[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: web interface certificate ignored



Hi Niklas,

Let's drop "example.com" and switch to the actual host and domain
names. Inventory file and master-config.yaml are attached.

On 3/26/19 5:29 PM, Nikolas Philips wrote:
> Hi Harri,
> as far as I can tell your inventory config looks ok.
> Is the hostname/CN "okd01.example.com" listed in the certificate "/work/okd01/ssl/okd01.cert.pem"? For example '*.okd01.example.com' wouldn't work. I remember having a similar issue...

The certificates are correct, AFAICT. CN is set to okd01.aixigo.de.
There is also a DNS entry in the certificate:

            X509v3 Subject Alternative Name:
                DNS:okd01.aixigo.de

> Did you get any warnings while running the redeploy_certificates playbook?

I tried: The redeploy-certificates playbook got stuck for more than
60 minutes :-(.

Last message

:
:
PLAY [Restart nodes] ***************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************
ok: [okd01b.ac.aixigo.de]

TASK [Restart docker] **************************************************************************************************


AFAICS it is stuck on okd01b here:

root      48897   7406  0 09:59 ?        00:00:00  \_ sshd: root pts/1
root      49097  48897  0 09:59 pts/1    00:00:00      \_ /bin/sh -c /usr/bin/python /root/.ansible/tmp/ansible-tmp-1553677155.03-134576205842945/AnsiballZ_systemd.py && sle
root      49109  49097  0 09:59 pts/1    00:00:00          \_ /usr/bin/python /root/.ansible/tmp/ansible-tmp-1553677155.03-134576205842945/AnsiballZ_systemd.py
root      49117  49109  0 09:59 pts/1    00:00:00              \_ /usr/bin/systemctl restart docker
root      49118  49117  0 09:59 pts/1    00:00:00                  \_ /usr/bin/systemd-tty-ask-password-agent --watch
root      49119  49117  0 09:59 pts/1    00:00:00                  \_ /usr/bin/pkttyagent --notify-fd 5 --fallback

I am not sure, but shouldn't ansible run its remote scripts
without a controlling terminal?

> Did you check the master API logs (run 'master-logs api api' from the master node)? Is there a hint why the certs aren't delivered?
> Is the correct certificate referenced in /etc/origin/master/master-config.yaml (see namedCertificates)?

This is what I see in master-config.yaml (attached):

:
:
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/okd01.aixigo.de.cert.pem
    keyFile: /etc/origin/master/named_certificates/okd01.aixigo.de.key.pem
    names:
    - okd01.aixigo.de
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true


Please note that the cafile for named isn't mentioned in master-config.yaml
at all.

> Did you use the same key for two different certificates on purpose?


Yes. It's the same IP address, anyway. Next time I will use a common
certificate for okd01.aixigo.de and *.okd01.aixigo.de.


Regards
Harri
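To make the hostname check Nikolas suggests mechanical, here is an added example (not from this thread, not from openshift-ansible) that parses the Subject CN and the Subject Alternative Name entries out of `openssl x509 -noout -text` output and applies the usual wildcard rule: `*.okd01.aixigo.de` covers `console.okd01.aixigo.de` but not `okd01.aixigo.de` itself, which is why the master and the router need either two certificates or one certificate listing both names. The certificate text blocks are constructed; only the host names come from the thread, and the file paths in `CERT_TEXTS` are placeholders. `check_named_certificates` takes entries shaped like the inventory's `openshift_master_named_certificates` list; it does not check the `cafile` or whether key and certificate belong together.

```python
import re

# Constructed sample input: the Subject and SAN lines as `openssl x509 -noout -text`
# prints them. Only the host names come from the thread; the rest is made up.
MASTER_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: CN = okd01 local CA
        Subject: CN = okd01.aixigo.de
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:okd01.aixigo.de
"""

ROUTER_CERT_TEXT = """\
Certificate:
    Data:
        Issuer: CN = okd01 local CA
        Subject: CN = *.okd01.aixigo.de
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.okd01.aixigo.de
"""

# One certificate listing both names, the alternative mentioned for next time.
COMBINED_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN = okd01.aixigo.de
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:okd01.aixigo.de, DNS:*.okd01.aixigo.de
"""

# Placeholder paths (assumption, not the real inventory paths) mapped to the sample text.
CERT_TEXTS = {
    "/path/to/okd01.aixigo.de.cert.pem": MASTER_CERT_TEXT,
    "/path/to/star.okd01.aixigo.de.cert.pem": ROUTER_CERT_TEXT,
}


def cert_names(text):
    """Return (subject CN, [SAN DNS names]) parsed from openssl -text output."""
    cn_match = re.search(r"Subject:[^\n]*?CN\s*=\s*([^,/\n]+)", text)
    cn = cn_match.group(1).strip() if cn_match else None
    sans = []
    san_match = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    if san_match:
        for entry in san_match.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                sans.append(entry[len("DNS:"):])
    return cn, sans


def name_matches(pattern, hostname):
    """RFC 6125-style match: '*.' covers exactly one left-most label, never the apex."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname


def cert_covers(text, hostname):
    """True if a SAN entry matches; the CN is only consulted when the cert has no SANs."""
    cn, sans = cert_names(text)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(c, hostname) for c in candidates)


def check_named_certificates(entries, cert_texts):
    """For inventory-style entries ({'certfile': ..., 'names': [...]}) return
    (certfile, name) pairs where the certificate does not cover the name."""
    problems = []
    for entry in entries:
        text = cert_texts[entry["certfile"]]
        for name in entry["names"]:
            if not cert_covers(text, name):
                problems.append((entry["certfile"], name))
    return problems


if __name__ == "__main__":
    entries = [
        {"certfile": "/path/to/okd01.aixigo.de.cert.pem", "names": ["okd01.aixigo.de"]},
        {"certfile": "/path/to/star.okd01.aixigo.de.cert.pem", "names": ["okd01.aixigo.de"]},
    ]
    for certfile, name in check_named_certificates(entries, CERT_TEXTS):
        print(f"{certfile} does not cover {name}")
```

Feed it the real text with `openssl x509 -noout -text -in <cert>`; the second entry in the usage block is the misconfiguration the wildcard rule catches (the router's `*.okd01.aixigo.de` certificate offered for the bare cluster hostname).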
# Create an OSEv3 group that contains the masters, nodes, and etcd groups

[OSEv3:children]
masters
nodes
etcd

# Set variables common for all OSEv3 hosts
[OSEv3:vars]
clustername=okd01
clusterdomain=aixigo.de

# openshift_clusterid=okd01.aixigo.de
openshift_release="3.11"
openshift_deployment_type=origin

openshift_master_cluster_hostname=okd01.aixigo.de
openshift_master_cluster_public_hostname=okd01.aixigo.de
openshift_master_default_subdomain=okd01.aixigo.de

# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root

# If ansible_ssh_user is not root, ansible_become must be set to true
#ansible_become=true

openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.cert.pem", "keyfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.key.pem", "names": ["okd01.aixigo.de"], "cafile": "/export/source/hdunkel/work/okd01/ssl/ca.cert.pem" }]
openshift_hosted_router_certificate={"certfile": "/export/source/hdunkel/work/okd01/ssl/star.okd01.aixigo.de.cert.pem", "keyfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.key.pem", "cafile": "/export/source/hdunkel/work/okd01/ssl/ca.cert.pem" }

# login credentials for admin account
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'admin': '$apr1$xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', 'hdunkel': '$apr1$yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy'}
# use
#	oc create clusterrolebinding registry-controller --clusterrole=cluster-admin --user=admin
#
# to assign the "cluster-admin" role to the admin account.

# Registry Storage
openshift_hosted_registry_storage_kind=nfs
openshift_hosted_registry_storage_access_modes=['ReadWriteMany']
openshift_hosted_registry_storage_host=nasl007.ac.aixigo.de
openshift_hosted_registry_storage_nfs_directory=/space/okd01
openshift_hosted_registry_storage_volume_name=registry
openshift_hosted_registry_storage_volume_size=20Gi


# Metrics
openshift_metrics_install_metrics=true

# host group for masters
[masters]
okd01a.ac.aixigo.de

# host group for etcd
[etcd]
okd01a.ac.aixigo.de
# okd01b.ac.aixigo.de

# host group for nodes, includes region info
[nodes]
okd01a.ac.aixigo.de openshift_node_group_name='node-config-master-infra'
okd01b.ac.aixigo.de openshift_node_group_name='node-config-compute'
# node2.ac.aixigo.de openshift_node_group_name='node-config-compute'
# infra-node1.ac.aixigo.de openshift_node_group_name='node-config-infra'
# infra-node2.ac.aixigo.de openshift_node_group_name='node-config-infra'

admissionConfig:
  pluginConfig:
    BuildDefaults:
      configuration:
        apiVersion: v1
        env: []
        kind: BuildDefaultsConfig
        resources:
          limits: {}
          requests: {}
    BuildOverrides:
      configuration:
        apiVersion: v1
        kind: BuildOverridesConfig
    openshift.io/ImagePolicy:
      configuration:
        apiVersion: v1
        executionRules:
        - matchImageAnnotations:
          - key: images.openshift.io/deny-execution
            value: 'true'
          name: execution-denied
          onResources:
          - resource: pods
          - resource: builds
          reject: true
          skipOnResolutionFailure: true
        kind: ImagePolicyConfig
aggregatorConfig:
  proxyClientInfo:
    certFile: aggregator-front-proxy.crt
    keyFile: aggregator-front-proxy.key
apiLevels:
- v1
apiVersion: v1
authConfig:
  requestHeader:
    clientCA: front-proxy-ca.crt
    clientCommonNames:
    - aggregator-front-proxy
    extraHeaderPrefixes:
    - X-Remote-Extra-
    groupHeaders:
    - X-Remote-Group
    usernameHeaders:
    - X-Remote-User
controllerConfig:
  election:
    lockName: openshift-master-controllers
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key
controllers: '*'
corsAllowedOrigins:
- (?i)//127\.0\.0\.1(:|\z)
- (?i)//localhost(:|\z)
- (?i)//172\.19\.96\.96(:|\z)
- (?i)//kubernetes\.default(:|\z)
- (?i)//kubernetes\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes(:|\z)
- (?i)//openshift\.default(:|\z)
- (?i)//openshift\.default\.svc(:|\z)
- (?i)//172\.30\.0\.1(:|\z)
- (?i)//okd01\.aixigo\.de(:|\z)
- (?i)//okd01a\.ac\.aixigo\.de(:|\z)
- (?i)//openshift\.default\.svc\.cluster\.local(:|\z)
- (?i)//kubernetes\.default\.svc(:|\z)
- (?i)//openshift(:|\z)
dnsConfig:
  bindAddress: 0.0.0.0:8053
  bindNetwork: tcp4
etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
  - https://okd01a.ac.aixigo.de:2379
etcdStorageConfig:
  kubernetesStoragePrefix: kubernetes.io
  kubernetesStorageVersion: v1
  openShiftStoragePrefix: openshift.io
  openShiftStorageVersion: v1
imageConfig:
  format: docker.io/openshift/origin-${component}:${version}
  latest: false
imagePolicyConfig:
  internalRegistryHostname: docker-registry.default.svc:5000
kind: MasterConfig
kubeletClientInfo:
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
kubernetesMasterConfig:
  apiServerArguments:
    storage-backend:
    - etcd3
    storage-media-type:
    - application/vnd.kubernetes.protobuf
  controllerArguments:
    cluster-signing-cert-file:
    - /etc/origin/master/ca.crt
    cluster-signing-key-file:
    - /etc/origin/master/ca.key
    pv-recycler-pod-template-filepath-hostpath:
    - /etc/origin/master/recycler_pod.yaml
    pv-recycler-pod-template-filepath-nfs:
    - /etc/origin/master/recycler_pod.yaml
  masterCount: 1
  masterIP: 172.19.96.96
  podEvictionTimeout: null
  proxyClientInfo:
    certFile: master.proxy-client.crt
    keyFile: master.proxy-client.key
  schedulerArguments: null
  schedulerConfigFile: /etc/origin/master/scheduler.json
  servicesNodePortRange: ''
  servicesSubnet: 172.30.0.0/16
  staticNodeNames: []
masterClients:
  externalKubernetesClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    burst: 400
    contentType: application/vnd.kubernetes.protobuf
    qps: 200
  externalKubernetesKubeConfig: ''
  openshiftLoopbackClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    burst: 600
    contentType: application/vnd.kubernetes.protobuf
    qps: 300
  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://okd01.aixigo.de:8443
networkConfig:
  clusterNetworks:
  - cidr: 10.128.0.0/14
    hostSubnetLength: 9
  externalIPNetworkCIDRs:
  - 0.0.0.0/0
  networkPluginName: redhat/openshift-ovs-subnet
  serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
  assetPublicURL: https://okd01.aixigo.de:8443/console/
  grantConfig:
    method: auto
  identityProviders:
  - challenge: true
    login: true
    mappingMethod: claim
    name: htpasswd_auth
    provider:
      apiVersion: v1
      file: /etc/origin/master/htpasswd
      kind: HTPasswdPasswordIdentityProvider
  masterCA: ca-bundle.crt
  masterPublicURL: https://okd01.aixigo.de:8443
  masterURL: https://okd01.aixigo.de:8443
  sessionConfig:
    sessionMaxAgeSeconds: 3600
    sessionName: ssn
    sessionSecretsFile: /etc/origin/master/session-secrets.yaml
  tokenConfig:
    accessTokenMaxAgeSeconds: 86400
    authorizeTokenMaxAgeSeconds: 500
pauseControllers: false
policyConfig:
  bootstrapPolicyFile: /etc/origin/master/policy.json
  openshiftInfrastructureNamespace: openshift-infra
  openshiftSharedResourcesNamespace: openshift
projectConfig:
  defaultNodeSelector: node-role.kubernetes.io/compute=true
  projectRequestMessage: ''
  projectRequestTemplate: ''
  securityAllocator:
    mcsAllocatorRange: s0:/2
    mcsLabelsPerProject: 5
    uidAllocatorRange: 1000000000-1999999999/10000
routingConfig:
  subdomain: okd01.aixigo.de
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/okd01.aixigo.de.cert.pem
    keyFile: /etc/origin/master/named_certificates/okd01.aixigo.de.key.pem
    names:
    - okd01.aixigo.de
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true
