Hi Aleks,
I already configured the 4 values and if I miss the intermediate CA in the destinationCACertificate field the Origin GUI shows me a warning related to the certificate. The export of the command is:

apiVersion: v1
kind: Route
metadata:
  creationTimestamp: null
  name: callcentergw-dev-external
spec:
  host: callcenter.fineco.it
  port:
    targetPort: 443-tcp
  tls:
    caCertificate: |-
      -----BEGIN CERTIFICATE-----
      ….
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      …
      -----END CERTIFICATE-----
    certificate: |-
      -----BEGIN CERTIFICATE-----
      …
      -----END CERTIFICATE-----
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      …
      -----END CERTIFICATE-----
    key: |-
      -----BEGIN RSA PRIVATE KEY-----
      …
      -----END RSA PRIVATE KEY-----
    termination: reencrypt
  to:
    kind: Service
    name: callcentergw-dev
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2017-10-18T07:54:22Z
      status: "True"
      type: Admitted
    host: callcenter.test.local
    routerName: router
    wildcardPolicy: None

The second command's results are the same in insecure mode and when passing the cafile formed by the intermediate + root CA certificates.

* About to connect() to callcenter.test.local port 443 (#0)
*   Trying 192.168.10.10...
* Connected to callcenter.test.local (192.168.10.10) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /tmp/new-cac.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*       subject: E=my.test.local,CN=callcenter.test.local,OU=test,O=Local=Milan,ST=Italy,C=IT
*       start date: Mar 31 11:54:54 2016 GMT
*       expire date: Mar 31 11:54:54 2018 GMT
*       common name: callcenter.test.local
*       issuer: CN=Local CA Subordinate,DC=milano,DC=test,DC=local,DC=it
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: callcenter.test.local
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 18 Oct 2017 08:29:17 GMT
< Server: Apache/2.4.28 (Unix) OpenSSL/1.0.2k-fips
< Location: https://callcenter.test.local/home
< Content-Length: 228
< Content-Type: text/html; charset=iso-8859-1

Marcello

On Tue, Oct 17, 2017 at 11:21 PM, Aleksandar Lazic <al...@me2digital.eu> wrote:
> Hi Marcello.
>
> on Tuesday, 17 October 2017 at 09:11 was written:
>
>> Hi,
>> I'm using a re-encrypt configuration to preserve the x-forwarded-for information. The configuration is:
>>
>> Name:                   callcentergw-dev-external
>> Namespace:              dev-shared
>> Created:                17 hours ago
>> Labels:                 <none>
>> Annotations:            <none>
>> Requested Host:         callcenter.test.local
>>                         exposed on router router 17 hours ago
>> Path:                   <none>
>> TLS Termination:        reencrypt
>> Insecure Policy:        Redirect
>> Endpoint Port:          443-tcp
>>
>> Service:        callcentergw-dev
>> Weight:         100 (100%)
>> Endpoints:      10.131.0.138:443, 10.131.0.138:80
>
> I miss the destinationCACertificate, maybe it's shown with export.
>
> oc export route -n dev-shared callcentergw-dev-external
>
> You can add in the GUI (=> Webinterface) all four values under "Security" settings. There is a section "Certificates".
>
> key: [as in edge termination]
> certificate: [as in edge termination]
> caCertificate: [as in edge termination]
> destinationCACertificate: ...
>
> Please can you also show us the output of
>
> curl -vk callcenter.test.local
>
>> Marcello
>
> Best Regards
> Aleks
>
>> On 16 Oct 2017 20:45, "Aleksandar Lazic" <al...@me2digital.eu> wrote:
>>
>>> Hi Marcello.
>>>
>>> on Monday, 16 October 2017 at 15:23 was written:
>>>
>>>> Hi,
>>>> I have tried it and it worked fine, but the problem is overriding the default wildcard certificate and configuring a different certificate, because it's not possible to configure the intermediate CA chain in the admin panel. I tried to configure the CA cert with the root CA and the subordinate CA files and the router is ok, but if I navigate to the new route I receive a security error.
>>>
>>> do you use reencrypted or passthrough route
>>>
>>> please can you show us the output of:
>>>
>>> oc get route -n your-project
>>> oc describe route -n your-project your-route
>>>
>>> Best Regards
>>> Aleks
>>>
>>>> Marcello
>>>>
>>>> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <al...@me2digital.eu> wrote:
>>>>
>>>>> Hi Marcello Lorenzi.
>>>>>
>>>>> have you used -servername in s_client?
>>>>>
>>>>> The ssl solution is based on sni ( https://en.wikipedia.org/wiki/Server_Name_Indication )
>>>>>
>>>>> Regards
>>>>> Aleks
>>>>>
>>>>> on Thursday, 12 October 2017 at 13:02 was written:
>>>>>
>>>>>> Hi All,
>>>>>> thanks for the response and we checked the configuration. If I try to check the certificate propagated with the passthrough configuration with openssl s_client, the certificate provided is the wildcard domain certificate and not the pod's own. Is it normal?
>>>>>>
>>>>>> Thanks,
>>>>>> Marcello
>>>>>>
>>>>>> On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <al...@me2digital.eu> wrote:
>>>>>>
>>>>>>> Hi.
>>>>>>>
>>>>>>> In addition to Joel's suggestion, can you also use a reencrypted route if you want to talk encrypted with the Apache webserver.
>>>>>>>
>>>>>>> https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination
>>>>>>>
>>>>>>> Regards
>>>>>>> Aleks
>>>>>>>
>>>>>>> on Wednesday, 11 October 2017 at 15:51 was written:
>>>>>>>
>>>>>>>> Sorry, I meant to say, it *cannot* modify the http request in any way.
>>>>>>>>
>>>>>>>> On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson <japear...@agiledigital.com.au> wrote:
>>>>>>>>
>>>>>>>>> Hi Marcelo,
>>>>>>>>>
>>>>>>>>> If you use Passthrough termination then that means that OpenShift cannot add the X-Forwarded-For header, because as the name suggests it is just passing the packets through and because it's encrypted it can modify the http request in any way.
>>>>>>>>>
>>>>>>>>> If you want X-Forwarded-For you will need to switch to Edge termination.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Joel
>>>>>>>>>
>>>>>>>>> On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <cell...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi All,
>>>>>>>>>> we tried to configure a route on Origin 3.6 with a Passthrough termination to an Apache webserver present in a single POD, but we can't see the X-Forwarded-For header in the Apache logs. We tried to capture it without success.
>>>>>>>>>>
>>>>>>>>>> Could you confirm if there is some method to extract it from the POD side?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Marcello
>>>>>>>>>> _______________________________________________
>>>>>>>>>> users mailing list
>>>>>>>>>> users@lists.openshift.redhat.com
>>>>>>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>>>>> --
>>>>>>>>> Kind Regards,
>>>>>>>>>
>>>>>>>>> Joel Pearson
>>>>>>>>> Agile Digital | Senior Software Consultant
>>>>>>>>>
>>>>>>>>> Love Your Software™ | ABN 98 106 361 273
>>>>>>>>> p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
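As an added example, not code from the thread: a small POSIX shell script that builds a throwaway root CA, subordinate CA and server certificate with openssl, then checks the server certificate against two CA bundles. It shows that a bundle holding only the root fails verification, while a bundle of subordinate + root (the shape the thread describes for caCertificate and destinationCACertificate, and for the cafile passed to curl) succeeds. The CA names and the mktemp working directory are constructed for the example; "Local CA Subordinate" only echoes the issuer shown in the curl output.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): build root -> subordinate -> leaf
# with openssl and verify the leaf against two bundles, the way the router and
# curl --cacert do. CA names and the work directory are constructed.
set -e
WORK=$(mktemp -d)

# Create a root CA, a subordinate CA signed by it, and a leaf signed by the subordinate.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Local Root CA" \
      -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Local CA Subordinate" \
      -keyout "$WORK/sub.key" -out "$WORK/sub.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
      -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/sub.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=callcenter.test.local" \
      -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" \
      -CAcreateserial -days 2 -out "$WORK/leaf.crt" >/dev/null 2>&1
  # Bundle that forgets the intermediate (what a misconfigured route field carries).
  cat "$WORK/root.crt" > "$WORK/root-only.pem"
  # Intermediate + root, the bundle the thread says the route fields need.
  cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/chain.pem"
}

# chain_ok BUNDLE LEAF: prints "ok" when LEAF chains to a CA in BUNDLE, else "fail".
chain_ok() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

make_test_pki
echo "root only:         $(chain_ok "$WORK/root-only.pem" "$WORK/leaf.crt")"  # fail
echo "intermediate+root: $(chain_ok "$WORK/chain.pem" "$WORK/leaf.crt")"      # ok
```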