Hi Jim, thanks for the reply. I have done some investigation into how it works and I have an idea.

We have a problem with the certification authority and we bought a new wildcard certificate. I tried to change the certificate in the secured route but nothing happened. I dived into the router pod and I found this row:

    bind 127.0.0.1:10444 ssl no-sslv3 crt /etc/pki/tls/private/tls.crt crt /var/lib/haproxy/router/certs accept-proxy

In /etc/pki/tls/private/tls.crt is the wildcard certificate for the domain rohlik.cz, and in the directory /var/lib/haproxy/router/certs there are three certificates. Two are the same as the default certificate and the last is the "new" certificate (a wildcard certificate too). In the HAProxy documentation it is written that certificates are picked in alphabetical order:

    If a directory name is used instead of a PEM file, then all files found in that directory will be loaded in alphabetic order unless their name ends with '.issuer' or '.ocsp' (reserved extensions). This directive may be specified multiple times in order to load certificates from multiple files or directories. The certificates will be presented to clients who provide a valid TLS Server Name Indication field matching one of their CN or alt subjects. Wildcards are supported, where a wildcard character '*' is used instead of the first hostname component (eg: *.example.org matches www.example.org but not www.sub.example.org).

When I delete the environment settings from the dc/router (the default certificate) and delete the other 2 certificates, everything starts working. Why? Because there is only one certificate which matches and HAProxy picks up the correct one. In the OpenShift documentation there is no information on how to change the certificate. I can deploy a new router with a changed --default-certificate, but how can I correctly delete the old router?
I tried this:

    oc delete dc/router svc/router rolebinding/router-router-role serviceaccounts/router secret/router-certs
    deploymentconfig "router" deleted
    service "router" deleted
    serviceaccount "router" deleted
    secret "router-certs" deleted
    Error from server: rolebinding "router-router-role" not found

and creating is erroneous too:

    oadm router --default-cert=cert.new.pem
    info: password for stats user admin has been set to AaTk1rxtyh
    --> Creating router router ...
        secret "router-certs" created
        serviceaccount "router" created
    error: rolebinding "router-router-role" already exists
        deploymentconfig "router" created
        service "router" created
    --> Failed

How can I correctly delete the role binding and deploy the router correctly?

Thanks
Mila

On 14 October 2016 at 10:13:28, Jim Minter (jmin...@redhat.com) wrote:

Hi Mila,

There are a number of different HTTPS certificates in OpenShift. I'm supposing you're talking about the one served by the haproxy for actual end-user services hosted on OpenShift?

'Route' objects in OpenShift can specify their own TLS certs, overriding the default specifically for the route in question. See [1] as a starting point.

The default TLS cert presented by haproxy can be set using oadm router --default-cert. There's a bit of information at [2] as a starting point.

It's also worth noting that some browsers don't react very well to the TLS cert changing under their feet, and they don't always report what's going on correctly until a restart.
The following command can be useful in seeing what's going on:

    $ openssl s_client -connect <haproxy_ip>:443 -servername <route_name_you're_testing> </dev/null | openssl x509 -noout -text

[1] https://docs.openshift.org/latest/architecture/core_concepts/routes.html#secured-routes
[2] https://docs.openshift.org/latest/install_config/router/default_haproxy_router.html#using-wildcard-certificates

Cheers,

Jim

--
Jim Minter
Principal Software Engineer, Red Hat UK

On 13/10/16 20:32, Miloslav Vlach wrote:
> Hi all,
>
> I would like to change the https certificate. I modified the routes and the
> certificate served is not changed. Does somebody know why? The certificates
> are correctly written to the router pod. I don't understand.
>
>     bind 127.0.0.1:10444 ssl no-sslv3 crt /etc/pki/tls/private/tls.crt crt /var/lib/haproxy/router/certs accept-proxy
>
> In the directory certs there are many PEM certificates. But the server
> returns the /etc/pki/tls/private/tls.crt
>
> I have questions:
>
> 1. how to correctly change the certificate for all routes
> 2. why doesn't this solution work for the specific route
>
> Is there any way to deploy/update a new router (oadm router) without
> deleting them?
>
> Thanks Mila
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
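The selection rule Mila quotes from the HAProxy documentation (alphabetical load order from a `crt` directory, match on CN or DNS SAN, `*` standing in for the first label only) and Jim's `openssl s_client` check, combined into one added shell example. This is editor-added code, not part of the thread and not OpenShift or HAProxy code; it only emulates the quoted rule against a directory of PEM files so you can predict which file the router will hand out for a given SNI name before redeploying anything. The hostnames, file names and throwaway keys are constructed for the demo. One simplification to keep in mind: the emulation returns the first file in alphabetical order that matches at all, whereas HAProxy itself prefers an exact-name match over a wildcard when both exist in the directory; for the thread's situation (several wildcard certs for the same names) the two agree, and `served_fingerprint` against the live router is the authoritative check either way.

```shell
#!/bin/sh
# Added example (not OpenShift or HAProxy code): predict which file HAProxy
# picks from a `crt <directory>` for an SNI name, per the rule quoted in the
# thread: alphabetical order, skip *.issuer/*.ocsp, match on CN or DNS SAN,
# and '*' replaces exactly one label. Needs only the openssl CLI.
set -eu

# Print every DNS name a PEM certificate claims (CN first, then DNS SANs).
cert_names() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Does SNI name $2 match certificate name $1?  '*' covers one label only:
# *.example.org matches www.example.org but not www.sub.example.org.
name_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*) [ "$host" = "${host%%.*}${pattern#?}" ] ;;
        *)    [ "$host" = "$pattern" ] ;;
    esac
}

# Print the first file (alphabetical) in directory $1 whose names match $2.
# Returns 1 when nothing matches, i.e. HAProxy would fall back to the
# default certificate from the `crt <file>` entry on the bind line.
pick_cert() {
    for pem in "$1"/*; do
        case "$pem" in *.issuer|*.ocsp) continue ;; esac
        for name in $(cert_names "$pem"); do
            if name_matches "$name" "$2"; then
                printf '%s\n' "$pem"
                return 0
            fi
        done
    done
    return 1
}

# SHA-256 fingerprint of a local PEM, to compare with what the router serves.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Jim's live check: fingerprint of the cert the router actually presents for
# this SNI name. Compare with cert_fingerprint of the file you expect.
served_fingerprint() { # served_fingerprint <router_ip:443> <sni_name>
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Constructed sample directory shaped like the one in the thread: two copies
# of the old wildcard cert, the new wildcard cert, plus one exact-name cert.
gen_cert() { # gen_cert <out.pem> <CN> [subjectAltName value]
    ext=""
    if [ $# -ge 3 ]; then ext="-addext subjectAltName=$3"; fi
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 1 -subj "/CN=$2" $ext -keyout "$1.key" -out "$1" 2>/dev/null
    cat "$1.key" >> "$1" && rm "$1.key"   # HAProxy wants cert and key in one PEM
}
make_samples() {
    mkdir -p "$1"
    gen_cert "$1/a-old.pem"      '*.example.org'
    gen_cert "$1/b-old-copy.pem" '*.example.org'
    gen_cert "$1/c-new.pem"      '*.example.org'
    gen_cert "$1/d-exact.pem"    'api.sub.example.org' \
        'DNS:api.sub.example.org,DNS:api2.sub.example.org'
}

# Demo: c-new.pem is never chosen while a-old.pem and b-old-copy.pem, which
# claim the same names, sort before it; removing them fixes the selection.
dir=$(mktemp -d)
make_samples "$dir"
for h in www.example.org api2.sub.example.org www.sub.example.org; do
    printf '%-30s -> %s\n' "$h" "$(pick_cert "$dir" "$h" || echo 'no match (default cert)')"
done
rm -f "$dir/a-old.pem" "$dir/b-old-copy.pem"
printf '%-30s -> %s\n' "www.example.org (old removed)" "$(pick_cert "$dir" www.example.org)"
rm -rf "$dir"
```

On a real router, run `pick_cert` over a copy of /var/lib/haproxy/router/certs pulled out of the pod, then compare `cert_fingerprint` of the file it names with `served_fingerprint <router_ip>:443 <route_host>`; if the two fingerprints differ, something other than the directory (the default cert on the bind line, or a stale router process) is answering.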