I've developed a gRPC service that is deployed on a Kubernetes cluster, and I'm using grpc-web from nodejs clients to connect to it. This means I need a proxy in front of the service. Everything works perfectly with this envoy configuration without SSL, but now I need to secure the connections to get it ready for production.

Here are the steps I've gone through

1) Generated the keys, entering my domain simulation.terrarium.ai when asked using this tutorial

2) Edit the Dockerfile to add the keys

FROM envoyproxy/envoy:latest

COPY envoy-proxy-tls.yaml /etc/envoy.yaml

EXPOSE 9091

ADD ./certs/simulation.terrarium.ai.crt /etc/simulation.terrarium.ai.crt
ADD ./certs/simulation.terrarium.ai.key /etc/simulation.terrarium.ai.key
ADD ./certs/rootCA.crt /etc/rootCA.crt

WORKDIR /etc/envoy
CMD /usr/local/bin/envoy -c /etc/envoy.yaml

3) Updated the envoy config to use tls on the port

It's much easier to read this config file with highlighting so here is a gist of it.

What's Happening
I make calls to my service like this

var simService = new SimulationServiceClient(ServerAddress, null, null);

var request = new CreateSpectatorRequest();
request.setApi(API_VERSION);
request.setId(this.clientId);
var metadata = {};
var stream = simService.createSpectator(request, metadata);
stream.on("data", this.onData);
stream.on("status", this.onStatus);
stream.on("end", this.onEnd);

At this point I have my grpc service and the envoy proxy running in a kubernetes cluster, the same way I did before adding TLS. When I try to connect from my browser I get this error:

https://simulation.terrarium.ai:9091/v1.SimulationService/SubscribeSpectatorToRegion net::ERR_CERT_AUTHORITY_INVALID

I'm having a really hard time debugging this as I'm not sure exactly where the error could be occurring. Any help would be appreciated!