
Using self-signed certificate for webconsole



Hi Everyone,
I am running OKD 3.11, installed with Ansible. I just need to use a custom self-signed certificate for the web console, and for some reason, I am not sure how to make the nodes trust this certificate too.
I have changed the servingInfo section in /etc/origin/master/master-config.yaml as follows (with only the added lines in italics):

servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
  namedCertificates:
    - certFile: domain.cert
      keyFile: domain.key
      names:
        - "lb.domain.internal"
The certificate is generated and self-signed for *.domain.internal.

The problem is that the nodes now do not trust this certificate:
journalctl -fu origin-node
Apr 12 10:01:04 os-compute-2.domain.internal origin-node[3602]: E0412 10:01:04.292369    3602 reflector.go:136] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list *v1.Pod: Get https://lb.domain.internal:8443/api/v1/pods?fieldSelector=spec.nodeName%3Dos-compute-2.domain.internal&limit=500&resourceVersion=0: x509: certificate signed by unknown authority
Could anyone please advise me how to solve this?
I would avoid regenerating all the certificates using the playbooks; I would prefer doing it manually if possible.
Thank you very much!

Leo




--
Best regards, Leo David
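
The error in the origin-node log above comes from Go's crypto/x509 chain verification. The following is an added example, not part of the original post and not OKD code: it reproduces that check with constructed certificates, assuming the node trusts only the cluster CA (ca.crt) and that the master answers for lb.domain.internal with the self-signed namedCertificates entry. The function names and the CA name are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a constructed test certificate; parent == nil means self-signed.
func mkCert(name string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil {
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// nodeVerify mimics the node-side check: only the certificates passed in are trust anchors.
func nodeVerify(served *x509.Certificate, host string, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := served.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	ca, caKey := mkCert("constructed-cluster-ca", true, nil, nil)     // stands in for ca.crt
	internal, _ := mkCert("lb.domain.internal", false, ca, caKey)     // stands in for master.server.crt
	named, _ := mkCert("*.domain.internal", false, nil, nil)          // stands in for domain.cert
	fmt.Println("cluster-signed cert:", nodeVerify(internal, "lb.domain.internal", ca))
	fmt.Println("self-signed named cert:", nodeVerify(named, "lb.domain.internal", ca))
	fmt.Println("named cert also trusted:", nodeVerify(named, "lb.domain.internal", ca, named))
}
```

The second call fails with the same "x509: certificate signed by unknown authority" message as the log, even though the wildcard name matches; the first and third calls return nil.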
