
Istio Cannot Verify an HTTPS Certificate Generated by a Trusted Signing CA

Symptom

The possible symptoms are:

  • Istiod logs include multiple warnings or errors containing the message x509: certificate signed by unknown authority.
  • The JWT authorization flow does not function correctly, and requests with valid tokens result in a 401 status error with the message Jwt verification fails.
  • The Envoy configuration for JWT in the Istio sidecars is not up-to-date.
  • Checking the server certificate chain reveals different root Certificate Authorities (CAs) than on working servers.

Cause

By default, when Istio initiates an outbound connection to an HTTPS server, it requires the server certificate to be signed by a trusted CA. This means that the client must recognize at least the root CA of the chain presented by the server. If the server's domain certificate was issued under a root CA the client does not recognize, the HTTPS handshake fails and the connection is not established. This can happen, for example, when the server uses an internal solution-specific root CA, or when it has been migrated to a new root CA that is not yet widely distributed. As a result, the JWKS fetch from the JWKS URI may fail.
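As an added example (not code from the Istio module or from Kyma), the following Go program reproduces the check described above using only the standard library: it builds a constructed internal root CA and a server certificate signed by it for the hypothetical JWKS host jwks.internal.example, then runs the same chain verification a TLS client such as istiod performs. Against a trust pool that does not contain the internal root, verification fails with the unknown-authority error quoted in the Symptom section; once the root is added to the pool, the identical certificate verifies. The CA name, host name, and all function names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ChainFixture is a constructed internal root CA plus a server certificate it
// signed, standing in for the solution-specific CA described in the text.
type ChainFixture struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// NewInternalChain builds a self-signed root CA (constructed name
// "Example Internal Root CA") and a server certificate for host signed by it.
func NewInternalChain(host string) (*ChainFixture, error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	return &ChainFixture{Root: root, Leaf: leaf}, nil
}

// TrustedPool returns a root pool containing the internal CA, i.e. the trust
// configuration the client needs for the remedy to work.
func (f *ChainFixture) TrustedPool() *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(f.Root)
	return pool
}

// VerifyServerCert performs the check a TLS client applies when it fetches
// JWKS: the leaf must chain to a root in the trusted pool and carry the
// expected host name. A nil pool means "trust nothing".
func VerifyServerCert(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	if roots == nil {
		roots = x509.NewCertPool()
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown
// authority" failure: the chain is intact but its root is not trusted, as
// opposed to a host-name mismatch or an expired certificate.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "jwks.internal.example" // hypothetical JWKS host
	fx, err := NewInternalChain(host)
	if err != nil {
		panic(err)
	}
	// Without the internal root in the pool, the handshake-time check fails.
	err = VerifyServerCert(fx.Leaf, host, nil)
	fmt.Printf("untrusted root: %v (unknown authority: %t)\n", err, IsUnknownAuthority(err))
	// Once the root is trusted, the same chain verifies.
	err = VerifyServerCert(fx.Leaf, host, fx.TrustedPool())
	fmt.Printf("root trusted:   err=%v\n", err)
}
```

Distinguishing the unknown-authority error from other verification failures matters when diagnosing this symptom: a host-name mismatch or an expired certificate is reported differently and is not fixed by adding a root to the trust store.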

Remedy

To ensure that the certificate is trusted by Istio, verify that you are using the most up-to-date version of the Istio module. If you are using SAP BTP, Kyma runtime, the solution guarantees that you have the most up-to-date version.

If your Istio module version is up-to-date but the verification still fails, make sure that the root CA certificate of the server is trusted by istiod.