
Re: web interface certificate ignored



On Tue, Mar 26, 2019, at 11:49 AM, Harald Dunkel wrote:
> Hi folks,
> 
> I am running okd 3.11 on Centos 7.6. The inventory file registers
> 2 certificate chains (based upon a common, private CA), as described on
> https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html
> 
> :
> openshift_master_overwrite_named_certificates=true
> openshift_master_named_certificates=[{"certfile": "/work/okd01/ssl/okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "names": ["okd01.example.com"], "cafile": "/work/okd01/ssl/ca.cert.pem"}]
> openshift_hosted_router_certificate={"certfile": "/work/okd01/ssl/star.okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "cafile": "/work/okd01/ssl/ca.cert.pem"}
> :
> 

Here's what worked for me:

# Custom Certs: https://blog.openshift.com/lets-encrypt-acme-v2-api/
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "names": ["master.example.com"], "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}]
openshift_hosted_router_certificate={"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}


I may have had to re-deploy OpenShift to make it take full effect, but I think it worked mostly fine with the redeploy-certificates.yml playbook.

I don't know if it's supported to have the console/API domain as a subdomain of the router wildcard domain?


V/r,
James Cassell



> Problem is: I see all certificates in /etc/origin/master and
> especially /etc/origin/master/named_certificates, but apparently
> the web interface doesn't use it. openssl tells me:
> 
> % openssl s_client -connect okd01.example.com:8443
> depth=1 CN = openshift-signer 1553169466
> verify error:num=19:self signed certificate in certificate chain
> CONNECTED(00000003)
> ---
> Certificate chain
>   0 s:/CN=172.19.96.96
>     i:/CN=openshift-signer 1553169466
>   1 s:/CN=openshift-signer 1553169466
>     i:/CN=openshift-signer 1553169466
> ---
> :
> :
> 
> Please note the self-signed certificates. For the cluster console
> I see the expected certificates instead:
> 
> % openssl s_client -connect console.okd01.example.com:443
> depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN = root-CA
> verify return:1
> depth=1 C = DE, O = example AG, OU = example Certificate Authority, CN = tls-CA
> verify return:1
> depth=0 C = DE, O = example AG, CN = *.okd01.example.com
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>   0 s:/C=DE/O=example AG/CN=*.okd01.example.com
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>   1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>   2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> ---
> Server certificate
> :
> :
> 
> How come my named certificates have been lost/ignored? Are there
> additional steps required I was too blind to see?
> 
> 
> Every helpful comment is highly appreciated
> Harri
> 
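One check worth running before concluding that the named certificates were dropped: the master API server selects an openshift_master_named_certificates entry by the SNI host name of the connection, and the OpenSSL 1.0.2 s_client shipped with CentOS 7 sends no SNI unless -servername is given. Without SNI the master answers with its default cluster-signed certificate (the one whose CN is the node IP), so the 8443 probe above and the router probe on 443 are not comparable. The script below is an added example, not code from the thread or from OpenShift: it builds the openssl invocation with -servername and -CAfile, and it parses the "Certificate chain" section of s_client output to report whether the served chain roots in the auto-generated "openshift-signer" CA or in the private CA. The two sample transcripts embedded in it are constructed from the chains quoted in the thread, so the parsing part runs offline; the probe() helper and the host, port and CA path it is called with are assumptions for a live check.

```python
"""Tell a cluster-signed chain from a named-certificate chain in
openssl s_client output, with and without SNI.

Added example, not code from the thread or from OpenShift.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# s_client prints the chain as "N s:<subject>" / "  i:<issuer>" line pairs
# between the "Certificate chain" header and the next "---" separator.
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str


def parse_chain(s_client_output: str) -> List[ChainEntry]:
    """Parse the 'Certificate chain' section of openssl s_client output."""
    entries: List[ChainEntry] = []
    in_chain = False
    pending: Optional[ChainEntry] = None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":          # end of the chain section
            break
        m = _SUBJECT_RE.match(line)
        if m:
            pending = ChainEntry(int(m.group(1)), m.group(2).strip(), "")
            entries.append(pending)
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            pending.issuer = m.group(1).strip()
            pending = None
    return entries


def leaf_cn(chain: List[ChainEntry]) -> str:
    """CN of the depth-0 (server) certificate, '' if there is none."""
    for e in chain:
        if e.depth == 0:
            m = re.search(r"CN\s*=\s*([^/,]+)", e.subject)
            return m.group(1).strip() if m else ""
    return ""


def served_by_cluster_signer(chain: List[ChainEntry]) -> bool:
    """True when the served chain roots in the self-signed
    'openshift-signer <serial>' CA, i.e. the master did not pick a
    named certificate for this connection."""
    if not chain:
        return False
    root = chain[-1]
    return root.subject == root.issuer and "openshift-signer" in root.subject


def s_client_cmd(host: str, port: int, cafile: str, sni: bool = True) -> List[str]:
    """-servername makes the master select the named certificate;
    -CAfile lets openssl verify a chain issued by a private CA."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-CAfile", cafile]
    if sni:
        cmd += ["-servername", host]
    return cmd


def probe(host: str, port: int, cafile: str, sni: bool = True) -> List[ChainEntry]:
    """Run openssl against a live endpoint (needs network; hypothetical use)."""
    proc = subprocess.run(s_client_cmd(host, port, cafile, sni),
                          input=b"", capture_output=True, check=False)
    return parse_chain(proc.stdout.decode(errors="replace"))


# Constructed samples: the two chains quoted in the thread.
SAMPLE_NO_SNI = """\
CONNECTED(00000003)
---
Certificate chain
  0 s:/CN=172.19.96.96
    i:/CN=openshift-signer 1553169466
  1 s:/CN=openshift-signer 1553169466
    i:/CN=openshift-signer 1553169466
---
Server certificate
"""

SAMPLE_ROUTER = """\
CONNECTED(00000003)
---
Certificate chain
  0 s:/C=DE/O=example AG/CN=*.okd01.example.com
    i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
  1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
    i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
  2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
    i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
---
Server certificate
"""

if __name__ == "__main__":
    for name, sample in (("master, no SNI", SAMPLE_NO_SNI), ("router", SAMPLE_ROUTER)):
        chain = parse_chain(sample)
        print(f"{name}: leaf CN={leaf_cn(chain)!r}, "
              f"cluster signer={served_by_cluster_signer(chain)}")
    # Assumed host and CA path; this is the probe to compare against port 8443 without -servername.
    print(" ".join(s_client_cmd("okd01.example.com", 8443, "/work/okd01/ssl/ca.cert.pem")))
```

If the named certificate shows up only when -servername is sent, the master configuration is fine and the earlier probe simply never asked for it; a client that connects by IP address, or an old client without SNI, will keep seeing the cluster-signed certificate regardless of the inventory.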

