
I keep getting this error when I try to access a service running in my microk8s cluster with this curl command: curl -lkv --cert cert.pem --key key.pem https://$LB_ENDPOINT/backend/

I am running this on MicroK8s on Ubuntu 20.04. Helm3, MetalLB, and CoreDNS have all been enabled as addons.

The error:

* TCP_NODELAY set
* Connected to 10.64.140.43 (10.64.140.43) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
Enter PEM pass phrase:
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Below are my configurations:

  • Host:
apiVersion: getambassador.io/v3alpha1
kind: Host
metadata:
  annotations:
  name: host
  namespace: emissary
spec:
  hostname: "*"
  acmeProvider:
    authority: none
  tlsContext:
    name: tls-context
  tlsSecret:
    name: tls-cert
  selector:
    matchLabels:
      examplehost: "*"
  • Listener:
apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: https-listener
  namespace: emissary
spec:
  port: 8443
  protocol: HTTPS
  securityModel: XFP
  hostBinding:
    namespace:
      from: SELF
  • Mapping:
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
  name: quote-backend
  namespace: emissary
spec:
  hostname: "*"
  prefix: /backend/
  service: quote
  tls: tls-context
  • TLS Context:
apiVersion: getambassador.io/v3alpha1
kind: TLSContext
metadata:
  name: tls-context
  namespace: emissary
spec:
  hosts: [ "*", host ]
  secret: tls-cert
  alpn_protocols: h2
  ca_secret: client-cacert
  cert_required: true
  • Service and deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: quote
  namespace: emissary
spec:
  replicas: 1
  selector:
    matchLabels:
      app: quote
  strategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: quote
    spec:
      containers:
      - name: backend
        image: docker.io/datawire/quote:0.5.0
        ports:
        - name: http
          containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: quote
  namespace: emissary
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: quote

Your contribution would be much appreciated. Thanks.
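
Added example, not part of the original question: OpenSSL raises `wrong version number` when the first bytes it reads back do not parse as a TLS record header, and a common cause is a plaintext HTTP listener answering on the port. The Python below reads the first five bytes of a reply and classifies them as a TLS record parser would; the names `classify_record_header` and `probe` and the sample byte strings are constructed for illustration.

```python
import socket
import struct

# TLS record content types (RFC 8446, section 5.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def classify_record_header(data: bytes) -> str:
    """Interpret the first bytes of a server reply as a TLS client would."""
    if not data:
        return "no-data"            # peer closed or stayed silent
    if data[:5] == b"HTTP/":
        return "plaintext-http"     # 'T','T' land where the version bytes belong
    if len(data) < 5:
        return "not-tls"
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    # Record-layer versions run from 0x0300 (SSL 3.0) to 0x0304.
    if ctype in CONTENT_TYPES and major == 3 and minor <= 4:
        return "tls-" + CONTENT_TYPES[ctype]
    return "not-tls"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a plaintext HTTP request and classify the start of the reply."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: probe\r\n\r\n")
        try:
            while len(buf) < 5:
                chunk = sock.recv(5 - len(buf))
                if not chunk:
                    break
                buf += chunk
        except (socket.timeout, ConnectionResetError):
            pass                    # classify whatever arrived before the error
    return classify_record_header(buf)

# Constructed sample replies (not captured from the cluster in the question).
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n"
SAMPLE_TLS_ALERT = bytes([21, 3, 3, 0, 2, 2, 70])   # fatal alert record
SAMPLE_SERVER_HELLO = bytes([22, 3, 3, 0, 122])     # handshake record header

if __name__ == "__main__":
    for name, sample in [("http", SAMPLE_HTTP), ("alert", SAMPLE_TLS_ALERT),
                         ("hello", SAMPLE_SERVER_HELLO)]:
        print(name, classify_record_header(sample))
```

Running `probe` against the load balancer address and port from the curl trace shows whether that port answers in plaintext (`plaintext-http`) or with TLS records (`tls-alert`, or `no-data` if it just closes the connection).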
