Envoy: HTTPS unavailable after load private key failed.

I've tested key with OpenSSL:

$ openssl rsa -in server.key -check -noout
4631098988:error:04FFF07E:rsa routines:CRYPTO_internal:iqmp not inverse of q:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.230.1/libressl-2.6/crypto/rsa/rsa_chk.c:199:

cc @PiotrSikora

@exiaohao per the message you pasted, the private key is corrupted:

$ openssl rsa -in server.key -check -noout
RSA key error: iqmp not inverse of q

BoringSSL (and therefore Envoy) won't accept it:

$ bssl s_server -accept 12345 -key server.key -cert server.crt
Failed to load private key: server.key
94140145633672:error:0400006f:RSA routines:OPENSSL_internal:CRT_VALUES_INCORRECT:/path/to/boringssl/crypto/fipsmodule/rsa/rsa.c:747:
94140145633672:error:04000068:RSA routines:OPENSSL_internal:BAD_RSA_PARAMETERS:/path/to/boringssl/crypto/rsa_extra/rsa_asn1.c:193:
94140145633672:error:06000066:public key routines:OPENSSL_internal:DECODE_ERROR:/path/to/boringssl/crypto/evp/p_rsa_asn1.c:146:
94140145633672:error:13000068:PKCS8 routines:OPENSSL_internal:DECODE_ERROR:/path/to/boringssl/crypto/pkcs8/pkcs8_x509.c:128:
94140145633672:error:0900000c:PEM routines:OPENSSL_internal:ASN.1 encoding routines:/path/to/boringssl/crypto/pem/pem_pkey.c:139:
94140145633672:error:10000009:SSL routines:OPENSSL_internal:PEM routines:/path/to/boringssl/ssl/ssl_file.cc:487:

Surprisingly, OpenSSL accepts it (even though it says it's corrupted in the openssl rsa -check):

$ openssl s_server -accept 12345 -key server.key -cert server.crt
Using default temp DH parameters
ACCEPT

There is not much we can do about it on the Envoy side, you should contact your CA and let them know that they produce corrupted private keys (but really, you should be generating private keys yourself, and only let CA generate the public certificate).

@PiotrSikora Thanks for your help, I know it's something wrong with CA and issuer.

But on envoy side, a corrupted private key should NOT cause envoy's HTTPS port down after restart, it should keep running without the private key which is corrupted. And logs can more detail, it helps us find out which cert/key is illegal.

@exiaohao as far as I understand your original message, this works as intended.

When you replace working private key with corrupted private key over xDS, the configuration is rejected and Envoy continues to serve traffic using the last known good configuration.

When your restart (i.e. stop and start) Envoy with configuration depending on the corrupted private key, then Envoy cannot revert to the last known good configuration, since the very first configuration is already broken.

If you expect Envoy to start with all filter chains working, other than the one with corrupted private key, then that's not something that's supposed to work, because you'd have (a) only part of the supplied configuration loaded, leading to unexpected behavior, (b) silent failure, since it's unlikely that you'd notice this if Envoy started and served traffic.

@PiotrSikora yes we'd notice this warning and resolve it asap.
I mean is there a way to minimize the impact after restart with the private key is corrupted(e.g. pass the bad configuration, keep others running). HTTPS services are totally down is unacceptable and leads a terrible affect.

@exiaohao you should validate the configuration before restarting Envoy with it, i.e.

envoy-static --mode validate -c production.yaml && <whatever you do to restart Envoy>

This way, you won't restart Envoy if your configuration includes corrupted private key (or any other errors, for that matter), leading to the same behavior as xDS, i.e. using the last good know configuration and ignoring the invalid one.

@PiotrSikora It's a good idea, I'll validate the configuration and cert/key before apply.

I get the same error with Envoy 1.14.1, using SDS.

Error:

type_url: "type.googleapis.com/envoy.api.v2.auth.Secret"
response_nonce: "2020-06-03 18:01:38.723546738 -0700 PDT m=+0.283259137"
error_detail {
  code: 13
  message: "Failed to load private key from <inline>"
}

The key was generated with openssl, using the Istio makefile:

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEApe+w59hkF8Sl3ipRYqJU0fNZ+mDqQia8IpbYFgg8lIbAfowH
ETT0eiRsQ861tnYZvXlRnMAj8xBXzm23kDKrnd8ex6SNRKcAt4nysi+1wWBMRURp
y+DnOIhcGtNKorcU+h8cCFdNtdxO5nEdxbhCEqGSyL5Xb5tMxBCdSwJ65BJoRNgI
JnFjIReFJRiGrpra7JOcnRDYXdCky7R6Pky8S9jHx834pNclZEDJLz9dO+amXzrj
MDWiY3qpm/ZIl7HkqBsluLR1x1MgyG34F4gFmFa2eMIcUOTf2GIcy4vcnIlBm6si
Wd97IeC8qW1CtzeVhRK0oxgsO/m6RpScF5w1c8B7Zs76poT+xsq/yKRhvbFlz3O5
5Bg+4BoWyWcG48kA8aciNe3Z8q390EwzAg9X2fmY1MShjNxTqPe9T7FEJr+euhsf
LdKxi3+sDKblbQNdd9wRhv1Eq8hqoyhRpt6wUdaUfF3S+wnBnVEQPXPcAXCTknhp
PSXyfV8H9YDTBg6/lYb4dORt+2rbs/yYQdCKjbXlGxInLPQmDCPgsi1eBVEeHLIn
HXBZAfivVYdH4K/UtSZHfbmUHnjWfQojOYcDaCOLJM605ekM1t0Upl/PNhlqMxzn
aCjADENHiJqbHjrcoHZ7gC5FY/VLX6Fcd3BkJscJFPRZd3BcCgzx9ZW0870CAwEA
AQKCAgArqn2lJR6B2q/DXON5zzn+3ckJyEMdEVBk0ckfUx+N/j/djT+22XaURc1v
so/C6iUv5SMC2tUa+2v/2IN7oLnkm3hgFP9P15qqsdR563Aq6QppF+23RwHRsKB8
NqnnU8JjZ5ha4Y6Dkuv4XD/3bduFR5t21A/yQK3c0npx6L8qEWX659aNNz1c0fGp
p2CZxgpiQx3tfydQ2LzlFiMtDchnNS6td5g82JjwXtQSaNxCDRou6TIr15FaGEdV
0WOc96UyT6KHjoWH5Go2FCo7FwJR6k+uS3ZkGzaEnJzzO2TclIn9SvWJLPQcICXF
eAkcabYhBKEgYhYR2k+YjzbcR7EQzlZc3AC5FakVV3OYi3883pollRev5h8TjbAi
UnEOa0HW1F1CWOjYdJfpsQxL5E4xPm9qhDW5qJYL9WkX5xPZkaqPlpsobLtPK0Lh
HMbgfGd6EnpG9CVPnl6LWSH61RYq00UCTswzCccr+a0S9zuljWKWlF5weYCwQKMZ
0pInrvGG1qOZLB+hzDWsVG6Uw1e1XbyF3s8kE0GbbhXZcWA9ON3d8OZ+YXjUlXcb
2ULj1dn7nzeMOW9AGI/UA8SfacGU7934hiaoa+nTrX4BhSQLYI+xXOGh4zsKOkhH
SxqjBUBHy0yVlnAKZiuHy7KaM9qLWYZFbFk0hNzziLx5OvE0QQKCAQEAzvaPy2+k
Cv1+N793Tgxtt+FmGIm3M/rsWvl13O+jeCaaRo08XQj9z3vOjikoSUY27NjshLtL
XaTV4rCiCr2MWOLbuE2RkaHspFWEvTiNRlATeIppBPe0rT+r36BM7aB9HS4FhSHy
FWZN6mw7vSz1Fl1baShIFDl9y84VdR5PYaQKRNI0fgkMZhwLKt9tNWZbpY0qUPl+
6eFFsVhupbugaVDqytIjQxl34r9eoaoUNPEuu41MAE9JRGOp0JoRdgFqado4U6bQ
XmtSfpkIptt4aeSYf/De27hlQJiU4oy2jbfeW92sPsM/1zwBqlNBTawwFaAdF68N
Xxu1ZZGwMk4IpQKCAQEAzUCg8kzqdAkEZwyMm6h2kk53M75dymwf+GrIQ6Z7t4o9
30oIHD5G/p/1MyDYT1/17fQOE+XuZLXSpRwn7tl7iG2Ic5Tac8WrSaDdPcgb3hDj
ZRiY0BHFUvMCGF7g4z33rOdvdP3XI2i7me0PN5SGcanKiRuoFsgzxtVf0/O8zimA
JxFD0XeUNIZLTOJYqNmrBWuCvZnR/IceJoMLsrdniAMB4v20f9ofzFDJjswvVIjV
/iQKV8BfKwJE6ADAieH6JCssXhd1AoHvX/jTQz7YEb5l97v653um0A7KlJwaqs8A
7hvH9MTHQAYxpvYfoBSDWpuaGRJPQhD47CIqBks7OQKCAQAI3hebJ9VngyT9Tn7W
IUIyNr4hHwVyfLXT0Ax0wu/GHiFOFI8ZjWESmsNm4+yN9ywzSbgYl83K3V0ssVTA
EQ8KX+36H5i1HLL+94sQcHPdJ2EuMP/+7n4XTjsXAc9J/y5dKbOi2Kl+sTt1Z93H
ZT27D5TzFH7CHxR8vv+8XOgZzuWBvV/yZoDZfyobVCdhulkC5uGBRq9hZf2Oc7OJ
9lgRKx5kQkywe07fsENludvTyOGvt4YiHUOOYpbMEU3eOIFOt8LiEquq3/5Q3k24
mH64Sssd8DwcPfJYqjD25ACOYeptFTpkFgmON0v6+EY8BbypsIqOkTmJca58A5oB
DcbhAoIBAQCyxcnpgWjsLDZzcxC9O1wbTtCwduzGNKsb+hX4Jne3g2ckpxytTOkV
OkmdgMwnRpOz8FCasDiV63BPc1isxyy7xXuGAG7NS6xHcx+Agl0TbG5DTcs7316Z
QyPeCjWieATTyrjfk4DhTIWqKjqI1IrNUXAhP7+GKFZApvTSbYdTof4HCRiix56E
qTvI+ZTzbLNzAxNbBTFK3H08WgPEY85/Pu9TwFqIyXnMwcjs4ZeP76dDtix0BhBe
K5nM4WrSLctr2VbJlXDLAFV4qAeKmKAlxEqYHlkJaj//FAMKsXTgtXA/9F6TKRnL
ABobLGCbU4KdVs4/bB0wlAvb0F3+IWSxAoIBAFHB/P+LrFEQzb331cxz6gMvqCy6
Bnoj2xjpU0EolHjLb1BIfG/t9K7L4G8qcOepGiY/jO75c87OePRkppPLMF28xuWt
BBHLrcQxeLFmXyjiEo3gq1NsaFi3VhbmBz9+fwdmyYXmDpE7qiDYbG1VyrBnz/FV
fY5WAM2n3hoP0hnT3MZ+jVjkrLX6KkmBcFve2wrGPuVKO2F1qzIKKkFcwliDFwIT
mjOFeh5ninIIbn3ESBuDZicryNb+5eoFtXOEsPj+a/7J0SgB6y/xrEU2A1u+Ioit
j/1K6JLd2jTPa8cYXSJrwpbk1lR7lMXpAesNUhidWZzTjBs1y3eYS0eBduY=
-----END RSA PRIVATE KEY-----

More logs from envoy - I started with trace, I don't see any info on why it was rejected.

2020-06-03T18:01:38.724426Z     debug   envoy http      [external/envoy/source/common/http/async_client_impl.cc:96] async http request response headers (end_stream=false):
':status', '200'
'content-type', 'application/grpc'

2020-06-03T18:01:38.724435Z     trace   envoy http2     [external/envoy/source/common/http/http2/codec_impl.cc:515] [C0] about to recv frame type=0, flags=0
2020-06-03T18:01:38.724441Z     trace   envoy http2     [external/envoy/source/common/http/http2/codec_impl.cc:530] [C0] recv frame type=0
2020-06-03T18:01:38.724449Z     trace   envoy http      [external/envoy/source/common/http/async_client_impl.cc:112] async http request response data (length=6061 end_stream=false)
2020-06-03T18:01:38.724463Z     debug   envoy config    [external/envoy/source/common/config/grpc_mux_impl.cc:129] Received gRPC message for type.googleapis.com/envoy.api.v2.auth.Secret at version 2020-06-03 18:01:38.723546738 -0700 PDT m=+0.283259137
2020-06-03T18:01:38.724597Z     debug   envoy config    [external/envoy/source/extensions/transport_sockets/tls/ssl_socket.cc:638] Secret is updated.
2020-06-03T18:01:38.727934Z     warning envoy config    [external/envoy/source/common/config/grpc_subscription_impl.cc:101] gRPC config for type.googleapis.com/envoy.api.v2.auth.Secret rejected: Failed to load private key from <inline>
2020-06-03T18:01:38.727943Z     debug   envoy init      [external/envoy/source/common/init/watcher_impl.cc:14] target SdsApi default initialized, notifying init manager Cluster xds-grpc

@costin can you paste matching certificate? It's hard for me to test it without it.

Hi @PiotrSikora , I ran into the same issue recently. I'm using Envoy 1.12 as an edge proxy to terminate TLS. It's powered by LDS grpc server that dynamically retrieves TLS certificate and builds a listener snapshot. The issue I observed recently is that in case if one of the certs is corrupted, Envoy starts error-ing out with this following error:

Failed to load private key from <inline> and in case if there the server is restarted, the entire cached config is gone, which leads to a hard down of the edge proxy.

Could you please clarify if this is fixed in the latest Envoy versions? Same goes to making the error log message more descriptive, as it's pretty hard to know which one of the hundreds of certs is corrupted.

Also, can I use this command envoy-static --mode validate -c production.yaml && <whatever you do to restart Envoy> for dynamically generated envoy configurations?

Hi @PiotrSikora , I ran into the same issue recently. I'm using Envoy 1.12 as an edge proxy to terminate TLS. It's powered by LDS grpc server that dynamically retrieves TLS certificate and builds a listener snapshot. The issue I observed recently is that in case if one of the certs is corrupted, Envoy starts error-ing out with this following error:

Failed to load private key from <inline> and in case if there the server is restarted, the entire cached config is gone, which leads to a hard down of the edge proxy.

Could you please clarify if this is fixed in the latest Envoy versions?

I believe this is fixed if you're using SDS, since then only filter chain(s) with broken TLS certificate(s) won't work.

With LDS alone, I think it's still "broken", since the whole LDS update would be rejected, but there were so many changes to listeners over the past year that I'm not 100% if that's the case. You could always verify it yourself.

In any case, your control plane should verify that the configuration (including TLS certificates) is correct before pushing it out.

Also, you definitely shouldn't be using Envoy v1.12, it reached EOL and there is a ton of bugs fixed since it was released.

Same goes to making the error log message more descriptive, as it's pretty hard to know which one of the hundreds of certs is corrupted.

I agree, but the inlined certificates have no names, and neither do filter chains or listeners, so it's pretty hard to give a more descriptive error.

Also, can I use this command envoy-static --mode validate -c production.yaml && <whatever you do to restart Envoy> for dynamically generated envoy configurations?

I believe this only validates production.yaml and not the dynamic configuration, which could change between the time you verify it and the time you restart Envoy anyway.