envoyproxy/gateway

Expired certificate combined with valid chain causes configuration stall

Open

#9.225 geöffnet am 15. Juni 2026

Auf GitHub ansehen
 (1 Kommentar) (2 Reaktionen) (1 zugewiesene Person)Go (802 Forks)auto 404
cherrypick/release-v1.7.6cherrypick/release-v1.8.2help wantedkind/bugtriage

Repository-Metriken

Stars
 (2.871 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

Description:

After upgrading from Envoy Gateway v1.7.3 to v1.7.4, TLS secrets containing a expired certificate and unexpired chain are rejected by Envoy with KEY_VALUES_MISMATCH, even though the private key correctly matches the certificate. It looks like the expired certificate gets removed but the chain is kept and it tries to match the private key to the chain certificate.

Because of this the complete configuration is invalid and gets rejected by Envoy. This causes configuration stall and envoy configurations don't get updated.

Repro steps: 1: Setup a gateway with a valid certificate 2: generate self signed invalid certificates

# Generate a CA (simulating intermediate)
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-384 \
  -keyout ca-key.pem -out ca.pem -days 1 -nodes -subj "/CN=Fake Intermediate"

# Generate a cert signed by that CA and expired
openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -keyout cert-key.pem -out cert-csr.pem -nodes -subj "/CN=test.example.com"
openssl x509 -req -in cert-csr.pem -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -days 0

# Create chain file (certificate + intermediate)
cat cert.pem ca.pem > fullchain.pem

3: Replace the certificate with an expired one.

kubectl create secret tls <secret name> \
  --cert=fullchain.pem \
  --key=cert-key.pem \
  -n <gateway-namespace>

Environment: Envoy Gateway v1.7.4 Envoy Proxy v1.37.3

Logs:

Envoy rejected the last update with code 13 and message Failed to load private key from <inline>, Cause: error:0b000074:X.509 certificate routines:OPENSSL_internal:KEY_VALUES_MISMATCH

Contributor Guide