
Re: Using self-signed certificate for webconsole



Hi,

I haven't tried messing with that but the reason is that console is
served from apiserver.

But depending on what you are trying to achieve, you can wrap the
console (and apiserver) with a Route and get free http certificates
from Let's Encrypt like this:

https://github.com/tnozicka/openshift-acme/issues/67#issuecomment-475314223
https://github.com/tnozicka/openshift-acme#screencast

Sure, if your router fails, for recovery, admin needs to use the
unwrapped apiserver endpoint but an admin can easily set up that CA as
trusted or ssh into the machine.

Regards,
Tomas


On Fri, 2019-04-12 at 13:13 +0300, Leo David wrote:
> Hi Everyone,
> Running OKD 3.11, installed with Ansible. I just need to use a
> custom self-signed certificate for the web console, and for some
> reason, I am not sure how to make the nodes trust this certificate
> too.
> I have changed the servingInfo section in
> /etc/origin/master/master-config.yaml as per the following (with
> italic only the added lines):
> 
> servingInfo:
>   bindAddress: 0.0.0.0:8443
>   bindNetwork: tcp4
>   certFile: master.server.crt
>   clientCA: ca.crt
>   keyFile: master.server.key
>   maxRequestsInFlight: 500
>   requestTimeoutSeconds: 3600
>   namedCertificates:
>     - certFile: domain.cert
>       keyFile: domain.key
>       names:
>         - "lb.domain.internal"
> The certificate is generated and self-signed for *.domain.internal.
> 
> The problem is, that now the nodes do not trust this certificate:
> journalctl -fu origin-node
> Apr 12 10:01:04 os-compute-2.domain.internal origin-node[3602]: E0412
> 10:01:04.292369    3602 reflector.go:136]
> k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list
> *v1.Pod: Get https://lb.domain.internal:8443/api/v1/pods?fieldSelector=spec.nodeName%3Dos-compute-2.domain.internal&limit=500&resourceVersion=0: x509: certificate signed by unknown authority
> Could anyone please advise me how to solve this?
> I would avoid regenerating all the certificates using the playbooks;
> I would rather do it manually if possible.
> Thank you very much!
> 
> Leo
> 
> 
> 
> 
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
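The "x509: certificate signed by unknown authority" line in the quoted journal output is a chain-validation failure: the kubelet only trusts the cluster CA, and a certificate that is self-signed for lb.domain.internal does not chain to it, regardless of how the hostname matches. The script below, an added example that is not part of either message, reproduces the same check offline with OpenSSL. It builds a throwaway CA (standing in for the cluster CA), one certificate for lb.domain.internal signed by that CA, and one self-signed certificate for the same name, then verifies each against the CA and against itself. All file names, the CA subject, and the temp directory are constructed for the example.

```shell
#!/bin/sh
# Added example: builds a tiny test CA and two certificates for lb.domain.internal
# in a temp directory and verifies them the way a client (such as the kubelet)
# would. Everything here is constructed; none of the files map to a real cluster.
set -u

WORK="$(mktemp -d)"
cd "$WORK" || exit 1

# 1. A private CA, playing the role of the cluster CA the nodes already trust.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=Example Cluster CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# 2. A certificate for the load-balancer name, signed by that CA. The SAN matters:
#    Go's TLS verifier (what origin-node uses) matches names against SAN, not CN.
printf 'subjectAltName=DNS:lb.domain.internal\n' > san.ext
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=lb.domain.internal" -keyout domain.key -out domain.csr >/dev/null 2>&1
openssl x509 -req -in domain.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 1 -sha256 -extfile san.ext -out domain.cert >/dev/null 2>&1

# 3. A self-signed certificate for the same name, i.e. what the poster installed
#    under namedCertificates.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj "/CN=lb.domain.internal" -keyout self.key -out self.cert >/dev/null 2>&1

# verify_chain CERT CAFILE -> prints "trusted" if CERT chains to CAFILE, else "untrusted".
# An "untrusted" result here is what Go reports as "certificate signed by unknown authority".
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# verify_name CERT CAFILE HOSTNAME -> "trusted" only if the chain AND the hostname match.
verify_name() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# issuer_of CERT -> the issuer DN; compare it with the CA the nodes actually trust.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

echo "CA-signed cert against cluster CA:   $(verify_chain domain.cert ca.crt)"
echo "self-signed cert against cluster CA: $(verify_chain self.cert ca.crt)"
echo "self-signed cert against itself:     $(verify_chain self.cert self.cert)"
echo "hostname check, CA-signed:           $(verify_name domain.cert ca.crt lb.domain.internal)"
echo "hostname check, wrong name:          $(verify_name domain.cert ca.crt other.domain.internal)"
echo "issuer of the self-signed cert:      $(issuer_of self.cert)"
```

The third line of output is the point of Tomas's remark about setting the CA as trusted: a self-signed certificate validates only when that same certificate (or the CA that issued it) is in the client's trust store. The two fixes that follow from this are either to issue the lb.domain.internal certificate from the CA the nodes already trust, or to add the new issuer to each node's trust store, which is what the ssh-to-the-machine recovery path amounts to.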

