[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: web interface certificate ignored

Hi Harald,

I've been struggling with this issue for couple of months now.

We have OpenShift deployed on AWS, an elastic load-balancer of type NLB (network load balancer) is distributing the traffic over the three master nodes. We have a firewall doing man-in-the-middle decryption on the traffic going back and forth.

From the command line, curl works pretty much fine. But when using openssl client, it shows the internal openshift certificates. I tried the steps mentioned in this thread but none of them worked for me. We have another OpenShift 3.10 cluster that we didn't face this issue with.

The only conclusion I have is when you hit the masters at tcp layer 4, OpenShift responds with the default certificates. It's like the named_certificates section works at layer 7 and hitting lower than that, you get the default certificate.

On 4/1/19 3:13 AM, Harald Dunkel wrote:
Hi folks,

On 3/26/19 4:48 PM, Harald Dunkel wrote:

Problem is: I see all certificates in /etc/origin/master and
especially /etc/origin/master/named_certificates, but apparently
the web interface doesn't use it. openssl tells me:

% openssl s_client -connect okd01.example.com:8443
depth=1 CN = openshift-signer 1553169466
verify error:num=19:self signed certificate in certificate chain
Certificate chain
  0 s:/CN=
    i:/CN=openshift-signer 1553169466
  1 s:/CN=openshift-signer 1553169466
    i:/CN=openshift-signer 1553169466

This seems to come up only, if the web browser runs in the same subnet
as the web interface. If the browser runs in another subnet (e.g. on
my laptop connected via IPsec), then I see the expected certificate

Every helpful comment is highly appreciated

users mailing list
users lists openshift redhat com

Ahmed Ossama

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]