ContextQMD
Back to Istio Io

NoServerCertificateVerificationPortLevel

content/en/docs/reference/config/analysis/ist0129/index.md

latest1.2 KB
Original Source

This message occurs when caCertificates is not set in a destination rule, but is needed for the traffic policy.

Example

You will receive this message:

{{< text plain >}} Error [IST0129] (DestinationRule db-tls.default) DestinationRule default/db-tls in namespace default has TLS mode set to SIMPLE but no caCertificates are set to validate server identity for host: mydbserver.prod.svc.cluster.local at port number:443 {{< /text >}}

when your cluster has the following destination rule:

{{< text yaml >}} apiVersion: networking.istio.io/v1 kind: DestinationRule metadata: name: db-tls spec: host: mydbserver.prod.svc.cluster.local trafficPolicy: portLevelSettings: - port: number: 443 tls: mode: SIMPLE clientCertificate: /etc/certs/myclientcert.pem privateKey: /etc/certs/client_private_key.pem sni: my-nginx.mesh-external.svc.cluster.local # caCertificates not set {{< /text >}}

In this example, the destination rule db-tls specifies TLS, but does not set the CA certificate file.

How to resolve

  • Supply the filename of a CA certificate
  • Change the traffic policy so that a certificate is not needed