TLS connection between Linkerds in 2 different clusters

Hi all -

We’re trying to establish an SSL connection between two clusters using Linkerd as proxy.

The internal-linkerd looks something like this:

---
admin:
  ip: 0.0.0.0
  port: 4446

routers:
- protocol: http
  servers:
  - port: 3127
    ip: 0.0.0.0
  client:
    tls:
      commonName: <NAME>
      trustCerts:
      - /mnt/mesos/sandbox/certificates/certificate.pem
  dtab: >-
    /%/io.l5d.localhost/#/io.l5d.marathon                    => /#/io.l5d.marathon;
    /<DOMAIN_NAME>          => /#/io.l5d.marathon;
    /env/dev                                                 => /#/io.l5d.fs;
    /<DOMAIN_NAME_WILDCARD>    => /env/dev/ssl-internal;
    /host                                                    => /$/io.buoyant.http.domainToPathPfx/domain;
    /svc                                                     => /host
  label: outgoing
  bindingTimeoutMs: 15000
  interpreter:
    kind: default
    transformers: # transform all outgoing requests to deliver to incoming linkerd port 3126
    - kind: io.l5d.port
      port: 3126
- protocol: http
  servers:
  - port: 3126
    ip: 0.0.0.0
    # accept incoming TLS traffic from remote Linkerd
    tls:
      certPath: /mnt/mesos/sandbox/certificates/certificate.pem
      keyPath: /mnt/mesos/sandbox/certificates/key.pem
  dtab: >-
    /%/io.l5d.localhost/#/io.l5d.marathon                    => /#/io.l5d.marathon;
    /<DOMAIN_NAME>          => /#/io.l5d.marathon;
    /env/dev                                                 => /#/io.l5d.fs;
    /<DOMAIN_NAME_WILDCARD>    => /env/dev/ssl-internal;
    /host                                                    => /$/io.buoyant.http.domainToPathPfx/domain;
    /svc                                                     => /host
  label: incoming
  interpreter:
    kind: default
    transformers:
    - kind: io.l5d.localhost
  # identifier:
  #   kind: io.l5d.header
  #   header: l5d-dst-client

namers:
- kind: io.l5d.marathon
  prefix: /io.l5d.marathon
  host: marathon.mesos
  port: 8080
  useHealthCheck: true
- kind: io.l5d.fs
  rootDir: ./fs

So in the fs namer I have two addresses of an AWS ALB transforming port 8000 to 3124. That’s the port of the external-ssl linkerd. The config is the same except for the fs-namer part. I’m dreaming that somehow service A would use linkerd as proxy to reach this AWS ALB, then linkerd-external-ssl on the other side, then again Linkerd-internal-ssl as proxy and of course service B. But it seems to break in the middle. Maybe because of the ALB, the delegation logic or a badly configured fs-namer. But I can’t find anything on the web that indicates that this is even possible.

Any ideas?
Merry Christmas
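One way to isolate the "delegation logic" suspect from the TLS and ALB questions is to walk the posted dtab offline and see which namer each /svc/<host> path binds to. The script below is an added example, not code from the post or from the Linkerd project: it reproduces Linkerd 1.x dtab delegation (last matching dentry wins, its prefix is replaced by the destination, repeat until the path is bound to a /#/ namer) and the io.buoyant.http.domainToPathPfx rewrite as I understand it (/$/io.buoyant.http.domainToPathPfx/pfx/a.b.c becomes /pfx/c/b/a). The <DOMAIN_NAME> and <DOMAIN_NAME_WILDCARD> placeholders are replaced by constructed values, so substitute the real entries before drawing conclusions.

```python
from typing import List, Tuple

# Constructed stand-ins: "/domain/mesos/marathon" for <DOMAIN_NAME> and
# "/domain/com/example/*" for <DOMAIN_NAME_WILDCARD>; the rest is the post's dtab.
DTAB: List[Tuple[str, str]] = [
    ("/%/io.l5d.localhost/#/io.l5d.marathon", "/#/io.l5d.marathon"),
    ("/domain/mesos/marathon", "/#/io.l5d.marathon"),
    ("/env/dev", "/#/io.l5d.fs"),
    ("/domain/com/example/*", "/env/dev/ssl-internal"),
    ("/host", "/$/io.buoyant.http.domainToPathPfx/domain"),
    ("/svc", "/host"),
]
# Rewriting namer (assumed behaviour): /$/<REWRITER>/pfx/a.b.c/... -> /pfx/c/b/a/...
REWRITER = "io.buoyant.http.domainToPathPfx"

def split(path: str) -> List[str]:
    return [e for e in path.split("/") if e]

def join(elems: List[str]) -> str:
    return "/" + "/".join(elems)

def prefix_matches(prefix: str, path: str) -> bool:
    """Element-wise prefix match; '*' in a dentry prefix matches any one element."""
    p, q = split(prefix), split(path)
    return len(p) <= len(q) and all(a == "*" or a == b for a, b in zip(p, q))

def delegate(path: str, dtab: List[Tuple[str, str]], max_steps: int = 16) -> List[str]:
    """Walk the dtab the way Linkerd 1.x does: the LAST matching dentry wins and its
    prefix is replaced by the destination, until the path is bound to a /#/ namer.
    Returns the trace of rewritten paths; raises LookupError on a negative binding."""
    trace = [path]
    for _ in range(max_steps):
        elems = split(path)
        if elems[:1] == ["#"]:                        # bound to a concrete namer
            return trace
        if elems[:2] == ["$", REWRITER]:              # elems: $, namer, pfx, host, rest
            pfx, host, rest = elems[2], elems[3], elems[4:]
            path = join([pfx, *reversed(host.split(".")), *rest])
        else:
            for prefix, dst in reversed(dtab):        # later dentries take priority
                if prefix_matches(prefix, path):
                    path = join(split(dst) + elems[len(split(prefix)):])
                    break
            else:
                raise LookupError("no dentry matches %s (trace: %s)" % (path, trace))
        trace.append(path)
    raise RuntimeError("delegation did not converge: %s" % trace)
```

Run `delegate("/svc/svc-b.example.com", DTAB)` to see the hop-by-hop trace ending in /#/io.l5d.fs/ssl-internal; a host that ends in a LookupError is one the outgoing router would fail to bind regardless of TLS or the ALB.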

Hi @jacobgo, merry Christmas!

It sounds like there are a few things going on here, so it will be easier to isolate the problem if you can break it into simpler parts.

Does it work without TLS? Does it work without the ALB in the middle? The more that you can isolate the problem, the easier it will be for us to help.