
Re: Metrics : certificate is valid for [hostname] not hawkular-metrics



----- Original Message -----
> From: "Philippe Lafoucrière" <philippe lafoucriere tech-angels com>
> To: "users" <users lists openshift redhat com>
> Sent: Friday, January 8, 2016 9:38:47 AM
> Subject: Metrics : certificate is valid for [hostname] not hawkular-metrics
> 
> Hi,
> 
> I'm trying to install a certificate for hawkular metrics, following the doc:
> https://docs.openshift.org/latest/install_config/cluster_metrics.html
> 
> Everything works fine if I don't use a custom certificate (except hawkular is
> using a self signed certificate).
> 
> I have created the secret with :
> 
> oc secrets new metrics-deployer hawkular-metrics.pem=mycert.pem hawkular-metrics-ca.cert=ca.pem
> 
> But heapster doesn't start, with the error:
> 
> F0108 14:23:55.810841 1 heapster.go:67] Get
> https://hawkular-metrics:443/hawkular/metrics/metrics?type=gauge : x509:
> certificate is valid for [redacted], not hawkular-metrics
> 
> apparently, the hostname is invalid:
> 
> I0108 14:23:55.797628 1 driver.go:491] Initialised Hawkular Sink with
> parameters {_system
> https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace&caCert=/hawkular-cert/hawkular-metrics-ca.certificate&user=hawkular&pass=pXvJXlJF3DwuHks&filter=label(container_name
> :^/system.slice.*|^/user.slice) 0xc20817ac60 }
> 
> ( https://hawkular-metrics:443 )
> 
> Is there a bug, or am I doing something wrong?

Heapster communicates with the Hawkular Metrics instance using the internal 'hawkular-metrics' hostname from the OpenShift service name DNS resolution.

Currently there are two options:

- make sure your certificate is also valid for the 'hawkular-metrics' hostname

or 

- update the Heapster RC to point to the external hostname instead of the internal one.

oc edit rc heapster

And change the line 
--sink=hawkular:https://hawkular-metrics:443?tenant=_system&labelToTenant=pod_namespace...
to
--sink=hawkular:https://MY_CUSTOM_HOSTNAME?tenant=_system&labelToTenant=pod_namespace...


Note that having to do either of these is not ideal; we are working to fix this situation so that it will just work in the future without having to do any manual steps.

> 
> Thanks,
> Philippe
> 
> --
> Philippe Lafoucrière - CEO
> http://www.tech-angels.com
> https://gemnasium.com
> main : +33 (0) 970 444 643
> mobile CA: +1 (581) 986-7540
> mobile FR: +33 (0) 6 72 63 75 40
> 
> 
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> 

