
Re: web interface certificate ignored



Resending, as I forgot the User List as CC:

Ok, I remember that I got this warning too and it seems to be unrelated to the master API certificate. 

As James already mentioned, maybe it's a problem that you set the public, internal and subdomain var to the same hostname:
openshift_master_cluster_hostname=okd01.aixigo.de
openshift_master_cluster_public_hostname=okd01.aixigo.de
openshift_master_default_subdomain=okd01.aixigo.de

Is the hostname on the machine set to okd01.aixigo.de (check with 'hostname')? Verify that the openshift_master_cluster_hostname equals the 'hostname'.
Try the redeploy_certificate playbook with openshift_master_cluster_public_hostname not set, as according to this issue (https://github.com/openshift/openshift-ansible/issues/6971) this might be a problem. I assume you don't use a loadbalancer.

If this still doesn't help, take a different DNS entry for the openshift_master_cluster_public_hostname pointing to the master node (e.g. openshift.aixigo.de with A record pointing to the IP of okd01.aixigo.de). If this still leads to issues, change the subdomain or master name completely.

My current, working setup looks like this:
openshift_master_default_subdomain=cloud.example.io # Public resolvable
openshift_master_cluster_public_hostname=openshift.example.io # Public resolvable
openshift_master_cluster_hostname=okd01-master01.vm.example.io # Private IP
  
openshift_master_overwrite_named_certificates=true
openshift_certificate_expiry_warning_days=0
openshift_master_named_certificates=[{"certfile": "/etc/acme.sh/example.io/fullchain.pem", "keyfile": "/etc/acme.sh/example.io/key.pem", "cafile": "/etc/acme.sh/example.io/ca.cer", "names": ["openshift.example.io"]}]
openshift_hosted_router_certificate={"certfile": "/etc/acme.sh/example.io/fullchain.pem", "keyfile": "/etc/acme.sh/example.io/key.pem", "cafile": "/etc/acme.sh/example.io/ca.cer"}

Just as a note, to prevent further issues, the certfile should point to the fullchain, and not only to the certificate, so that clients which don't know the intermediate certs (like curl or oc cli) work without error.


On Wed, 27 March 2019 at 14:56, Nikolas Philips <nikolas philips gmail com> wrote:

On Wed, 27 March 2019 at 12:20, Harald Dunkel <harald dunkel aixigo de> wrote:
PS: The ansible problem has been resolved: It seems that systemd got
confused. After manually running "systemctl daemon-reload" the playbook
succeeded.

The certificate for okd01.aixigo.de is still bad. There were no
warnings for redeploy-certificates, except for

:
TASK [Evaluate oo_etcd_to_migrate] *************************************************************************************
ok: [localhost] => (item=okd01a.ac.aixigo.de) => {"add_host": {"groups": ["oo_etcd_to_migrate"], "host_name": "okd01a.ac.aixigo.de", "host_vars": {}}, "changed": false, "item": "okd01a.ac.aixigo.de"}
  [WARNING]: Could not match supplied host pattern, ignoring: oo_lb_to_config
  [WARNING]: Could not match supplied host pattern, ignoring: oo_nfs_to_config
:


Regards
Harri
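
An added example, not part of the original mails or of openshift-ansible: a small Python lint for the pitfalls discussed in this thread (the three hostname variables sharing one name, a named certificate that does not list the public hostname, a certfile without intermediates). The function names, the read_pem callback and the /tmp paths are assumptions, the PEM text is a constructed placeholder, and the check only counts certificate blocks; it does not validate the chain.

```python
import json
import re
from itertools import combinations

HOST_VARS = ("openshift_master_cluster_hostname",
             "openshift_master_cluster_public_hostname",
             "openshift_master_default_subdomain")

def parse_vars(text):
    """Parse key=value inventory lines, dropping a trailing ' # note'."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("#", ";", "[")):
            key, value = line.split("=", 1)
            found[key.strip()] = re.sub(r"\s+#.*$", "", value).strip()
    return found

def lint(text, read_pem):
    """Return findings; read_pem(path) must return that file's PEM text."""
    v, findings = parse_vars(text), []
    for a, b in combinations(HOST_VARS, 2):
        if a in v and v.get(a) == v.get(b):
            findings.append(f"{a} and {b} are both {v[a]}")
    public = v.get(HOST_VARS[1])
    named = json.loads(v.get("openshift_master_named_certificates", "[]"))
    if public and named and not any(public in c.get("names", []) for c in named):
        findings.append(f"no named certificate lists {public}")
    router = v.get("openshift_hosted_router_certificate")
    for c in named + ([json.loads(router)] if router else []):
        blocks = read_pem(c["certfile"]).count("-----BEGIN CERTIFICATE-----")
        if blocks < 2:  # leaf only: clients lacking the intermediate fail
            findings.append(f"{c['certfile']} has {blocks} certificate(s), no chain")
    return findings

# Constructed sample: the three variables quoted in the thread plus a
# hypothetical leaf-only certfile entry (paths are placeholders).
SAMPLE = """\
openshift_master_cluster_hostname=okd01.aixigo.de
openshift_master_cluster_public_hostname=okd01.aixigo.de
openshift_master_default_subdomain=okd01.aixigo.de
openshift_master_named_certificates=[{"certfile": "/tmp/cert.pem", "keyfile": "/tmp/key.pem", "names": ["okd01.aixigo.de"]}]
"""
FAKE_PEM = "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for finding in lint(SAMPLE, lambda path: FAKE_PEM):
        print("WARN:", finding)
```

On a real host, pass a read_pem that opens the file, e.g. lambda p: open(p).read(), and run it against the inventory before the redeploy-certificates playbook.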
