Issue with Envoy: "Unable to read server-key.pem"

I've been stumped by this for a good while now and can't really move on with things until I've solved it so I'm coming to the community for some guidance.

I'm running a gRPC application with the frontend running in the browser, Envoy translating HTTP into HTTP/2 and routing requests to the backend. Everything is working fine with insecure connections. I've set up the backend to use TLS encryption, and that is all working perfectly too. The frontend has been secured so those messages are encrypted too. I've just run into a bit of a wall with Envoy. I'm pretty convinced that I've set things up correctly and that my certificates are all good (I'm using self-signed certificates for now, with the app running locally only).

The relevant parts of my Envoy configuration are:

# Downstream (listener) side: browser -> Envoy, mutual TLS
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
    require_client_certificate: true
    common_tls_context:
      validation_context:
        trusted_ca:
          filename: ca-cert.pem
        match_subject_alt_names:
        - exact: localhost
      tls_certificates:
      - certificate_chain:
          filename: server-cert.pem
        private_key:
          filename: "server-key.pem"

and:

# Upstream (cluster) side: Envoy -> gRPC backend, client certificate
transport_socket:
  name: envoy.transport_sockets.tls
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
    common_tls_context:
      tls_certificates:
      - certificate_chain:
          filename: client-cert.pem
        private_key:
          filename: client-key.pem

I can build my Envoy image without issues, but on running it the container crashes with the logs stating: "error initializing configuration '/etc/envoy/envoy.yaml': unable to read file: client-key.pem" (it throws the same error with server-key.pem when I omit the client part of the config).

Is there anyone who has run into something similar or has some more knowledge of certificates? I have a decent understanding of TLS encryption, but there is definitely room for misunderstanding on my part. The files are not password-protected and shouldn't require special permissions to access, so I'm not sure why Envoy can't read them.


Solution 1:

I had a similar issue the other day; the expected format for private keys is apparently something like:

-----BEGIN CERTIFICATE-----
****
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
****
-----END PRIVATE KEY-----

So you should concatenate the certificate with the private key by doing:

cat example.crt example.key > example.pem

And use:

private_key:
  filename: "example.pem"
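Added example, not part of the question or of norbjd's answer: a pre-flight check that resolves every `filename:` DataSource in an Envoy config the way Envoy itself does and reports why each file might fail to load. It rests on two assumptions, stated here and in the code: Envoy opens a DataSource `filename` as an ordinary file, so a relative path is resolved against the Envoy process's working directory (inside the Docker image, not the directory holding envoy.yaml), and "unable to read file" is what Envoy reports when that open fails; and a private key must be in plaintext PEM unless the `tls_certificates` entry also carries a `password` DataSource. The script scans the YAML with a regular expression rather than a YAML parser so it has no dependencies, and it lists the PEM labels it finds, so a concatenated certificate-plus-key file like the one in Solution 1 shows both a CERTIFICATE and a PRIVATE KEY block. The config fragment, PEM bodies and file layout are constructed for the demonstration.

```python
"""Pre-flight check for the file-backed TLS DataSources in an Envoy config.

Added example (not Envoy's own code). Assumptions, stated as such: Envoy
reads a DataSource `filename` with an ordinary file open, so a relative
path is resolved against the Envoy process's working directory, not the
directory holding envoy.yaml, and "unable to read file" is what it reports
when that open fails. The config text, PEM bodies and file layout below
are constructed for the demonstration.
"""
import os
import re
import tempfile

# Matches `filename: foo.pem` or `filename: "foo.pem"` anywhere in the YAML.
# A regex instead of a YAML parser keeps the script dependency-free.
FILENAME_RE = re.compile(r'^\s*filename:\s*"?([^"\s]+)"?\s*$', re.MULTILINE)

# One PEM block; the backreference forces matching BEGIN/END labels.
PEM_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.DOTALL)


def referenced_files(config_text):
    """Every `filename:` value in the config, in order of appearance."""
    return FILENAME_RE.findall(config_text)


def pem_labels(data):
    """Labels of the PEM blocks in `data`, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return PEM_BLOCK_RE.findall(data)


def check_file(name, workdir):
    """Resolve `name` as Envoy would (relative to `workdir`) and inspect it."""
    resolved = name if os.path.isabs(name) else os.path.join(workdir, name)
    result = {"path": name, "resolved": resolved, "labels": []}
    if not os.path.isfile(resolved):
        result["status"] = "missing"          # the usual cause of "unable to read file"
        return result
    if not os.access(resolved, os.R_OK):
        result["status"] = "unreadable"       # wrong owner/mode inside the container
        return result
    with open(resolved, encoding="utf-8", errors="replace") as fh:
        data = fh.read()
    labels = pem_labels(data)
    result["labels"] = labels
    if not labels:
        result["status"] = "no PEM blocks"    # DER or garbage where PEM was expected
    elif "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in data:
        # Envoy will not prompt for a passphrase: the key must be plaintext
        # or the tls_certificates entry must supply a `password` DataSource.
        result["status"] = "encrypted key"
    else:
        result["status"] = "ok"
    return result


def check_config(config_text, workdir):
    """Check every file the config references against `workdir`."""
    return [check_file(name, workdir) for name in referenced_files(config_text)]


# Constructed fragment mirroring the question's tls_certificates entries.
SAMPLE_CONFIG = """\
tls_certificates:
- certificate_chain:
    filename: server-cert.pem
  private_key:
    filename: "server-key.pem"
- certificate_chain:
    filename: client-cert.pem
  private_key:
    filename: client-key.pem
"""


def demo():
    """Constructed layout: the two certificates are fine, server-key.pem is
    passphrase-protected and client-key.pem was never copied into the
    working directory. Returns {filename: status}."""
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    enc_key = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n"
               "-----END ENCRYPTED PRIVATE KEY-----\n")
    with tempfile.TemporaryDirectory() as workdir:
        for name, body in (("server-cert.pem", cert),
                           ("server-key.pem", enc_key),
                           ("client-cert.pem", cert)):
            with open(os.path.join(workdir, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {r["path"]: r["status"] for r in check_config(SAMPLE_CONFIG, workdir)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{path}: {status}")
```

Run it against the real envoy.yaml with `workdir` set to the container's working directory (or use absolute paths such as `/etc/envoy/server-key.pem` in the config so the working directory no longer matters); a "missing" result for a file that exists on the host means it was never copied into the image or sits at a different path than the one the process resolves.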

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 norbjd