
Re: web interface certificate ignored



That's great to hear. So everything is now working for you?
The difference between cluster_hostname and public_hostname is nicely described in this reddit comment: https://www.reddit.com/r/openshift/comments/8w7edz/openshift_master_cluster_hostname_vs_openshift/e1tbr1t?utm_source=share&utm_medium=web2x
But both must point to the master server, either through a load balancer or to the master server(s) directly.

The openshift_master_default_subdomain, as you probably already know, is used as default host for new routes. So you need a wildcard (*.domain) A record pointing to the node where the load balancer/HA proxy is running. This is typically the 'infra' node. This could be an arbitrary domain name, as long as it points to the 'infra' node in some way, and has nothing to do with the master hostnames, except when you deploy the 'infra' components and 'master' components on the same server(s). 

Just as a note, as James already commented, I would suggest using Let's Encrypt certificates, as it reduces the effort to populate your CA everywhere and it's free.

If you're using acme.sh, for example, you could "easily" automate the process of certificate renewal and rollout on OpenShift (master API and router). I once wrote a small guide on how you could do this here: https://bugzilla.redhat.com/show_bug.cgi?id=1615937#c14
 


On Wed., 27 March 2019 at 16:05, Harald Dunkel <harald dunkel aixigo de> wrote:
Hi Nikolas,

Good news first: I have set up 2 new kvm hosts okd02a and okd02b,
created new certificates (using different key files, as you suggested),
derived a new inventory file from the old one, and gave it a try:
This time it worked. "openssl s_client" shows me the expected certificate
chains for okd02.aixigo.de and console.okd02.aixigo.de.

On 3/27/19 2:59 PM, Nikolas Philips wrote:
> Resending, as I forgot to CC the User List.
>
> Ok, I remember that I got this warning too and it seems to be unrelated to the master API certificate.
>
> As James already mentioned, maybe it's a problem that you set the public, internal and subdomain var to the same hostname:
>
> openshift_master_cluster_hostname=okd01.aixigo.de
> openshift_master_cluster_public_hostname=okd01.aixigo.de
> openshift_master_default_subdomain=okd01.aixigo.de
>

AFAICT this is a correct approach, but I cannot say that I really
got the difference between these 3 vars. Since okd02 works, I
would suggest to keep these settings for okd01.

>
> Just as a note, to prevent further issues, the certfile should point to the fullchain, and not only to the certificate, so that clients which don't know the intermediate certs (like curl or the oc CLI) work without error.
>

I will uninstall okd01 and deploy again, using the full chain in the
certificate, as you suggested.


Thanx very much for your help
Harri
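The fullchain point quoted above (certfile = leaf only vs. leaf + intermediate) is easy to reproduce without touching a real cluster. The following is an added example, not code from this thread or from OpenShift/openshift-ansible: it builds a constructed root -> intermediate -> server chain with Go's standard library (the CA names and the hostname console.okd.example.test are made up, not the aixigo.de certificates discussed here), starts a loopback TLS server, and connects with a client that trusts only the root, which is exactly the situation of curl or oc using a system trust store that knows the Let's Encrypt root but not the intermediate. With the leaf alone in the certfile the handshake fails; with the full chain it succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// certKey bundles a parsed certificate, its DER encoding and its private key.
type certKey struct {
	cert *x509.Certificate
	der  []byte
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn signed by parent; with parent == nil it is self-signed.
// CA certificates get the cert-signing key usage, server certificates the serverAuth EKU.
func issue(cn string, isCA bool, parent *certKey, dnsNames []string) (*certKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		DNSNames:              dnsNames,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &certKey{cert: cert, der: der, key: key}, nil
}

// handshake starts a loopback TLS server that presents chain (DER, leaf first, i.e. what the
// configured certfile holds) and connects with a client that trusts only root, like curl or
// oc with a system trust store. It returns the client's handshake error, nil on success.
func handshake(chain [][]byte, leafKey *ecdsa.PrivateKey, root *x509.Certificate, serverName string) error {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: chain, PrivateKey: leafKey}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		_ = conn.(*tls.Conn).Handshake() // a failed verification shows up as the client's error
		conn.Close()
	}()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		return err
	}
	return conn.Close()
}

// demo builds a constructed root -> intermediate -> leaf chain for host (test names only) and
// reports what the client sees when the server is configured with the leaf alone versus the full chain.
func demo(host string) (leafOnlyErr, fullChainErr error) {
	root := must(issue("Constructed Test Root CA", true, nil, nil))
	inter := must(issue("Constructed Test Intermediate CA", true, root, nil))
	leaf := must(issue(host, false, inter, []string{host}))
	leafOnlyErr = handshake([][]byte{leaf.der}, leaf.key, root.cert, host)
	fullChainErr = handshake([][]byte{leaf.der, inter.der}, leaf.key, root.cert, host)
	return leafOnlyErr, fullChainErr
}

func must(c *certKey, err error) *certKey {
	if err != nil {
		panic(err)
	}
	return c
}

func main() {
	leafOnly, full := demo("console.okd.example.test")
	fmt.Println("certfile = leaf only :", leafOnly)
	fmt.Println("certfile = fullchain :", full)
}
```

The leaf-only run ends in the "certificate signed by unknown authority" class of error that curl and oc report against a router or master API that serves only its own certificate; the same server with the intermediate appended to the certfile verifies cleanly, which is what "openssl s_client" showing the expected chain corresponds to.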
