[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Trouble accessing docker image of openshift



The console is served on whatever you provide as "--public-master" to
the docker run command.

I don't think we've seen this particular one yet - we definitely
tightened our accepted ciphers list to pull the insecure ones out, but
please open an issue and we'll track it down.

On Tue, Feb 16, 2016 at 9:18 AM, Marc Boorshtein <mboorshtein gmail com> wrote:
> All,
>
> I tried downloading and setting up openshift on docker
> docker-engine-1.10.1-1 on centos7.  I used the following command to get up
> and running:
>
> docker run -d --name "origin"         --privileged --pid=host --net=bridge
> -p 8443:8443         -v /:/rootfs:ro -v /var/run:/var/run:rw -v /sys:/sys -v
> /var/lib/docker:/var/lib/docker:rw         -v
> /var/lib/origin/openshift.local.volumes:/var/lib/origin/openshift.local.volumes
> -h openshift.xxx.lan    openshift/origin start
>
> When I try to go to the console on 8443 I get redirected to a 172 address
> and firefox complains that the SSL connection is broken:
>
> Secure Connection Failed
>
> An error occurred during a connection to openshift.xxxx.lan:8443. security
> library: improperly formatted DER-encoded message. (Error code:
> sec_error_bad_der)
>
>     The page you are trying to view cannot be shown because the authenticity
> of the received data could not be verified.
>     Please contact the website owners to inform them of this problem.
>
> but when I check the connection I get the following:
> [root openshift ~]# openssl s_client -connect 'openshift.tremolo.lan:8443'
> CONNECTED(00000003)
> depth=1 CN = openshift-signer 1455630818
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/CN=127.0.0.1
>    i:/CN=openshift-signer 1455630818
>  1 s:/CN=openshift-signer 1455630818
>    i:/CN=openshift-signer 1455630818
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIID8TCCAtugAwIBAgIBBjALBgkqhkiG9w0BAQswJjEkMCIGA1UEAwwbb3BlbnNo
> aWZ0LXNpZ25lckAxNDU1NjMwODE4MB4XDTE2MDIxNjEzNTM0MloXDTE4MDIxNTEz
> NTM0M1owFDESMBAGA1UEAxMJMTI3LjAuMC4xMIIBIjANBgkqhkiG9w0BAQEFAAOC
> AQ8AMIIBCgKCAQEA8NVlc/xYxrdo6ucYHoCtKvAjTxyCfdsAPGBm/VHbFQ+qLEIn
> 6zk9eIKQ8kIHbm7xYFLFsvgBcmZwg6vf3NJoovaQREGqUo43Kuv2yk1NBVK5t3c9
> bA4fmNJFCjy31JsoSyYm/ndsVatF0y5K8YlFzgyFyMoOuWGuMTiAZAKqHW307/QM
> IHkmMBt6++tO04F2f9T2Z9h/V677iJ9QC7YiGF+KL9hM7F4S/dwQWiwPso4gMaQF
> QdvXv9OZoRQ6/0YY/UnLJFoF/hfLt4oODu0GSMK9BAuS/67aJilexcSDXXGeSuIh
> OgN79UAW70bbd+OR8AqxU3EjiE8P9LMb87EpwwIDAQABo4IBPjCCATowDgYDVR0P
> AQH/BAQDAgCgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwggED
> BgNVHREEgfswgfiCCmt1YmVybmV0ZXOCEmt1YmVybmV0ZXMuZGVmYXVsdIIWa3Vi
> ZXJuZXRlcy5kZWZhdWx0LnN2Y4Ika3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVz
> dGVyLmxvY2Fsgglsb2NhbGhvc3SCCW9wZW5zaGlmdIIRb3BlbnNoaWZ0LmRlZmF1
> bHSCFW9wZW5zaGlmdC5kZWZhdWx0LnN2Y4Ijb3BlbnNoaWZ0LmRlZmF1bHQuc3Zj
> LmNsdXN0ZXIubG9jYWyCCTEyNy4wLjAuMYIKMTcyLjE3LjAuMoIKMTcyLjMwLjAu
> MYcEfwAAAYcErBEAAocErB4AATALBgkqhkiG9w0BAQsDggEBAAgxc6TRaCcT5jBP
> Mj6K3CUkhN8S/3Us0gHIQ0ZYIvpzfi+HH9vUggS44E3I9OI2TN5pTZ0vDSbLMEva
> VfvlZHsi4qlA/72rP50Gw+GMooofc8FHo08AXM2Lf/jE8/w88F4kXLZqVvnsQ/N4
> bxSDg+0tydEAVoBopcvIyUj7QGFT7MT7icHe2ql6vnoXwZzeTLEKoNSk/NXlbLs8
> IDW9bAa941SBYoVwyXsL5e4y7xqI4fKMX/gbF2FjAIwxa9PfeZKZ4bFNKY0b4LAr
> Jl3NXbpbzmYlGqJwCBjY5JdOmXpjvkUv7ynYuV/ov65zz9RCfDp4CYDiZG80cgdj
> Z1EmREE=
> -----END CERTIFICATE-----
> subject=/CN=127.0.0.1
> issuer=/CN=openshift-signer 1455630818
> ---
> Acceptable client certificate CA names
> /CN=openshift-signer 1455630818
> Server Temp Key: ECDH, prime256v1, 256 bits
> ---
> SSL handshake has read 2414 bytes and written 385 bytes
> ---
> New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
>     Session-ID:
> 0F1D94EB43646490A6FAFE006BEC3149C48B8A11ACA71CD7B04FD6FA9EAFA0CC
>     Session-ID-ctx:
>     Master-Key:
> 3885305A1D2D8CCFB59A8C535ED0FD23388E774B6262EEF848A5E6B916C2471D1171A87A07AAF7D981916E2F57DDB8A1
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket:
>     0000 - f9 2d fc 2d 20 77 06 2a-eb 9d 85 e1 ea 9f 3a 82   .-.-
> w.*......:.
>     0010 - a1 c4 b2 10 89 ee 94 33-31 62 fe f4 44 3f e1 16
> .......31b..D?..
>     0020 - 4d af 2a 01 b6 f6 d2 62-b7 c2 a6 6c 75 d1 c3 a2
> M.*....b...lu...
>     0030 - 90 89 2f 22 eb 02 71 08-38 3b aa 7e ee 0f 39 ee
> ../"..q.8;.~..9.
>     0040 - 52 2e f2 1f 47 63 56 a8-65 79 01 7a ab 0d f7 de
> R...GcV.ey.z....
>     0050 - 13 b0 6c 49 58 23 46 dc-ec 00 9a 3c 95 3d 87 6c
> ..lIX#F....<.=.l
>     0060 - b2 da de d4 25 e6 94 87-                          ....%...
>
>     Start Time: 1455632113
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
>
> A couple of questions:
> 1.  Is there an environment variable I can set that lets me set the host
> name openshift console redirects to? (so i don't get redirected to an IP)
> 2.  Has anyone run into this issue with firefox?  Google seems to think its
> because firefox doesn't support the cipher.
>
> Any help would be greatly appreciated.
>
> Thanks
> Marc
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]