Re: HTTPS certificate change



Hi Jim,

thanks for the reply. I have done some investigation into how it works and I have an idea.

We have a problem with the certification authority and we bought a new wildcard certificate.
I tried to change the certificate in the secured route but nothing happened. I dived into the router
pod and I found this row:

bind 127.0.0.1:10444 ssl no-sslv3 crt /etc/pki/tls/private/tls.crt crt /var/lib/haproxy/router/certs accept-proxy

In /etc/pki/tls/private/tls.crt is the wildcard certificate for the domain rohlik.cz, and in the directory /var/lib/haproxy/router/certs there
are three certificates. Two are the same as the default certificate and the last is the "new" certificate (a wildcard certificate too).
In the HAProxy documentation it is written that certificates are picked in alphabetical order:


If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends with
'.issuer' or '.ocsp' (reserved extensions). This directive may be specified
multiple times in order to load certificates from multiple files or
directories. The certificates will be presented to clients who provide a valid
TLS Server Name Indication field matching one of their CN or alt subjects.
Wildcards are supported, where a wildcard character '*' is used instead of the
first hostname component (eg: *.example.org matches www.example.org but not
www.sub.example.org).
When I delete the environment settings from
dc/router (the default certificate) and delete the other 2 certificates, everything starts working. Why? Because there is only one certificate which matches and
HAProxy picked the correct one.

In the OpenShift documentation there is no information on how to change the certificate. I can deploy a new router with a changed --default-certificate,
but how can I correctly delete the old router? I tried this:

oc delete dc/router svc/router rolebinding/router-router-role serviceaccounts/router secret/router-certs

deploymentconfig "router" deleted
service "router" deleted
serviceaccount "router" deleted
secret "router-certs" deleted
Error from server: rolebinding "router-router-role" not found

and creating it gives an error too:

oadm router --default-cert=cert.new.pem

info: password for stats user admin has been set to AaTk1rxtyh
--> Creating router router ...
    secret "router-certs" created
    serviceaccount "router" created
    error: rolebinding "router-router-role" already exists
    deploymentconfig "router" created
    service "router" created
--> Failed



How can I correctly delete the role binding and deploy the router correctly?

Thanks Mila

On 14 October 2016 at 10:13:28, Jim Minter (jminter redhat com) wrote:

Hi Mila,

There are a number of different HTTPS certificates in OpenShift. I'm
supposing you're talking about the one served by the haproxy for actual
end-user services hosted on OpenShift?

'Route' objects in OpenShift can specify their own TLS certs, overriding
the default specifically for the route in question. See [1] as a
starting point.

The default TLS cert presented by haproxy can be set using oadm router
--default-cert. There's a bit of information at [2] as a starting point.

It's also worth noting that some browsers don't react very well to the
TLS cert changing under their feet, and they don't always report what's
going on correctly until a restart. The following command can be useful
in seeing what's going on:

$ openssl s_client -connect <haproxy_ip>:443 -servername
<route_name_you're_testing> </dev/null | openssl x509 -noout -text

[1]
https://docs.openshift.org/latest/architecture/core_concepts/routes.html#secured-routes
[2]
https://docs.openshift.org/latest/install_config/router/default_haproxy_router.html#using-wildcard-certificates

Cheers,

Jim

--
Jim Minter
Principal Software Engineer, Red Hat UK

On 13/10/16 20:32, Miloslav Vlach wrote:
> Hi all,
>
> I would like to change the https certificate. I modified the routes and the
> certificate served is not changed. Does somebody know why? The certificates
> are correctly written to the router pod. I don't understand
>
> bind 127.0.0.1:10444 ssl no-sslv3 crt
> /etc/pki/tls/private/tls.crt crt /var/lib/haproxy/router/certs accept-proxy
>
>
> In the directory certs there are many PEM certificates. But the server
> returns the /etc/pki/tls/private/tls.crt
>
> I have a question:
>
> 1. how to correctly change the certificate for all routes
> 2. why didn't this solution work for the specific route
>
> Is there any way to deploy/update a new router (oadm router) without
> deleting them?
>
> Thanks Mila
>
>
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
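The following is a small model of the certificate-selection rule that Mila quotes from the HAProxy documentation and the behaviour he observed (the old certificate being served while the new one sits in the `crt` directory). It is added here as an illustration and is not HAProxy, OpenShift or router code; the scenario, filenames and hostnames are constructed. It assumes three things: files in a `crt` directory are loaded in alphabetical order, skipping the reserved `.issuer` and `.ocsp` extensions (from the quoted docs); a wildcard `*` stands in for exactly the first hostname label (from the quoted docs); and when several loaded certificates match the same SNI name, the first one loaded wins, which is the assumption that explains why `tls.crt`, loaded before the directory, was served. Certificates are modelled by their file path and subject names only.

```python
# Added model of HAProxy `crt` certificate selection (not HAProxy's own code).
# Assumptions, labelled as such:
#   1. `crt <dir>` loads files in alphabetical order, skipping .issuer/.ocsp.
#   2. '*' in a CN/SAN replaces exactly the first hostname label.
#   3. When several loaded certificates match an SNI name, the first one
#      loaded wins (consistent with the thread's observation; version
#      specific behaviour in real HAProxy may differ).
from typing import Dict, List, Optional, Tuple

DEFAULT_CERT_PATH = "/etc/pki/tls/private/tls.crt"  # path from the bind line
RESERVED_EXTENSIONS = (".issuer", ".ocsp")          # per the quoted docs

# A "certificate" here is just (path, [CN/SAN names]); a directory is a
# constructed mapping of filename -> names, standing in for PEM files.
Cert = Tuple[str, List[str]]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match an SNI hostname against one CN/SAN entry with the wildcard rule
    quoted above: '*.example.org' matches 'www.example.org' but neither
    'www.sub.example.org' nor the bare 'example.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.org"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # Exactly one non-empty label may stand in for '*'.
    return bool(first_label) and "." not in first_label


def load_directory(directory: Dict[str, List[str]]) -> List[Cert]:
    """Model `crt <directory>`: alphabetical order, reserved extensions skipped."""
    return [
        (fname, directory[fname])
        for fname in sorted(directory)
        if not fname.endswith(RESERVED_EXTENSIONS)
    ]


def load_order(default_cert: Optional[List[str]],
               directory: Dict[str, List[str]]) -> List[Cert]:
    """Load order for `crt tls.crt crt <directory>`: the file, then the directory."""
    loaded: List[Cert] = []
    if default_cert is not None:
        loaded.append((DEFAULT_CERT_PATH, default_cert))
    loaded.extend(load_directory(directory))
    return loaded


def select_cert(default_cert: Optional[List[str]],
                directory: Dict[str, List[str]],
                sni: str) -> Optional[str]:
    """Return the path of the certificate the model would present for `sni`."""
    loaded = load_order(default_cert, directory)
    for path, names in loaded:
        if any(name_matches(n, sni) for n in names):
            return path  # assumption 3: first loaded match wins
    # No SNI match (or no SNI at all): the first loaded certificate is the default.
    return loaded[0][0] if loaded else None


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: the old wildcard is the
    # default cert, and the directory holds two copies of it plus the new one.
    old_wildcard = ["*.example.org"]
    new_wildcard = ["*.example.org"]
    before = {
        "router-old-a.pem": old_wildcard,
        "router-old-b.pem": old_wildcard,
        "zz-new.pem": new_wildcard,
    }
    print(select_cert(old_wildcard, before, "www.example.org"))  # tls.crt is served
    # After removing the default-cert setting and the two old copies:
    after = {"zz-new.pem": new_wildcard}
    print(select_cert(None, after, "www.example.org"))  # zz-new.pem is served
```

Because all four certificates in the "before" scenario carry the same wildcard name, ordering alone decides which one is served, and the file named on the `bind` line is loaded before anything in the directory. The practical check remains the `openssl s_client ... -servername` command Jim gives: compare the serial or fingerprint of the certificate actually presented against the one you intended to deploy.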
