
Re: web interface certificate ignored



Hi Harri,
as far as I can tell your inventory config looks ok.
Is the hostname/CN "okd01.example.com" listed in the certificate "/work/okd01/ssl/okd01.cert.pem"? For example '*.okd01.example.com' wouldn't work. I remember having a similar issue...
Did you get any warnings while running the redeploy_certificates playbook?
Did you check the master API logs (run 'master-logs api api' from the master node)? Is there a hint why the certs aren't delivered?
Is the correct certificate referenced in /etc/origin/master/master-config.yaml (see namedCertificates)?
Did you use the same key for two different certificates on purpose?

Regards,
Nikolas
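As an added example, not part of Nikolas's reply or of the OKD project: the checks asked about above (does the certificate cover the name listed under "names", does the key file belong to the certificate, and is the certificate a live endpoint serves the one from the file) can be scripted with the openssl CLI. The script assumes openssl 1.0.2 or newer on PATH; the file names and hostnames are the ones from Harri's inventory, and the self-signed test certificates it builds are constructed fixtures, not the cluster's certificates.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for one
# openshift_master_named_certificates entry. Assumes the openssl CLI
# (1.0.2 or newer) is on PATH.

# 1. Does the certificate cover the hostname that goes under "names"?
#    openssl applies the real matching rules: a wildcard such as
#    *.okd01.example.com matches console.okd01.example.com but NOT
#    okd01.example.com itself.
cert_matches_host() {            # cert_matches_host <cert.pem> <hostname>
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# 2. Does the key file belong to the certificate? Comparing the PEM
#    public keys works for RSA and EC keys alike.
key_matches_cert() {             # key_matches_cert <cert.pem> <key.pem>
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 3. SHA-256 fingerprint of a certificate file, to compare with what a
#    live endpoint serves.
file_fingerprint() {             # file_fingerprint <cert.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 4. Fingerprint of the leaf certificate served on host:port. SNI is sent
#    so the answer reflects the named certificate, not the default one.
#    Needs network access, so the self-test below does not exercise it.
served_fingerprint() {           # served_fingerprint <host:port> <sni-name>
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Run checks 1 and 2 for one inventory entry; returns 0 only if both pass.
check_named_cert() {             # check_named_cert <cert.pem> <key.pem> <hostname>
    status=0
    if cert_matches_host "$1" "$3"; then echo "OK   $1 covers $3"
    else echo "FAIL $1 does not cover $3"; status=1; fi
    if key_matches_cert "$1" "$2"; then echo "OK   $2 matches $1"
    else echo "FAIL $2 is not the key for $1"; status=1; fi
    return $status
}

# Constructed fixture for a self-test: a throwaway self-signed certificate
# with the given DNS SAN, optionally reusing an existing key (as Harri's
# inventory does for both of its certificates).
make_test_cert() {               # make_test_cert <dir> <label> <dns-name> [existing-key]
    dir=$1; label=$2; name=$3; key=${4:-$dir/$label.key.pem}
    if [ ! -f "$key" ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
    fi
    openssl req -new -key "$key" -subj "/CN=$name" -out "$dir/$label.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/$label.ext"
    openssl x509 -req -days 1 -in "$dir/$label.csr" -signkey "$key" \
        -extfile "$dir/$label.ext" -out "$dir/$label.cert.pem" 2>/dev/null
}

# Usage: sh check_named_cert.sh <cert.pem> <key.pem> <hostname>
if [ "$#" -eq 3 ]; then
    check_named_cert "$1" "$2" "$3"
fi
```

For Harri's entry the call would be `sh check_named_cert.sh /work/okd01/ssl/okd01.cert.pem /work/okd01/ssl/okd01.key.pem okd01.example.com`; run against the star certificate with the same hostname, the first check fails, which is exactly the wildcard pitfall Nikolas mentions. Comparing `served_fingerprint okd01.example.com:8443 okd01.example.com` with `file_fingerprint /work/okd01/ssl/okd01.cert.pem` then tells whether the API is serving the named certificate at all or, as in Harri's s_client output, still the openshift-signer one.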

On Tue, 26 Mar 2019 at 17:21, James Cassell <fedoraproject cyberpear com> wrote:
On Tue, Mar 26, 2019, at 11:49 AM, Harald Dunkel wrote:
> Hi folks,
>
> I am running okd 3.11 on Centos 7.6. The inventory file registers
> 2 certificate chains (based upon a common, private CA), as described on
> https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html
>
> :
> openshift_master_overwrite_named_certificates=true
> openshift_master_named_certificates=[{"certfile":
> "/work/okd01/ssl/okd01.cert.pem", "keyfile":
> "/work/okd01/ssl/okd01.key.pem", "names": ["okd01.example.com"],
> "cafile": "/work/okd01/ssl/ca.cert.pem" }]
> openshift_hosted_router_certificate={"certfile":
> "/work/okd01/ssl/star.okd01.cert.pem", "keyfile":
> "/work/okd01/ssl/okd01.key.pem", "cafile":
> "/work/okd01/ssl/ca.cert.pem" }
> :
>

Here's what worked for me:

# Custom Certs: https://blog.openshift.com/lets-encrypt-acme-v2-api/
openshift_master_overwrite_named_certificates=true

openshift_master_named_certificates=[{"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "names": ["master.example.com"], "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}]
openshift_hosted_router_certificate={"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}


I may have had to re-deploy OpenShift to make it take full effect, but I think it worked mostly fine with the redeploy-certificates.yml playbook.

I don't know if it's supported to have the console/api domain as a subdomain of the router wildcard domain?


V/r,
James Cassell



> Problem is: I see all certificates in /etc/origin/master and
> especially /etc/origin/master/named_certificates, but apparently
> the web interface doesn't use it. openssl tells me:
>
> % openssl s_client -connect okd01.example.com:8443
> depth=1 CN = openshift-signer 1553169466
> verify error:num=19:self signed certificate in certificate chain
> CONNECTED(00000003)
> ---
> Certificate chain
>   0 s:/CN=172.19.96.96
>     i:/CN=openshift-signer 1553169466
>   1 s:/CN=openshift-signer 1553169466
>     i:/CN=openshift-signer 1553169466
> ---
> :
> :
>
> Please note the self signed certificates. For the cluster console
> I see the expected certificates instead:
>
> % openssl s_client -connect console.okd01.example.com:443
> depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN = root-CA
> verify return:1
> depth=1 C = DE, O = example AG, OU = example Certificate Authority, CN = tls-CA
> verify return:1
> depth=0 C = DE, O = example AG, CN = *.okd01.example.com
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>   0 s:/C=DE/O=example AG/CN=*.okd01.example.com
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>   1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>   2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> ---
> Server certificate
> :
> :
>
> How come my named certificates have been lost/ignored? Are there
> additional steps required I was too blind to see?
>
>
> Every helpful comment is highly appreciated
> Harri
>
> _______________________________________________
> users mailing list
> users lists openshift redhat com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
