
Re: OpenShift v3 now running in HTTPS mode by default





> On Jan 22, 2015, at 9:45 AM, Dan Mace <dmace redhat com> wrote:
> 
> ----- Original Message -----
>> From: "Jordan Liggitt" <jliggitt redhat com>
>> To: "Dan Mace" <dmace redhat com>, "Clayton Coleman" <ccoleman redhat com>
>> Cc: "[PUBLIC] Openshift Dev" <dev lists openshift redhat com>
>> Sent: Thursday, January 22, 2015 9:44:17 AM
>> Subject: Re: OpenShift v3 now running in HTTPS mode by default
>> 
>> Add "https://" to your curl request URLs?
> 
> 
> LOL. That was it. Thanks.

You're not alone - that was 15 minutes last night for me.

> 
> 
>>> On 01/22/2015 09:42 AM, Dan Mace wrote:
>>> I have yet to get the HTTPS enabled server working with either curl or
>>> httpie using our origin vagrant VM. Some example errors:
>>> 
>>> $ curl --cacert ./openshift.local.certificates/master/root.crt -X POST -d
>>> @hello-deployment.json localhost:8443/osapi/v1beta1/deploymentConfigs
>>> 
>>> 2015/01/22 09:39:33 http: TLS handshake error from [::1]:41917: tls:
>>> oversized record received with length 21536
>>> 
>>> $ http --verify=openshift.local.certificates/master/root.crt
>>> localhost:8443/osapi/v1beta1/deploymentConfigs < hello-deployment.json
>>> 
>>> 2015/01/22 09:39:38 http: TLS handshake error from [::1]:41918: tls:
>>> oversized record received with length 21536
>>> 
>>> $ openssl s_client -connect localhost:8443 -cipher RC4-SHA -tls1
>>> 
>>> CONNECTED(00000003)
>>> depth=1 CN = 10 0 2 15 1421878442
>>> verify error:num=19:self signed certificate in certificate chain
>>> verify return:0
>>> ---
>>> Certificate chain
>>> 0 s:/CN=10.0.2.15
>>>   i:/CN=10 0 2 15 1421878442
>>> 1 s:/CN=10 0 2 15 1421878442
>>>   i:/CN=10 0 2 15 1421878442
>>> ---
>>> -----BEGIN CERTIFICATE-----
>>> <snip>
>>> -----END CERTIFICATE-----
>>> subject=/CN=10.0.2.15
>>> issuer=/CN=10 0 2 15 1421878442
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 1812 bytes and written 389 bytes
>>> ---
>>> New, TLSv1/SSLv3, Cipher is RC4-SHA
>>> Server public key is 2048 bit
>>> Secure Renegotiation IS supported
>>> Compression: NONE
>>> Expansion: NONE
>>> SSL-Session:
>>>    Protocol  : TLSv1
>>>    Cipher    : RC4-SHA
>>>    Session-ID:
>>>    3AD45DE66C0987AAA84B7E1E9D653163389756474AED7307C81E5BBF82A704CF
>>>    Session-ID-ctx:
>>>    Master-Key:
>>>    46B924FE4FE33E7BC9F9E32D52BCD540610DE9624CC0011E7AEF1C49E256E9DF3CCBE67BF62BA015298949A0DF578F00
>>>    Key-Arg   : None
>>>    Krb5 Principal: None
>>>    PSK identity: None
>>>    PSK identity hint: None
>>>    TLS session ticket:
>>> 
>>> <snip>
>>> Start Time: 1421937519
>>>    Timeout   : 7200 (sec)
>>>    Verify return code: 19 (self signed certificate in certificate chain)
>>> 
>>> 
>>> Any clue what I'm doing wrong?
>>> 
>>> 
>>> ----- Original Message -----
>>>> From: "Clayton Coleman" <ccoleman redhat com>
>>>> To: "Jordan Liggitt" <jliggitt redhat com>
>>>> Cc: "[PUBLIC] Openshift Dev" <dev lists openshift redhat com>
>>>> Sent: Thursday, January 22, 2015 9:31:53 AM
>>>> Subject: Re: OpenShift v3 now running in HTTPS mode by default
>>>> 
>>>> We should probably default the protocol on master to listen. The original
>>>> goal was for people not to specify master - instead, to give just enough
>>>> info to make the right decisions. I've noticed people starting to hardcode
>>>> those, but we should make the function more intuitive.
>>>> 
>>>> --listen=http://0.0.0.0:8080 should be all most people need
>>>> 
>>>> 
>>>> On Jan 22, 2015, at 9:26 AM, Jordan Liggitt < jliggitt redhat com > wrote:
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 01/21/2015 01:52 PM, Jordan Liggitt wrote:
>>>> 
>>>> 
>>>> How do I go back to HTTP?
>>>> Why would you even ask that? You're making the EFF cry :-(
>>>> 
>>>> If you really need to, you can do the following to get the old default
>>>> behaviour back:
>>>> 
>>>> openshift start: pass "--master=http://:8080"
>>>> osc: pass "--server=http://localhost:8080"
>>>> 
>>>> 
>>>> Follow-up: To run in http, you'll also need to pass
>>>> "--listen=http://0.0.0.0:8080" to openshift start
>>>> 
>>>> --master controls what address things should contact the API server on,
>>>> and defaults to https://<detected IP>:8443
>>>> 
>>>> --listen controls what the API server actually binds to on startup, and
>>>> defaults to https://0.0.0.0:8443
>>>> 
>>>> 
>>>> If you change the scheme or port using --master, you also need to specify
>>>> --listen to match. So to get back to a completely unsecured state:
>>>> 
>>>> openshift start --master=http://:8080 --listen=http://0.0.0.0:8080
>>>> 
>>>> osc --server=http://localhost:8080
>>>> 
>>>> 
>>>> 
>>>> _______________________________________________
>>>> dev mailing list
>>>> dev lists openshift redhat com
>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>>>> 
>> 
>> 
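
Why the server logged length 21536, as an added example (not code from this thread or from OpenShift): a TLS listener reads the first five bytes of a connection as a record header (type, version, 16-bit length), so the plaintext "POST " that curl sends when the URL has no "https://" is read as type 0x50, version 0x4F53 and length 0x5420 = 21536. The function names and the method list are assumptions made for this illustration.

```python
import re
import struct

# Message format copied from the server output quoted in the thread.
OVERSIZED = re.compile(r"tls: oversized record received with length (\d+)")
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS")


def record_header(first_bytes):
    """Read 5 bytes as a TLS record header: type(1), version(2), length(2)."""
    ctype, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return ctype, (major, minor), length


def methods_for_length(length):
    """HTTP methods whose request line, misread as a record, give this length."""
    return [m for m in HTTP_METHODS
            if record_header((m + " /").encode("ascii"))[2] == length]


def diagnose(log_line):
    """Explain an 'oversized record' log line, or return None if unrelated."""
    match = OVERSIZED.search(log_line)
    if not match:
        return None
    length = int(match.group(1))
    if length > 0xFFFF:  # cannot come from a 16-bit length field
        return None
    raw = struct.pack("!H", length)
    return {
        "length": length,
        "length_bytes_as_ascii": raw.decode("ascii", errors="replace"),
        "likely_plain_http_methods": methods_for_length(length),
    }


# Log line quoted from the thread above.
SAMPLE_LOG = ("2015/01/22 09:39:33 http: TLS handshake error from [::1]:41917: "
              "tls: oversized record received with length 21536")

if __name__ == "__main__":
    # Start of the request that curl -X POST sends when no scheme is given.
    print(record_header(b"POST /osapi/v1beta1/deploymentConfigs HTTP/1.1\r\n"))
    print(diagnose(SAMPLE_LOG))
```

Several methods can map to one length (GET and PUT both yield 8239), so the result is a list of candidates rather than a single answer.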

