Re: web interface certificate ignored

2019-04-01 Thread Ahmed Ossama

Hi Harald,

I've been struggling with this issue for a couple of months now.

We have OpenShift deployed on AWS, an elastic load-balancer of type NLB 
(network load balancer) is distributing the traffic over the three 
master nodes. We have a firewall doing man-in-the-middle decryption on 
the traffic going back and forth.


From the command line, curl works pretty much fine. But when using 
openssl client, it shows the internal openshift certificates. I tried 
the steps mentioned in this thread but none of them worked for me. We 
have another OpenShift 3.10 cluster that we didn't face this issue with.


The only conclusion I have is when you hit the masters at tcp layer 4, 
OpenShift responds with the default certificates. It's like the 
named_certificates section works at layer 7 and hitting lower than that, 
you get the default certificate.


On 4/1/19 3:13 AM, Harald Dunkel wrote:

Hi folks,

On 3/26/19 4:48 PM, Harald Dunkel wrote:


Problem is: I see all certificates in /etc/origin/master and
especially /etc/origin/master/named_certificates, but apparently
the web interface doesn't use it. openssl tells me:

% openssl s_client -connect okd01.example.com:8443
depth=1 CN = openshift-signer@1553169466
verify error:num=19:self signed certificate in certificate chain
CONNECTED(0003)
---
Certificate chain
  0 s:/CN=172.19.96.96
    i:/CN=openshift-signer@1553169466
  1 s:/CN=openshift-signer@1553169466
    i:/CN=openshift-signer@1553169466
---
:
:


This seems to come up only if the web browser runs in the same subnet
as the web interface. If the browser runs in another subnet (e.g. on
my laptop connected via IPsec), then I see the expected certificate
chain.

Every helpful comment is highly appreciated
Harri

___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


--
Regards,
Ahmed Ossama

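
Ahmed's layer-4 versus layer-7 observation has a concrete mechanism behind it: the master picks a namedCertificates entry by the Server Name Indication (SNI) the client sends in its TLS ClientHello, and before OpenSSL 1.1.1 `openssl s_client` sent no SNI at all unless `-servername` was given, so a plain `-connect` probe receives the master's default certificate while a browser or curl, which always send the host name, receive the named one. (Whether that also explains Harri's same-subnet symptom the thread does not say.) Note too that `verify error:num=19` only reports that the root is not in the client's trust store, which is equally true for a private CA unless `-CAfile` is passed; the chain listing, not the verify line, tells you which certificate was served. The following is an added example written for this page, not code from the thread or from OpenShift: it parses the `Certificate chain` block that `openssl s_client` prints and classifies whether the server answered with the internal `openshift-signer@...` default chain or with a certificate covering the expected name, and it builds the command line for re-running the probe with SNI. The two transcripts are constructed from the listings quoted in the thread, and the `openshift-signer@` prefix is taken from that output.

```python
"""Classify what `openssl s_client` reports for an OpenShift master endpoint.

Added example for this thread; the sample transcripts below are constructed
from the chain listings quoted in the thread, not captured live.
"""
import re
from typing import List, NamedTuple, Optional

# CN prefix of the cluster-internal CA that signs the master's default
# serving certificate (taken from the output quoted in the thread).
DEFAULT_SIGNER_PREFIX = "openshift-signer@"


class ChainEntry(NamedTuple):
    depth: int
    subject: str
    issuer: str


# s_client prints each chain element as " 0 s:<subject>" followed by
# "   i:<issuer>" inside the block headed "Certificate chain".
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(output: str) -> List[ChainEntry]:
    """Return the chain listed between 'Certificate chain' and the next '---'."""
    entries: List[ChainEntry] = []
    in_chain = False
    pending: Optional[tuple] = None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":
            break
        m = _SUBJECT_RE.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2).strip())
            continue
        m = _ISSUER_RE.match(line)
        if m and pending is not None:
            entries.append(ChainEntry(pending[0], pending[1], m.group(1).strip()))
            pending = None
    return sorted(entries, key=lambda e: e.depth)


def dn_field(dn: str, field: str) -> Optional[str]:
    """Pick one attribute (e.g. 'CN') out of a slash-separated DN."""
    for part in dn.strip("/").split("/"):
        key, _, value = part.partition("=")
        if key.strip() == field:
            return value.strip()
    return None


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".okd01.example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return False


def diagnose(output: str, expected_name: str) -> str:
    """'named-cert', 'default-cert', 'unexpected-cert' or 'no-chain'."""
    chain = parse_chain(output)
    if not chain:
        return "no-chain"
    leaf = chain[0]
    leaf_cn = dn_field(leaf.subject, "CN") or ""
    issuer_cn = dn_field(leaf.issuer, "CN") or ""
    if name_matches(leaf_cn, expected_name):
        return "named-cert"
    if issuer_cn.startswith(DEFAULT_SIGNER_PREFIX):
        return "default-cert"  # the master fell back to its built-in cert
    return "unexpected-cert"


def sni_probe_argv(host: str, port: int = 8443) -> List[str]:
    """Command line for an s_client probe that sends SNI explicitly."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]


# Constructed sample transcripts (abridged, after the thread's listings).
DEFAULT_CERT_OUTPUT = """\
depth=1 CN = openshift-signer@1553169466
verify error:num=19:self signed certificate in certificate chain
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=172.19.96.96
   i:/CN=openshift-signer@1553169466
 1 s:/CN=openshift-signer@1553169466
   i:/CN=openshift-signer@1553169466
---
Server certificate
"""

NAMED_CERT_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=example AG/CN=*.okd01.example.com
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
 1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
---
Server certificate
"""

if __name__ == "__main__":
    print(diagnose(DEFAULT_CERT_OUTPUT, "okd01.example.com"))       # default-cert
    print(diagnose(NAMED_CERT_OUTPUT, "console.okd01.example.com"))  # named-cert
    print(" ".join(sni_probe_argv("okd01.example.com")))
```

If `diagnose` returns `default-cert` for a probe made without `-servername`, rerun it with the `sni_probe_argv` command line before concluding that the named certificate was never installed; if the default chain still comes back with SNI set, the problem really is on the master side.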


Re: web interface certificate ignored

2019-04-01 Thread Harald Dunkel

Hi folks,

On 3/26/19 4:48 PM, Harald Dunkel wrote:


Problem is: I see all certificates in /etc/origin/master and
especially /etc/origin/master/named_certificates, but apparently
the web interface doesn't use it. openssl tells me:

% openssl s_client -connect okd01.example.com:8443
depth=1 CN = openshift-signer@1553169466
verify error:num=19:self signed certificate in certificate chain
CONNECTED(0003)
---
Certificate chain
  0 s:/CN=172.19.96.96
    i:/CN=openshift-signer@1553169466
  1 s:/CN=openshift-signer@1553169466
    i:/CN=openshift-signer@1553169466
---
:
:


This seems to come up only if the web browser runs in the same subnet
as the web interface. If the browser runs in another subnet (e.g. on
my laptop connected via IPsec), then I see the expected certificate
chain.

Every helpful comment is highly appreciated
Harri



Re: web interface certificate ignored

2019-03-29 Thread Harald Dunkel

On 3/29/19 10:09 AM, Harald Dunkel wrote:

On 3/27/19 6:09 PM, Nikolas Philips wrote:

That's great to hear. So everything is now working for you?


Still testing, but I found the reason for a few arbitrary test
results I had by now: openshift can't handle IPv6. The cluster host
name has a DNS mapping for both IPv4 and IPv6.

Why does the web interface listen on IPv6, if it's not supported?



Please delete the last post, that wasn't the reason for the
problems, either.

My bad
Harri



Re: web interface certificate ignored

2019-03-29 Thread Harald Dunkel

On 3/27/19 6:09 PM, Nikolas Philips wrote:

That's great to hear. So everything is now working for you?


Still testing, but I found the reason for a few arbitrary test
results I had by now: openshift can't handle IPv6. The cluster host
name has a DNS mapping for both IPv4 and IPv6.

Why does the web interface listen on IPv6, if it's not supported?


Regards
Harri



Re: web interface certificate ignored

2019-03-27 Thread Nikolas Philips
That's great to hear. So everything is now working for you?
The differences between cluster_hostname and public_hostname are nicely
described in this reddit comment:
https://www.reddit.com/r/openshift/comments/8w7edz/openshift_master_cluster_hostname_vs_openshift/e1tbr1t?utm_source=share&utm_medium=web2x
But both must point to the master server, either through a load balancer or
to the master server(s) directly.

The openshift_master_default_subdomain, as you probably already know, is
used as default host for new routes. So you need a wildcard (*.domain) A
record pointing to the node where the load balancer/HA proxy is running.
This is typically the 'infra' node. This could be an arbitrary domain name,
as long as it points to the 'infra' node in some way, and has nothing to do
with the master hostnames, except when you deploy the 'infra' components
and 'master' components on the same server(s).

Just as a note, as James already commented, I would suggest using Let's
Encrypt certificates, as it reduces the effort to populate your CA
everywhere and it's free.
https://remote-lab.net/aio-okd-311-lets-encrypt

If you're using acme.sh, for example, you could "easily" automate the
process of certificates renewal and rollout on OpenShift (master api and
router). I once wrote a small guide on how you could do this here:
https://bugzilla.redhat.com/show_bug.cgi?id=1615937#c14



On Wed, 27 Mar 2019 at 16:05, Harald Dunkel <harald.dun...@aixigo.de> wrote:

> Hi Nikolas,
>
> Good news first: I have set up 2 new kvm hosts okd02a and okd02b,
> created new certificates (using different key files, as you suggested),
> derived a new inventory file from the old one, and gave it a try:
> This time it worked. "openssl s_client" shows me the expected certificate
> chains for okd02.aixigo.de and console.okd02.aixigo.de.
>
> On 3/27/19 2:59 PM, Nikolas Philips wrote:
> > Resending, as I forgot the User List as CC:
> >
> > Ok, I remember that I got this warning too and it seems to be unrelated
> to the master API certificate.
> >
> > As James already mentioned, maybe it's a problem that you set the
> public, internal and subdomain var to the same hostname:
> >
> > openshift_master_cluster_hostname=okd01.aixigo.de
> > openshift_master_cluster_public_hostname=okd01.aixigo.de
> > openshift_master_default_subdomain=okd01.aixigo.de
> >
>
> AFAICT this is a correct approach, but I cannot say that I really
> got the difference between these 3 vars. Since okd02 works, I
> would suggest to keep these settings for okd01.
>
> >
> > Just as a note, to prevent further issues, the certfile should point to
> the fullchain, and not only to the certificate, so that clients which don't
> know the intermediates certs (like curl or oc cli) work without error.
> >
>
> I will uninstall okd01 and deploy again, using the full chain in the
> certificate, as you suggested.
>
>
> Thanx very much for your help
> Harri
>


Re: web interface certificate ignored

2019-03-27 Thread Harald Dunkel

Hi Nikolas,

Good news first: I have set up 2 new kvm hosts okd02a and okd02b,
created new certificates (using different key files, as you suggested),
derived a new inventory file from the old one, and gave it a try:
This time it worked. "openssl s_client" shows me the expected certificate
chains for okd02.aixigo.de and console.okd02.aixigo.de.

On 3/27/19 2:59 PM, Nikolas Philips wrote:

Resending, as I forgot the User List as CC:

Ok, I remember that I got this warning too and it seems to be unrelated to the 
master API certificate.

As James already mentioned, maybe it's a problem that you set the public, 
internal and subdomain var to the same hostname:

openshift_master_cluster_hostname=okd01.aixigo.de
openshift_master_cluster_public_hostname=okd01.aixigo.de
openshift_master_default_subdomain=okd01.aixigo.de



AFAICT this is a correct approach, but I cannot say that I really
got the difference between these 3 vars. Since okd02 works, I
would suggest to keep these settings for okd01.



Just as a note, to prevent further issues, the certfile should point to the 
fullchain, and not only to the certificate, so that clients which don't know 
the intermediates certs (like curl or oc cli) work without error.



I will uninstall okd01 and deploy again, using the full chain in the
certificate, as you suggested.


Thanx very much for your help
Harri



Re: web interface certificate ignored

2019-03-27 Thread Nikolas Philips
Resending, as I forgot the User List as CC:

Ok, I remember that I got this warning too and it seems to be unrelated to
the master API certificate.

As James already mentioned, maybe it's a problem that you set the public,
internal and subdomain var to the same hostname:

openshift_master_cluster_hostname=okd01.aixigo.de
openshift_master_cluster_public_hostname=okd01.aixigo.de
openshift_master_default_subdomain=okd01.aixigo.de


Is the hostname on the machine set to okd01.aixigo.de (check with
'hostname')? Verify that openshift_master_cluster_hostname equals the
'hostname'.
Try the redeploy_certificate playbook with
openshift_master_cluster_public_hostname not set, as according to this issue
https://github.com/openshift/openshift-ansible/issues/6971 this might be a
problem. I assume you don't use a loadbalancer.

If this still doesn't help, take a different DNS entry for the
openshift_master_cluster_public_hostname pointing to the master node (e.g.
openshift.aixigo.de with A record pointing to the IP of okd01.aixigo.de).
If this still leads to issues, change the subdomain or master name
completely.

My current, working setup looks like this:
openshift_master_default_subdomain=cloud.example.io # Public resolvable
openshift_master_cluster_public_hostname=openshift.example.io # Public resolvable
openshift_master_cluster_hostname=okd01-master01.vm.example.io # Private IP

openshift_master_overwrite_named_certificates=true
openshift_certificate_expiry_warning_days=0
openshift_master_named_certificates=[{"certfile": "/etc/acme.sh/example.io/fullchain.pem", "keyfile": "/etc/acme.sh/example.io/key.pem", "cafile": "/etc/acme.sh/example.io/ca.cer", "names": ["openshift.example.io"]}]
openshift_hosted_router_certificate={"certfile": "/etc/acme.sh/example.io/fullchain.pem", "keyfile": "/etc/acme.sh/example.io/key.pem", "cafile": "/etc/acme.sh/example.io/ca.cer"}

Just as a note, to prevent further issues, the certfile should point to the
fullchain, and not only to the certificate, so that clients which don't
know the intermediates certs (like curl or oc cli) work without error.


On Wed, 27 Mar 2019 at 14:56, Nikolas Philips <nikolas.phil...@gmail.com> wrote:

> Ok, I remember that I got this warning too and it seems to be unrelated to
> the master API certificate.
>
> As James already mentioned, maybe it's a problem that you set the public,
> internal and subdomain var to the same hostname:
>
> openshift_master_cluster_hostname=okd01.aixigo.de
> openshift_master_cluster_public_hostname=okd01.aixigo.de
> openshift_master_default_subdomain=okd01.aixigo.de
>
>
> Is the hostname on the machine set to okd01.aixigo.de (check with
> 'hostname')? Verify that openshift_master_cluster_hostname equals the
> 'hostname'.
> Try the redeploy_certificate playbook with
> openshift_master_cluster_public_hostname not set, as according to this issue
> https://github.com/openshift/openshift-ansible/issues/6971 this might be
> a problem. I assume you don't use a loadbalancer.
>
> If this still doesn't help, take a different DNS entry for the
> openshift_master_cluster_public_hostname pointing to the master node
> (e.g. openshift.aixigo.de with A record pointing to the IP of
> okd01.aixigo.de). If this still leads to issues, change the subdomain or
> master name completely.
>
> My current, working setup looks like this:
> openshift_master_default_subdomain=cloud.example.io # Public resolvable
> openshift_master_cluster_public_hostname=openshift.example.io # Public resolvable
> openshift_master_cluster_hostname=okd01-master01.vm.example.io # Private IP
>
> openshift_master_overwrite_named_certificates=true
> openshift_certificate_expiry_warning_days=0
> openshift_master_named_certificates=[{"certfile": "/etc/acme.sh/example.io/fullchain.pem", "keyfile": "/etc/acme.sh/example.io/key.pem", "cafile": "/etc/acme.sh/example.io/ca.cer", "names": ["openshift.example.io"]}]
> openshift_hosted_router_certificate={"certfile": "/etc/acme.sh/example.io/fullchain.pem", "keyfile": "/etc/acme.sh/example.io/key.pem", "cafile": "/etc/acme.sh/example.io/ca.cer"}
>
> Just as a note, to prevent further issues, the certfile should point to
> the fullchain, and not only to the certificate, so that clients which don't
> know the intermediates certs (like curl or oc cli) work without error.
>
>
> On Wed, 27 Mar 2019 at 12:20, Harald Dunkel <harald.dun...@aixigo.de> wrote:
>
>> PS: The ansible problem has been resolved: It seems that systemd got
>> confused. After manually running "systemctl daemon-reload" the playbook
>> succeeded.
>>
>> The certificate for okd01.aixigo.de is still bad. There were no
>> warnings for redeploy-certificates, except for
>>
>> :
>> TASK [Evaluate oo_etcd_to_migrate]
>> *
>> ok: [localhost] => (item=okd01a.ac.aixigo.de) => {"add_host": {"groups":
>> ["oo_etcd_to_migrate"], "host_name": "okd01a.ac.aixigo.de",

Re: web interface certificate ignored

2019-03-27 Thread Harald Dunkel

PS: The ansible problem has been resolved: It seems that systemd got
confused. After manually running "systemctl daemon-reload" the playbook
succeeded.

The certificate for okd01.aixigo.de is still bad. There were no
warnings for redeploy-certificates, except for

:
TASK [Evaluate oo_etcd_to_migrate] 
*
ok: [localhost] => (item=okd01a.ac.aixigo.de) => {"add_host": {"groups": ["oo_etcd_to_migrate"], "host_name": 
"okd01a.ac.aixigo.de", "host_vars": {}}, "changed": false, "item": "okd01a.ac.aixigo.de"}
 [WARNING]: Could not match supplied host pattern, ignoring: oo_lb_to_config
 [WARNING]: Could not match supplied host pattern, ignoring: oo_nfs_to_config
:


Regards
Harri



Re: web interface certificate ignored

2019-03-27 Thread Harald Dunkel

Hi Nikolas,

let's drop "example.com" and switch to the actual host and domain
names. Inventory file and master-config.yaml are attached.

On 3/26/19 5:29 PM, Nikolas Philips wrote:

Hi Harri,
as far as I can tell your inventory config looks ok.
Is the hostname/CN "okd01.example.com" listed in the certificate
"/work/okd01/ssl/okd01.cert.pem"? For example, '*.okd01.example.com'
wouldn't work. I remember having a similar issue...


The certificates are correct, AFAICT. CN is set to okd01.aixigo.de.
There is also a DNS entry in the certificate:

X509v3 Subject Alternative Name:
DNS:okd01.aixigo.de


Did you get any warnings while running the redeploy_certificates playbook?


I tried: The redeploy-certificates playbook got stuck for more than
60 minutes :-(.

Last message

:
:
PLAY [Restart nodes] 
***

TASK [Gathering Facts] 
*
ok: [okd01b.ac.aixigo.de]

TASK [Restart docker] 
**


AFAICS it is stuck on okd01b here:

root      48897   7406  0 09:59 ?        00:00:00  \_ sshd: root@pts/1
root      49097  48897  0 09:59 pts/1    00:00:00      \_ /bin/sh -c /usr/bin/python /root/.ansible/tmp/ansible-tmp-1553677155.03-134576205842945/AnsiballZ_systemd.py && sle
root      49109  49097  0 09:59 pts/1    00:00:00          \_ /usr/bin/python /root/.ansible/tmp/ansible-tmp-1553677155.03-134576205842945/AnsiballZ_systemd.py
root      49117  49109  0 09:59 pts/1    00:00:00              \_ /usr/bin/systemctl restart docker
root      49118  49117  0 09:59 pts/1    00:00:00                  \_ /usr/bin/systemd-tty-ask-password-agent --watch
root      49119  49117  0 09:59 pts/1    00:00:00                  \_ /usr/bin/pkttyagent --notify-fd 5 --fallback

I am not sure, but shouldn't ansible run its remote scripts
without controlling terminal?


Did you check the master API logs (run from the master node with 'master-logs
api api')? Is there a hint why the certs aren't delivered?
Is the correct certificate referenced in /etc/origin/master/master-config.yaml
(see namedCertificates)?


This is what I see in master-config.yaml (attached):

:
:
serviceAccountConfig:
  limitSecretReferences: false
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: 0.0.0.0:8443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  namedCertificates:
  - certFile: /etc/origin/master/named_certificates/okd01.aixigo.de.cert.pem
    keyFile: /etc/origin/master/named_certificates/okd01.aixigo.de.key.pem
    names:
    - okd01.aixigo.de
  requestTimeoutSeconds: 3600
volumeConfig:
  dynamicProvisioningEnabled: true


Please note that the cafile for the named certificates isn't mentioned in
master-config.yaml at all.


Did you use the same key for two different certificates on purpose?



Yes. It's the same IP address, anyway. Next time I will use a common
certificate for okd01.aixigo.de and *.okd01.aixigo.de.


Regards
Harri

# Create an OSEv3 group that contains the masters, nodes, and etcd groups

[OSEv3:children]
masters
nodes
etcd

# Set variables common for all OSEv3 hosts
[OSEv3:vars]
clustername=okd01
clusterdomain=aixigo.de

# openshift_clusterid=okd01.aixigo.de
openshift_release="3.11"
openshift_deployment_type=origin

openshift_master_cluster_hostname=okd01.aixigo.de
openshift_master_cluster_public_hostname=okd01.aixigo.de
openshift_master_default_subdomain=okd01.aixigo.de

# SSH user, this user should allow ssh based auth without requiring a password
ansible_ssh_user=root

# If ansible_ssh_user is not root, ansible_become must be set to true
#ansible_become=true

openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.cert.pem", "keyfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.key.pem", "names": ["okd01.aixigo.de"], "cafile": "/export/source/hdunkel/work/okd01/ssl/ca.cert.pem" }]
openshift_hosted_router_certificate={"certfile": "/export/source/hdunkel/work/okd01/ssl/star.okd01.aixigo.de.cert.pem", "keyfile": "/export/source/hdunkel/work/okd01/ssl/okd01.aixigo.de.key.pem", "cafile": "/export/source/hdunkel/work/okd01/ssl/ca.cert.pem" }

# login credentials for admin account
openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider'}]
openshift_master_htpasswd_users={'admin': '$apr1$xxx', 'hdunkel': '$apr1$yy

Re: web interface certificate ignored

2019-03-26 Thread Nikolas Philips
Hi Harri,
as far as I can tell your inventory config looks ok.
Is the hostname/CN "okd01.example.com" listed in the certificate
"/work/okd01/ssl/okd01.cert.pem"? For example, '*.okd01.example.com'
wouldn't work. I remember having a similar issue...
Did you get any warnings while running the redeploy_certificates playbook?
Did you check the master API logs (run from the master node with 'master-logs
api api')? Is there a hint why the certs aren't delivered?
Is the correct certificate referenced in /etc/origin/master/master-config.yaml
(see namedCertificates)?
Did you use the same key for two different certificates on purpose?

Regards,
Nikolas

On Tue, 26 Mar 2019 at 17:21, James Cassell <fedoraproj...@cyberpear.com> wrote:

> On Tue, Mar 26, 2019, at 11:49 AM, Harald Dunkel wrote:
> > Hi folks,
> >
> > I am running okd 3.11 on Centos 7.6. The inventory file registers
> > 2 certificate chains (based upon a common, private CA), as described on
> >
> https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html
> >
> > :
> > openshift_master_overwrite_named_certificates=true
> > openshift_master_named_certificates=[{"certfile": "/work/okd01/ssl/okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "names": ["okd01.example.com"], "cafile": "/work/okd01/ssl/ca.cert.pem" }]
> > openshift_hosted_router_certificate={"certfile": "/work/okd01/ssl/star.okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "cafile": "/work/okd01/ssl/ca.cert.pem" }
> > :
> >
>
> Here's what worked for me:
>
> # Custom Certs: https://blog.openshift.com/lets-encrypt-acme-v2-api/
> openshift_master_overwrite_named_certificates=true
> openshift_master_named_certificates=[{"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "names": ["master.example.com"], "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}]
> openshift_hosted_router_certificate={"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}
>
>
> I may have had to re-deploy OpenShift to make it take full effect, but I
> think it worked mostly fine with the redeploy-certificates.yml playbook.
>
> I don't know if it's supported to have the console/api domain as a
> subdomain of the router wildcard domain?
>
>
> V/r,
> James Cassell
>
>
>
> > Problem is: I see all certificates in /etc/origin/master and
> > especially /etc/origin/master/named_certificates, but apparently
> > the web interface doesn't use it. openssl tells me:
> >
> > % openssl s_client -connect okd01.example.com:8443
> > depth=1 CN = openshift-signer@1553169466
> > verify error:num=19:self signed certificate in certificate chain
> > CONNECTED(0003)
> > ---
> > Certificate chain
> >   0 s:/CN=172.19.96.96
> >     i:/CN=openshift-signer@1553169466
> >   1 s:/CN=openshift-signer@1553169466
> >     i:/CN=openshift-signer@1553169466
> > ---
> > :
> > :
> >
> > Please note the self signed certificates. For the cluster console
> > I see the expected certificates instead:
> >
> > % openssl s_client -connect console.okd01.example.com:443
> > depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN =
> root-CA
> > verify return:1
> > depth=1 C = DE, O = example AG, OU = example Certificate Authority, CN =
> tls-CA
> > verify return:1
> > depth=0 C = DE, O = example AG, CN = *.okd01.example.com
> > verify return:1
> > CONNECTED(0003)
> > ---
> > Certificate chain
> >   0 s:/C=DE/O=example AG/CN=*.okd01.example.com
> >     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
> >   1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
> >     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> >   2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> >     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> > ---
> > Server certificate
> > :
> > :
> >
> > How come my named certificates have been lost/ignored? Are there
> > additional steps required I was too blind to see?
> >
> >
> > Every helpful comment is highly appreciated
> > Harri
> >
> >
>
>
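
Nikolas's questions above (is the CN/SAN the master name rather than a wildcard; was the same key deliberately used for two certificates), his later advice to point certfile at the full chain, and James's inventory quoted in this message, which already uses `fullchain1.pem`, can all be turned into a pre-flight check that runs before the playbook. The following is an added example written for this page, not openshift-ansible's own code: it parses the `openshift_master_named_certificates` and `openshift_hosted_router_certificate` variables as JSON, resolves the referenced PEM files from a constructed in-memory map standing in for the filesystem, and reports leaf-only certfiles, names that do not cover the public master hostname or are wildcards, missing keys, and a private key shared between master and router. The inventory text, paths and PEM placeholders are constructed for the example. The full-chain check is a heuristic that fits the thread's root-CA/tls-CA/leaf setup; a certificate issued directly by a root CA legitimately has a single block.

```python
"""Lint the certificate variables of an openshift-ansible inventory.

Added example for this thread (not openshift-ansible code). The inventory
snippets and PEM blobs below are constructed placeholders.
"""
import json
import re
from typing import Dict, List

_CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
_KEY_BLOCK = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def parse_inventory_vars(text: str) -> Dict[str, str]:
    """Collect key=value lines of an INI-style inventory; skip comments/groups."""
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            found[key.strip()] = value.strip()
    return found


def count_certs(pem: str) -> int:
    """Number of CERTIFICATE blocks in a PEM file (1 = leaf only, no chain)."""
    return len(_CERT_BLOCK.findall(pem))


def _check_entry(role: str, entry: Dict[str, str], files: Dict[str, str]) -> List[str]:
    out: List[str] = []
    cert_path, key_path = entry.get("certfile", ""), entry.get("keyfile", "")
    cert = files.get(cert_path)
    if cert is None:
        out.append(f"{role}: certfile {cert_path!r} not found")
    elif count_certs(cert) < 2:
        out.append(f"{role}: certfile {cert_path!r} holds only the leaf; clients "
                   "without the intermediate CA (curl, oc) will fail, use the full chain")
    key = files.get(key_path)
    if key is None or not _KEY_BLOCK.search(key):
        out.append(f"{role}: keyfile {key_path!r} missing or not a PEM private key")
    return out


def lint_certificates(inventory: str, files: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means the settings look sane.

    `files` maps path -> content so the check runs offline; for real use
    replace the lookups with open(path).read()."""
    v = parse_inventory_vars(inventory)
    findings: List[str] = []
    public = v.get("openshift_master_cluster_public_hostname", "")
    named = json.loads(v.get("openshift_master_named_certificates", "[]"))
    router = json.loads(v.get("openshift_hosted_router_certificate", "{}"))

    key_users: Dict[str, List[str]] = {}
    for entry in named:
        names = entry.get("names", [])
        if public and public not in names:
            findings.append(f"master: names {names} do not include public hostname {public}")
        for n in names:
            if n.startswith("*."):
                findings.append(f"master: wildcard {n} cannot serve the master API name itself")
        findings += _check_entry("master", entry, files)
        key_users.setdefault(entry.get("keyfile", ""), []).append("master")
    if router:
        findings += _check_entry("router", router, files)
        key_users.setdefault(router.get("keyfile", ""), []).append("router")
    for key, users in key_users.items():
        if key and len(users) > 1:
            findings.append(f"private key {key!r} is shared by {' and '.join(users)}")
    return findings


def fake_pem(kind: str, n: int = 1) -> str:
    """Constructed PEM placeholder (not a real certificate or key)."""
    return "".join(f"-----BEGIN {kind}-----\nPLACEHOLDER{i}\n-----END {kind}-----\n"
                   for i in range(n))


# Constructed inventory shaped like the one discussed in the thread:
# leaf-only certfiles and one key reused for master and router.
BEFORE_INVENTORY = """
[OSEv3:vars]
openshift_master_cluster_public_hostname=okd01.example.com
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "/ssl/okd01.cert.pem", "keyfile": "/ssl/okd01.key.pem", "names": ["okd01.example.com"], "cafile": "/ssl/ca.cert.pem"}]
openshift_hosted_router_certificate={"certfile": "/ssl/star.okd01.cert.pem", "keyfile": "/ssl/okd01.key.pem", "cafile": "/ssl/ca.cert.pem"}
"""
BEFORE_FILES = {
    "/ssl/okd01.cert.pem": fake_pem("CERTIFICATE", 1),
    "/ssl/star.okd01.cert.pem": fake_pem("CERTIFICATE", 1),
    "/ssl/okd01.key.pem": fake_pem("RSA PRIVATE KEY"),
}

# The same inventory after the thread's advice: full-chain files, separate keys.
AFTER_INVENTORY = """
[OSEv3:vars]
openshift_master_cluster_public_hostname=okd01.example.com
openshift_master_named_certificates=[{"certfile": "/ssl/okd01.fullchain.pem", "keyfile": "/ssl/okd01.key.pem", "names": ["okd01.example.com"], "cafile": "/ssl/ca.cert.pem"}]
openshift_hosted_router_certificate={"certfile": "/ssl/star.okd01.fullchain.pem", "keyfile": "/ssl/star.okd01.key.pem", "cafile": "/ssl/ca.cert.pem"}
"""
AFTER_FILES = {
    "/ssl/okd01.fullchain.pem": fake_pem("CERTIFICATE", 2),
    "/ssl/star.okd01.fullchain.pem": fake_pem("CERTIFICATE", 2),
    "/ssl/okd01.key.pem": fake_pem("RSA PRIVATE KEY"),
    "/ssl/star.okd01.key.pem": fake_pem("RSA PRIVATE KEY"),
}

if __name__ == "__main__":
    for finding in lint_certificates(BEFORE_INVENTORY, BEFORE_FILES):
        print("before:", finding)
    print("after:", lint_certificates(AFTER_INVENTORY, AFTER_FILES) or "clean")
```

Run it against the real inventory by reading the variables from the file and swapping the `files` map for real reads; the `names` and wildcard checks need no files at all, so they are worth keeping even where the PEM files live only on the deployment host.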

Re: web interface certificate ignored

2019-03-26 Thread James Cassell
On Tue, Mar 26, 2019, at 11:49 AM, Harald Dunkel wrote:
> Hi folks,
> 
> I am running okd 3.11 on Centos 7.6. The inventory file registers
> 2 certificate chains (based upon a common, private CA), as described on
> https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html
> 
> :
> openshift_master_overwrite_named_certificates=true
> openshift_master_named_certificates=[{"certfile": "/work/okd01/ssl/okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "names": ["okd01.example.com"], "cafile": "/work/okd01/ssl/ca.cert.pem" }]
> openshift_hosted_router_certificate={"certfile": "/work/okd01/ssl/star.okd01.cert.pem", "keyfile": "/work/okd01/ssl/okd01.key.pem", "cafile": "/work/okd01/ssl/ca.cert.pem" }
> :
> 

Here's what worked for me:

# Custom Certs: https://blog.openshift.com/lets-encrypt-acme-v2-api/
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "names": ["master.example.com"], "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}]
openshift_hosted_router_certificate={"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}


I may have had to re-deploy OpenShift to make it take full effect, but I think 
it worked mostly fine with the redeploy-certificates.yml playbook.

I don't know if it's supported to have the console/api domain as a subdomain of 
the router wildcard domain?


V/r,
James Cassell



> Problem is: I see all certificates in /etc/origin/master and
> especially /etc/origin/master/named_certificates, but apparently
> the web interface doesn't use it. openssl tells me:
> 
> % openssl s_client -connect okd01.example.com:8443
> depth=1 CN = openshift-signer@1553169466
> verify error:num=19:self signed certificate in certificate chain
> CONNECTED(0003)
> ---
> Certificate chain
>   0 s:/CN=172.19.96.96
>     i:/CN=openshift-signer@1553169466
>   1 s:/CN=openshift-signer@1553169466
>     i:/CN=openshift-signer@1553169466
> ---
> :
> :
> 
> Please note the self signed certificates. For the cluster console
> I see the expected certificates instead:
> 
> % openssl s_client -connect console.okd01.example.com:443
> depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN = 
> root-CA
> verify return:1
> depth=1 C = DE, O = example AG, OU = example Certificate Authority, CN = 
> tls-CA
> verify return:1
> depth=0 C = DE, O = example AG, CN = *.okd01.example.com
> verify return:1
> CONNECTED(0003)
> ---
> Certificate chain
>   0 s:/C=DE/O=example AG/CN=*.okd01.example.com
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>   1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>   2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> ---
> Server certificate
> :
> :
> 
> How come my named certificates have been lost/ignored? Are there
> additional steps required I was too blind to see?
> 
> 
> Every helpful comment is highly appreciated
> Harri
> 
>
