - "bookinfo.example.com"
    ---
    apiVersion: v1
    data:
      tls.crt: LS0tLS1CRUdJTi...
      tls1.key: LS0tLS1CRUdJTiB... # Incorrect key name
    kind: Secret
    metadata:
      name: invalid-credential
      namespace: bookinfo
    type: Opaque

    Explanation: The private-key entry in the secret is misnamed (tls1.key); it must be tls.key.

Recommendation

  1. Renew Expired Certificates

    Renew the expired certificates and update the secret with the new certificate-key pair.

  2. Ensure Correct Name in Secret

    Ensure the secret's certificate entry is named tls.crt and its private-key entry is named tls.key.

    apiVersion: networking.istio.io/v1beta1
    kind: Gateway
    metadata:
      name: invalid-cert-gateway1
      namespace: bookinfo
    spec:
      selector:
        istio: ingressgateway
      servers:
      - port:
          number: 8443
          name: https
          protocol: HTTPS
        tls:
          mode: SIMPLE
          credentialName: "valid-credential"
        hosts:
        - "bookinfo.example.com"
    ---
    apiVersion: v1
    data:
      tls.crt: LS0tLS1CRUdJTi...
      tls.key: LS0tLS1CRUdJTiB...
    kind: Secret
    metadata:
      name: valid-credential
      namespace: bookinfo
    type: Opaque