[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Changing the web interface's SSL certificate.

On Mon, Nov 23, 2015 at 8:59 AM, Brenton Leanhardt <bleanhar redhat com> wrote:
On Mon, Nov 23, 2015 at 8:09 AM, Gilbert Roulot
<gilbert roulot tech-angels com> wrote:
> Dear list,
> I tried changing the certificate on our openshift master last week. I went
> through /etc/origin/master/master-config.yaml and changed this:
> - master.server.cert and key to mydomain.com.cert and key
> - occurence of an URL with our.private.domain:8443 to mydomain.com:8443
> It went badly as after a restart the cluster simply didn't work. I reverted
> the master-config.yaml back to normal but it didn't fix it. Reinstalling the
> nodes from scratch with openshift-ansible thankfully fixed everything and we
> didn't lose any of our Kube or Openshift objects.
> My question then is, how would someone go about changing the certificate for
> the web interface ? I didn't find the doc addressing this, sorry if it does
> exist.
> I played with the idea of putting an apache on port 443 as a reverse proxy
> in front of Openshift, I'll go for that if there is no way to do what I
> want.

Hi Gilbert,

Please see the latest documentation pull request for this feature here:

It's already supported if you're running the Origin 1.1 code.  If you
have any problems feel free to leave comments on that github issue or
reply here.


To be clear, what is supported is adding a custom certificate to use for specific hostnames (typically the publicMasterURL, which faces the web console and CLI), while leaving the generated certificate in place to support internal hostnames and IPs.

If you're using ansible to install, you can specify your custom certs there as well. See https://github.com/openshift/openshift-ansible/blob/master/inventory/byo/hosts.example#L114-L126

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]