Hi Aleks,
I already configured the 4 values and if I miss the intermediate CA into
the destinationCACertificate field the Origin GUI shows to me a warning
related to the certificate. The export of the command is :
apiVersion: v1
kind: Route
metadata:
creationTimestamp: null
name: callcentergw-dev-external
spec:
host: callcenter.fineco.it
port:
targetPort: 443-tcp
tls:
caCertificate: |-
-----BEGIN CERTIFICATE-----
….
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
certificate: |-
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
destinationCACertificate: |-
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
key: |-
-----BEGIN RSA PRIVATE KEY-----
…
-----END RSA PRIVATE KEY-----
termination: reencrypt
to:
kind: Service
name: callcentergw-dev
weight: 100
wildcardPolicy: None
status:
ingress:
- conditions:
- lastTransitionTime: 2017-10-18T07:54:22Z
status: "True"
type: Admitted
host: callcenter.test.local
routerName: router
wildcardPolicy: None
The second command results are the same in insecure and passing the cafile
formed by intermediate + root CA certificates.
* About to connect() to callcenter.test.local port 443 (#0)
* Trying 192.168.10.10...
* Connected to callcenter.test.local (192.168.10.10) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /tmp/new-cac.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject:
E=my.test.local,CN=callcenter.test.local,OU=test,O=Local=Milan,ST=Italy,C=IT
* start date: Mar 31 11:54:54 2016 GMT
* expire date: Mar 31 11:54:54 2018 GMT
* common name: callcenter.test.local
* issuer: CN=Local CA Subordinate,DC=milano,DC=test,DC=local,DC=it
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: callcenter.test.local
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 18 Oct 2017 08:29:17 GMT
< Server: Apache/2.4.28 (Unix) OpenSSL/1.0.2k-fips
< Location: https://callcenter.test.local/home
< Content-Length: 228
< Content-Type: text/html; charset=iso-8859-1
Marcello
On Tue, Oct 17, 2017 at 11:21 PM, Aleksandar Lazic <al...@me2digital.eu>
wrote:
> Hi Marcello.
>
> on Dienstag, 17. Oktober 2017 at 09:11 was written:
>
> > Hi,
> > I'm using a re-encrypt configuration to preserve the x-forwrded-for
> information. The configuration is:
> >
> > Name: callcentergw-dev-external
> > Namespace: dev-shared
> > Created: 17 hours ago
> > Labels: <none>
> > Annotations: <none>
> > Requested Host: callcenter.test.local
> > exposed on router router 17 hours ago
> > Path: <none>
> > TLS Termination: reencrypt
> > Insecure Policy: Redirect
> > Endpoint Port: 443-tcp
>
> > Service: callcentergw-dev
> > Weight: 100 (100%)
> > Endpoints: 10.131.0.138:443, 10.131.0.138:80
>
> I miss the destinationCACertificate maybe it's shown with export.
>
> oc export route -n dev-shared callcentergw-dev-external
>
> You can add in the GUI (=> Webinterface ) all four values under
> "Security" settings. There is a section "Certificates" .
>
> key: [as in edge termination]
> certificate: [as in edge termination]
> caCertificate: [as in edge termination]
> destinationCACertificate: ...
>
> Please can you also show us the output of
>
> curl -vk callcenter.test.local
>
> > Marcello
>
> Best Regards
> Aleks
>
> > Il 16 Ott 2017 20:45, "Aleksandar Lazic" <al...@me2digital.eu> ha
> scritto:
>
> > Hi Marcello.
>
> > on Montag, 16. Oktober 2017 at 15:23 was written:
>
> >> Hi,
> >> I have tried it and it worked fine but the problem is override the
> >> default wildcard certificate and configure a different certificate,
> >> because it's not possible to configure the intermediate CA chain into
> >> the admin panel. I tried to configure the CA cert with the root CA and
> >> the subordinate CA files and the router is ok but if I navigate the
> >> new route I received a security error.
>
> > do you use reencrypted or passthrough route
>
> > please can you show us the output of.
>
> > oc get route -n your-project
> > oc describe route -n your-project your-route
>
> > Best Regards
> > Aleks
>
>
> >> Marcello
>
> >> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <al...@me2digital.eu>
> wrote:
>
> >>
> >> Hi Marcello Lorenzi.
>
> >> have you used -servername in s_client?
>
> >> The ssl solution is based on sni (
> >> https://en.wikipedia.org/wiki/Server_Name_Indication )
>
> >> Regards
> >> Aleks
>
> >> on Donnerstag, 12. Oktober 2017 at 13:02 was written:
>
>
>
> >> Hi All,
> >> thanks for the response and we checked the configuration. If I tried
> >> to check the certificated propagate with the passthrough configuration
> >> with openssl s_client and the certificate provided is the wilcard
> >> domain certificate and not the pod itself. Is it normal?
>
> >> Thanks,
> >> Marcello
>
> >> On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <
> al...@me2digital.eu> wrote:
>
> >> Hi.
>
> >> Additionally to joel suggestion can you also use reencrypted route
> >> if you want to talk encrypted with apache webserver.
>
> >> https://docs.openshift.org/3.6/architecture/networking/
> routes.html#re-encryption-termination
>
> >> Regards
> >> Aleks
>
> >> on Mittwoch, 11. Oktober 2017 at 15:51 was written:
>
>
> >> Sorry I meant it say, it *cannot modify the http request in any way.
> >> On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson
> >> <japear...@agiledigital.com.au> wrote:
>
> >> Hi Marcelo,
>
> >> If you use Passthrough termination then that means that OpenShift
> >> cannot add the X-Forwarded-For header, because as the name suggests it
> >> is just passing the packets through and because it’s encrypted it can
> >> modify the http request in anyway.
>
> >> If you want X-Forwarded-For you will need to switch to Edge
> termination.
>
> >> Thanks,
>
> >> Joel
> >> On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <cell...@gmail.com>
> wrote:
>
> >> Hi All,
> >> we tried to configure a route on Origin 3.6 with a Passthrough
> >> termination to an Apache webserver present into a single POD but we
> >> can't notice the X-Forwarded-Header to Apache logs. We tried to
> capture it without success.
>
> >> Could you confirm if there are some method to extract it from the POD
> side?
>
> >> Thanks,
> >> Marcello
> >> _______________________________________________
> >> users mailing list
> >> users@lists.openshift.redhat.com
> >> http://lists.openshift.redhat.com/openshiftmm/listinfo/users--
> >> Kind Regards,
>
> >> Joel Pearson
> >> Agile Digital | Senior Software Consultant
>
> >> Love Your Software™ | ABN 98 106 361 273
> >> p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au--
> >> Kind Regards,
>
> >> Joel Pearson
> >> Agile Digital | Senior Software Consultant
>
> >> Love Your Software™ | ABN 98 106 361 273
> >> p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
>
_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
