
web interface certificate ignored



Hi folks,

I am running okd 3.11 on Centos 7.6. The inventory file registers
2 certificate chains (based upon a common, private CA), as described on
https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html

:
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/work/okd01/ssl/okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "names": ["okd01.example.com"], "cafile": "/work/okd01/ssl/ca.cert.pem" }]
openshift_hosted_router_certificate={"certfile": "/work/okd01/ssl/star.okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "cafile": "/work/okd01/ssl/ca.cert.pem" }
:

Problem is: I see all certificates in /etc/origin/master and
especially /etc/origin/master/named_certificates, but apparently
the web interface doesn't use them. openssl tells me:

% openssl s_client -connect okd01.example.com:8443
depth=1 CN = openshift-signer 1553169466
verify error:num=19:self signed certificate in certificate chain
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=172.19.96.96
   i:/CN=openshift-signer 1553169466
 1 s:/CN=openshift-signer 1553169466
   i:/CN=openshift-signer 1553169466
---
:
:

Please note the self-signed certificates. For the cluster console
I see the expected certificates instead:

% openssl s_client -connect console.okd01.example.com:443
depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN = root-CA
verify return:1
depth=1 C = DE, O = example AG, OU = example Certificate Authority, CN = tls-CA
verify return:1
depth=0 C = DE, O = example AG, CN = *.okd01.example.com
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=example AG/CN=*.okd01.example.com
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
 1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
 2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
---
Server certificate
:
:

How come my named certificates have been lost/ignored? Are there
additional steps required that I was too blind to see?


Every helpful comment is highly appreciated.
Harri
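As an added example (not part of Harri's post, and not OKD tooling), here is a small Python check that parses the `openssl s_client` chain output in the slash-separated format shown above and flags an endpoint that still serves the cluster's internal openshift-signer certificate instead of the named certificate; the hostname and expected issuer CN passed to the check are assumptions chosen to match the post.

```python
import re

# Constructed samples: the chain sections of the two s_client transcripts above.
API_OUTPUT = """Certificate chain
 0 s:/CN=172.19.96.96
   i:/CN=openshift-signer 1553169466
 1 s:/CN=openshift-signer 1553169466
   i:/CN=openshift-signer 1553169466
---"""
CONSOLE_OUTPUT = """Certificate chain
 0 s:/C=DE/O=example AG/CN=*.okd01.example.com
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
 1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
---"""

def parse_chain(output):
    """Return [(subject_dn, issuer_dn), ...] in depth order from s_client output."""
    if "Certificate chain" not in output:
        return []
    section = output.split("Certificate chain", 1)[1].split("---", 1)[0]
    subjects = re.findall(r"^\s*\d+\s+s:(.*)$", section, re.M)  # " 0 s:/CN=..."
    issuers = re.findall(r"^\s+i:(.*)$", section, re.M)          # "   i:/CN=..."
    return list(zip(subjects, issuers))

def cn_of(dn):
    """CN attribute of a slash-separated DN such as /C=DE/CN=foo ('' if absent)."""
    return next((p[3:] for p in dn.split("/") if p.startswith("CN=")), "")

def name_matches(cn, hostname):
    """Exact CN match, or a single-label wildcard such as *.okd01.example.com."""
    if cn.startswith("*."):
        return hostname.endswith(cn[1:]) and hostname.count(".") == cn.count(".")
    return cn == hostname

def check_named_cert(output, hostname, expected_issuer_cn):
    """Findings for the served leaf; an empty list means the named cert is in use."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain found in output"]
    subject_cn, issuer_cn = cn_of(chain[0][0]), cn_of(chain[0][1])
    findings = []
    if not name_matches(subject_cn, hostname):
        findings.append(f"leaf CN '{subject_cn}' does not match {hostname}")
    if issuer_cn.startswith("openshift-signer"):
        findings.append("leaf issued by the cluster's internal openshift-signer CA")
    elif issuer_cn != expected_issuer_cn:
        findings.append(f"leaf issuer CN '{issuer_cn}' is not {expected_issuer_cn}")
    return findings
```

Run against the master API transcript it reports both the IP-address CN and the internal signer; against the console transcript it reports nothing.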

