
Re: Using self-signed certificate for webconsole

I've managed to sort it out: once I replaced the masterPublicURL with the new DNS name, it worked.
Thank you!

On Fri, Apr 12, 2019, 17:17 Leo David <leoalex gmail com> wrote:
Thank you, Tomas. I will try to separate the URLs and create a new entry for the public name, and attach the custom certificate first. This would be the most desirable case.
Not sure how to do it at the moment though, still digging :)

On Fri, Apr 12, 2019, 17:09 Tomas Nozicka <tnozicka redhat com> wrote:

I haven't tried messing with that, but the reason is that the console is
served from the apiserver.

But depending on what you are trying to achieve, you can wrap the
console (and apiserver) with a Route and get free http certificates
from Let's Encrypt like this:


Sure, if your router fails, for recovery, the admin needs to use the
unwrapped apiserver endpoint, but an admin can easily set up that CA as
trusted or ssh into the machine.


On Fri, 2019-04-12 at 13:13 +0300, Leo David wrote:
> Hi Everyone,
> Running OKD 3.11, installed with ansible. I just need to use a
> custom self-signed certificate for the web console, and for some
> reason, I am not sure how to make the nodes trust this certificate
> too.
> I have changed the servingInfo section in /etc/origin/master/master-
> config.yaml as per the following (with italic only the added lines):
> servingInfo:
>   bindAddress:
>   bindNetwork: tcp4
>   certFile: master.server.crt
>   clientCA: ca.crt
>   keyFile: master.server.key
>   maxRequestsInFlight: 500
>   requestTimeoutSeconds: 3600
>   namedCertificates:
>     - certFile: domain.cert
>       keyFile: domain.key
>       names:
>         - "lb.domain.internal"
> The certificate is generated and self-signed for *.domain.internal.
> The problem is that now the nodes do not trust this certificate:
> journalctl -fu origin-node
> Apr 12 10:01:04 os-compute-2.domain.internal origin-node[3602]: E0412
> 10:01:04.292369    3602 reflector.go:136]
> k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list
> *v1.Pod: Get
> https://lb.domain.internal:8443/api/v1/pods?fieldSelector=spec.nodeName%3Dos-compute-2.domain.internal&limit=500&resourceVersion=0
> : x509: certificate signed by unknown authority
> Could anyone please advise me how to solve this?
> I would avoid regenerating all the certificates using the playbooks,
> I would rather prefer doing it manually if possible.
> Thank you very much!
> Leo
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
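The thread above boils down to which certificate the master serves for a given SNI name, and whether the clients that use that name trust its issuer. The following is an added example (not code from the thread or from OKD) that models the namedCertificates lookup the way Go's crypto/tls picks a certificate by SNI, and audits the kubelet URL from Leo's log against the original and a separated-name configuration. The servingInfo dicts, the issuer-per-certFile map, the node trust set and the public name console.domain.example are all constructed assumptions for this example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the servingInfo section Leo posted (original config).
SERVING_INFO = {
    "certFile": "master.server.crt", "keyFile": "master.server.key",
    "namedCertificates": [
        {"certFile": "domain.cert", "keyFile": "domain.key",
         "names": ["lb.domain.internal"]},
    ],
}
# Assumed separated-name setup: the self-signed cert only serves the public
# console name, while the load-balancer name keeps the cluster-CA cert.
FIXED_SERVING_INFO = {
    "certFile": "master.server.crt", "keyFile": "master.server.key",
    "namedCertificates": [
        {"certFile": "domain.cert", "keyFile": "domain.key",
         "names": ["console.domain.example"]},   # assumed public DNS name
    ],
}
# Which CA signed each certFile (assumed; this lives in the .crt files, not the YAML).
CERT_ISSUER = {"master.server.crt": "openshift-signer",   # cluster CA
               "domain.cert": "domain.cert"}              # self-signed
# CAs present in the node kubeconfig / CA bundle (assumed).
NODE_TRUSTED_CAS = {"openshift-signer"}

def sni_match(pattern, host):
    """SNI name match as in Go's crypto/tls: exact, or '*' for exactly one leading label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return False

def cert_for_host(serving_info, host):
    """Return the certFile the master presents to a client whose SNI is `host`."""
    for entry in serving_info.get("namedCertificates", []):
        if any(sni_match(name, host) for name in entry["names"]):
            return entry["certFile"]
    return serving_info["certFile"]          # default serving certificate

def audit_urls(serving_info, urls, trusted_cas, cert_issuer):
    """Map each client URL to (certFile served, issuer trusted by that client?)."""
    report = {}
    for url in urls:
        cert = cert_for_host(serving_info, urlsplit(url).hostname)
        report[url] = (cert, cert_issuer[cert] in trusted_cas)
    return report

if __name__ == "__main__":
    kubelet_url = "https://lb.domain.internal:8443/api/v1/pods"   # from the origin-node log
    print(audit_urls(SERVING_INFO, [kubelet_url], NODE_TRUSTED_CAS, CERT_ISSUER))
    print(audit_urls(FIXED_SERVING_INFO, [kubelet_url], NODE_TRUSTED_CAS, CERT_ISSUER))
```

With the original config the kubelet URL resolves to domain.cert, whose issuer is not in the node trust set, which is exactly the "certificate signed by unknown authority" failure; with the separated names the nodes get the cluster-CA certificate again and only browsers hitting the public name see the self-signed one.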
