Environment
Platform: Kubernetes
Kubernetes/Platform Version(s): v1.30.4
Describe the bug
I'm deploying NeuVector v5.4.1 with Istio deployed that handles SSL. When deploying the Helm chart with manager.env.ssl = false, I see errors in the manager pod and an error when hitting my URL: "upstream connect error or disconnect/reset before headers. retried and the latest reset reason: remote connection failure, transport failure reason: delayed connect error: 111". I have also tried on 5.4.2 with the same issue that THIS ISSUE describes. I am not sure if I am missing a setting or if there is something else I am doing, but I cannot figure out why this error is happening.
2025-02-05 16:10:50,918|INFO |MANAGER|apache.pekko.event.slf4j.Slf4jLogger(applyOrElse:117): Slf4jLogger started
Exception in thread "main" java.lang.ExceptionInInitializerError
    at org.apache.pekko.http.scaladsl.HttpExt.sslTlsStage(Http.scala:858)
    at org.apache.pekko.http.scaladsl.HttpExt.sslTlsServerStage(Http.scala:845)
    at org.apache.pekko.http.scaladsl.HttpExt.fuseServerBidiFlow(Http.scala:114)
    at org.apache.pekko.http.scaladsl.HttpExt.bindAndHandle(Http.scala:253)
    at org.apache.pekko.http.scaladsl.HttpExt.bindAndHandleImpl(Http.scala:309)
    at org.apache.pekko.http.scaladsl.HttpExt.bindAndHandleAsync(Http.scala:374)
    at org.apache.pekko.http.scaladsl.HttpExt.bindAndHandleAsyncImpl(Http.scala:387)
    at org.apache.pekko.http.scaladsl.ServerBuilder$Impl.bind(ServerBuilder.scala:160)
    at com.neu.core.BootedCore.$init$(Core.scala:35)
    at com.neu.web.Rest$.<clinit>(Rest.scala:8)
    at com.neu.web.Rest.main(Rest.scala)
Caused by: java.security.ProviderException: Could not initialize NSS
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:295)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:179)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11$1.run(SunPKCS11.java:153)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:569)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.configure(SunPKCS11.java:153)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:257)
    at java.base/sun.security.jca.ProviderConfig$3.run(ProviderConfig.java:248)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:318)
    at java.base/sun.security.jca.ProviderConfig.doLoadProvider(ProviderConfig.java:248)
    at java.base/sun.security.jca.ProviderConfig.getProvider(ProviderConfig.java:226)
    at java.base/sun.security.jca.ProviderList.getProvider(ProviderList.java:268)
    at java.base/sun.security.jca.ProviderList.getService(ProviderList.java:381)
    at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:157)
    at java.base/javax.net.ssl.SSLContext.getInstance(SSLContext.java:185)
    at java.base/javax.net.ssl.SSLContext.getDefault(SSLContext.java:110)
    at org.apache.pekko.stream.scaladsl.TLSPlacebo$.<clinit>(TLS.scala:232)
    ... 11 more
Caused by: java.io.IOException: configDir must be a directory: /etc/pki/nssdb
    at jdk.crypto.cryptoki/sun.security.pkcs11.Secmod.initialize(Secmod.java:218)
    at jdk.crypto.cryptoki/sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:290)
    ... 26 more
To Reproduce
Steps to reproduce the behavior:
- Set manager.env.ssl to false in the Helm chart
- Use 5.4.1 images
- See error
Expected behavior
The manager pod should run without errors. Istio should be able to handle SSL termination at the gateway and route traffic to the service with the virtual service successfully.