Re: HTTPS certificate change

There are a number of different HTTPS certificates in OpenShift. I'm supposing you're talking about the one served by the haproxy for actual end-user services hosted on OpenShift?

'Route' objects in OpenShift can specify their own TLS certs, overriding the default specifically for the route in question. See [1] as a starting point.

The default TLS cert presented by haproxy can be set using oadm router --default-cert. There's a bit of information at [2] as a starting point.

It's also worth noting that some browsers don't react very well to the TLS cert changing under their feet, and they don't always report what's going on correctly until a restart. The following command can be useful in seeing what's going on:

$ openssl s_client -connect <haproxy_ip>:443 -servername <route_name_you're_testing> </dev/null | openssl x509 -noout -text

[1] https://docs.openshift.org/latest/architecture/core_concepts/routes.html#secured-routes
[2] https://docs.openshift.org/latest/install_config/router/default_haproxy_router.html#using-wildcard-certificates



Jim Minter
Principal Software Engineer, Red Hat UK

On 13/10/16 20:32, Miloslav Vlach wrote:
I would like to change the HTTPS certificate. I modified the routes and the
certificate served is not changed. Does anybody know why? The certificates
are correctly written to the router pod. I don’t understand

  bind <> ssl no-sslv3 crt /etc/pki/tls/private/tls.crt crt /var/lib/haproxy/router/certs accept-proxy

In the certs directory there are many PEM certificates, but the server
returns /etc/pki/tls/private/tls.crt.

I have questions:

1. How do I correctly change the certificate for all routes?
2. Why didn’t this solution work for the specific route?

Is there any way to deploy/update a new router (oadm router) without
deleting it?
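
The openssl check suggested in the reply, extended into a fingerprint comparison that shows whether a route hostname gets its own certificate or the router's default (an added example, not part of the original thread). It assumes OpenSSL 1.1.1 or newer and that the certificate served without SNI is the default one; the function names and the arguments passed to `check_route` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ (for -noservername)
# and that the cert served without SNI is the router's default cert.

# SHA-256 fingerprint of the first certificate found in PEM/s_client output on stdin.
pem_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Fingerprint of the cert served at $1 (ip:port). $2 is the SNI name; empty means no SNI.
served_fingerprint() {
  local target="$1" sni="${2:-}"
  if [ -n "$sni" ]; then
    openssl s_client -connect "$target" -servername "$sni" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$target" -noservername </dev/null 2>/dev/null
  fi | pem_fingerprint
}

# Classify the served cert. $1 = served, $2 = route's expected, $3 = default fingerprint.
classify() {
  local served="$1" route="$2" default="$3"
  if [ -z "$served" ]; then echo "no-cert"
  elif [ "$served" = "$route" ]; then echo "route-cert"
  elif [ "$served" = "$default" ]; then echo "default-cert"
  else echo "unknown-cert"
  fi
}

# Usage: check_route <haproxy_ip:443> <route_hostname> <route_cert.pem>
check_route() {
  local target="$1" host="$2" pem="$3" route_fp default_fp served_fp
  route_fp=$(pem_fingerprint <"$pem")
  default_fp=$(served_fingerprint "$target" "")
  served_fp=$(served_fingerprint "$target" "$host")
  echo "$host: $(classify "$served_fp" "$route_fp" "$default_fp") sha256=$served_fp"
}
```

A `default-cert` result for a hostname whose route carries its own certificate means the router did not select that certificate for the requested name and fell back to its default.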

