
Re: HTTPS certificate change

Hi Mila,


oc delete clusterrolebinding/router-router-role

instead of

oc delete rolebinding/router-router-role



Jim Minter
Principal Software Engineer, Red Hat UK

On 14/10/16 09:27, Miloslav Vlach wrote:
Hi Jim,

thanks for the reply. I have done some investigation into how it works and I
have an idea.

We have a problem with our certification authority and we bought a new
wildcard certificate.
I tried to change the certificate in the secured route but nothing
happened. I dived into the router
pod and I found this row

bind <> <>
ssl no-sslv3 crt /etc/pki/tls/private/tls.crt crt
/var/lib/haproxy/router/certs accept-proxy

In /etc/pki/tls/private/tls.crt is the wildcard certificate for the
domain rohlik.cz and in the directory
/var/lib/haproxy/router/certs there
are three certificates. Two are the same as the default certificate and
the last is the “new” certificate (a wildcard certificate too).
In the HAproxy documentation it is written that certificates are picked in
alphabetical order.

If a directory name is used instead of a PEM file, then all files found in
that directory will be loaded in alphabetic order unless their name ends with
'.issuer' or '.ocsp' (reserved extensions). This directive may be specified
multiple times in order to load certificates from multiple files or
directories. The certificates will be presented to clients who provide a valid
TLS Server Name Indication field matching one of their CN or alt subjects.
Wildcards are supported, where a wildcard character '*' is used instead of the
first hostname component (eg: *.example.org matches www.example.org but not
www.sub.example.org).

When I delete the environment settings from the
dc/router (the default certificate) and delete the other 2 certificates,
everything starts working. Why? Because there is only one certificate which
matches and
HAproxy picked the correct one.

In the OpenShift documentation there is no information on how to change the
certificate. I can deploy a new router with a changed --default-certificate,
but how can I correctly delete the old router? I tried this

oc delete dc/router svc/router  rolebinding/router-router-role
serviceaccounts/router secret/router-certs

deploymentconfig "router" deleted

service "router" deleted

serviceaccount "router" deleted

secret "router-certs" deleted

Error from server: rolebinding "router-router-role" not found

and creating it is erroneous too

oadm router --default-cert=cert.new.pem

info: password for stats user admin has been set to AaTk1rxtyh

--> Creating router router ...

    secret "router-certs" created

    serviceaccount "router" created

    error: rolebinding "router-router-role" already exists

    deploymentconfig "router" created

    service "router" created

--> Failed

How can I correctly delete the role binding and deploy the router correctly?

Thanks Mila
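The behaviour Mila describes above (the "new" certificate being ignored until the two copies of the default certificate are removed from the certs directory) follows from the quoted HAproxy rule: files load in alphabetical order, and for a given SNI name the first loaded certificate that claims it wins. The following is an added example, not code from this thread, OpenShift or HAproxy; it simulates that selection over a constructed inventory instead of parsing real PEM files, and assumes (as the quoted documentation states) that a wildcard replaces only the first hostname component and that an exact CN/SAN match is preferred over a wildcard match.

```python
"""Simulate HAproxy certificate selection from a `crt` directory.

Added example for illustration only. Assumptions: certificates are
represented as (filename, [CN/SAN names]) pairs rather than parsed PEM
files; files load in alphabetical order; the first file to claim a name
keeps it; '*' replaces exactly one leading hostname label.
"""

# Constructed stand-in for /var/lib/haproxy/router/certs (names are made up).
CERT_DIR = [
    ("zz-new-wildcard.pem", ["*.shop.example"]),                 # the "new" cert
    ("default-copy-1.pem", ["*.shop.example", "shop.example"]),  # same as default
    ("default-copy-2.pem", ["*.shop.example", "shop.example"]),  # same as default
]


def load_in_alphabetic_order(cert_dir):
    """Build a name -> filename table; the first file loaded for a name wins."""
    table = {}
    for filename, names in sorted(cert_dir):
        for name in names:
            table.setdefault(name.lower(), filename)
    return table


def wildcard_candidate(hostname):
    """'www.shop.example' -> '*.shop.example'; a single label has no wildcard form."""
    labels = hostname.lower().split(".")
    if len(labels) < 2:
        return None
    return "*." + ".".join(labels[1:])


def select_cert(table, sni):
    """Exact CN/SAN match first, then a one-label wildcard; None if nothing matches."""
    exact = sni.lower()
    if exact in table:
        return table[exact]
    wildcard = wildcard_candidate(sni)
    if wildcard is not None and wildcard in table:
        return table[wildcard]
    return None


def shadowed_files(cert_dir):
    """Files that never win any name because an earlier file claimed every name they carry."""
    table = load_in_alphabetic_order(cert_dir)
    winners = set(table.values())
    return [filename for filename, _ in sorted(cert_dir) if filename not in winners]


if __name__ == "__main__":
    table = load_in_alphabetic_order(CERT_DIR)
    print("www.shop.example ->", select_cert(table, "www.shop.example"))
    print("www.sub.shop.example ->", select_cert(table, "www.sub.shop.example"))
    print("shadowed:", shadowed_files(CERT_DIR))
    # With the default copies gone, the new wildcard is the only candidate.
    only_new = load_in_alphabetic_order(CERT_DIR[:1])
    print("after cleanup ->", select_cert(only_new, "www.shop.example"))
```

Running it shows the new wildcard file listed as shadowed while the default copies are present, the two-level name `www.sub.shop.example` matching nothing at all (the documented wildcard limitation), and the new certificate being served only once the duplicates are removed, which is exactly the cleanup Mila found necessary.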

On 14 October 2016 at 10:13:28, Jim Minter (jminter redhat com
<mailto:jminter redhat com>) wrote:

Hi Mila,

There are a number of different HTTPS certificates in OpenShift. I'm
supposing you're talking about the one served by the haproxy for actual
end-user services hosted on OpenShift?

'Route' objects in OpenShift can specify their own TLS certs, overriding
the default specifically for the route in question. See [1] as a
starting point.

The default TLS cert presented by haproxy can be set using oadm router
--default-cert. There's a bit of information at [2] as a starting point.

It's also worth noting that some browsers don't react very well to the
TLS cert changing under their feet, and they don't always report what's
going on correctly until a restart. The following command can be useful
in seeing what's going on:

$ openssl s_client -connect <haproxy_ip>:443 -servername
<route_name_you're_testing> </dev/null | openssl x509 -noout -text





Jim Minter
Principal Software Engineer, Red Hat UK
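Jim's `openssl s_client ... -servername` check answers the question "which certificate does haproxy actually present for this SNI name?". The following is an added example, not code from this thread or from OpenShift, that performs the same check from Python and compares the served leaf certificate's SHA-256 fingerprint against the PEM file you deployed. It assumes the endpoint speaks TLS on the given port and honours SNI, that the first CERTIFICATE block in the PEM is the leaf, and it deliberately disables chain and hostname verification because the goal is to observe what is served, not to validate it.

```python
"""Compare the certificate a TLS endpoint serves for an SNI name with a local PEM.

Added example for illustration only; not part of OpenShift or the thread.
Assumptions: the endpoint honours SNI; the PEM's first CERTIFICATE block is
the leaf; verification is switched off on purpose so a wrong or expired
certificate is still reported rather than causing a handshake failure.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_leaf_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der):
    """Colon-separated upper-case digest, same form as `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_cert_der(host, port, sni, timeout=5.0):
    """Open a TLS connection sending `sni` in the ClientHello; return the leaf DER."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # observe the served cert even when it is the wrong one
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def served_matches_file(host, port, sni, pem_path):
    """Return (matches, expected_fingerprint, served_fingerprint)."""
    with open(pem_path, encoding="ascii") as fh:
        expected = sha256_fingerprint(pem_leaf_to_der(fh.read()))
    served = sha256_fingerprint(served_cert_der(host, port, sni))
    return served == expected, expected, served


if __name__ == "__main__":
    # Usage: python check_served_cert.py <haproxy_ip> 443 <route_hostname> cert.new.pem
    host, port, sni, pem = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    ok, expected, served = served_matches_file(host, port, sni, pem)
    print("expected:", expected)
    print("served:  ", served)
    print("MATCH" if ok else "MISMATCH: haproxy is presenting a different certificate")
    sys.exit(0 if ok else 1)
```

Because the check is keyed on the exact SNI name, running it once with the route hostname and once with an unrelated name makes it obvious whether the router is selecting a per-route certificate or falling back to its default, independent of any browser caching of the old certificate.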

On 13/10/16 20:32, Miloslav Vlach wrote:
> Hi all,
> I would like to change the https certificate. I modified the routes and the
> certificate served is not changed. Does somebody know why? The certificates
> are correctly written to the router pod. I don’t understand
>   bind <> <> ssl no-sslv3 crt
> /etc/pki/tls/private/tls.crt crt /var/lib/haproxy/router/certs accept-proxy
> In the directory certs there are many PEM certificates. But the server
> returns the /etc/pki/tls/private/tls.crt
> I have questions:
> 1. how to correctly change the certificate for all routes
> 2. why doesn’t this solution work for the specific route
> Is there any way to deploy/update a new router (oadm router) without
> deleting them?
> Thanks Mila