Hi,
we have updated the router wildcard certificate and re-created the
route, and now the certificate works fine.

Thanks for the support,
Marcello

On Mon, Oct 23, 2017 at 9:53 PM, Aleksandar Lazic <al...@me2digital.eu>
wrote:

> Hi Marcello.
>
> on Wednesday, 18 October 2017 at 10:32 was written:
>
> > Hi Aleks,
> > I already configured the 4 values, and if I omit the intermediate CA
> > from the destinationCACertificate field the Origin GUI shows me a
> > warning related to the certificate. The output of the export command is:
>
> Are there any errors in the router logs?
>
> oc logs -n dev-shared <POD> |egrep callcentergw
>
> > apiVersion: v1
> > kind: Route
> > metadata:
> >   creationTimestamp: null
> >   name: callcentergw-dev-external
> > spec:
> >   host: callcenter.fineco.it
> >   port:
> >     targetPort: 443-tcp
> >   tls:
> >     caCertificate: |-
> >       -----BEGIN CERTIFICATE-----
> >       ….
> >       -----END CERTIFICATE-----
> >       -----BEGIN CERTIFICATE-----
> >       …
> >       -----END CERTIFICATE-----
> >     certificate: |-
> >       -----BEGIN CERTIFICATE-----
> >       …
> >       -----END CERTIFICATE-----
> >     destinationCACertificate: |-
> >       -----BEGIN CERTIFICATE-----
> >       …
> >       -----END CERTIFICATE-----
> >     key: |-
> >       -----BEGIN RSA PRIVATE KEY-----
> >       …
> >       -----END RSA PRIVATE KEY-----
> >     termination: reencrypt
> >   to:
> >     kind: Service
> >     name: callcentergw-dev
> >     weight: 100
> >   wildcardPolicy: None
> > status:
> >   ingress:
> >   - conditions:
> >     - lastTransitionTime: 2017-10-18T07:54:22Z
> >       status: "True"
> >       type: Admitted
> >     host: callcenter.test.local
> >     routerName: router
> >     wildcardPolicy: None
>
> > The results of the second command are the same with insecure and with
> > passing a cafile formed by intermediate + root CA certificates.
>
> > * About to connect() to callcenter.test.local port 443 (#0)
> > *   Trying 192.168.10.10...
> > * Connected to callcenter.test.local (192.168.10.10) port 443 (#0)
> > * Initializing NSS with certpath: sql:/etc/pki/nssdb
> > *   CAfile: /tmp/new-cac.crt
> >   CApath: none
> > * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> > * Server certificate:
> > *       subject: E=my.test.local,CN=callcenter.test.local,OU=test,O=Local Milan,ST=Italy,C=IT
> > *       start date: Mar 31 11:54:54 2016 GMT
> > *       expire date: Mar 31 11:54:54 2018 GMT
> > *       common name: callcenter.test.local
> > *       issuer: CN=Local CA Subordinate,DC=milano,DC=test,DC=local,DC=it
> > > GET / HTTP/1.1
> > > User-Agent: curl/7.29.0
> > > Host: callcenter.test.local
> > > Accept: */*
> > >
> > < HTTP/1.1 302 Found
> > < Date: Wed, 18 Oct 2017 08:29:17 GMT
> > < Server: Apache/2.4.28 (Unix) OpenSSL/1.0.2k-fips
> > < Location: https://callcenter.test.local/home
> > < Content-Length: 228
> > < Content-Type: text/html; charset=iso-8859-1
>
> > Marcello
>
> > On Tue, Oct 17, 2017 at 11:21 PM, Aleksandar Lazic <al...@me2digital.eu>
> wrote:
>
> > Hi Marcello.
>
> >  on Tuesday, 17 October 2017 at 09:11 was written:
>
>  >> Hi,
>  >> I'm using a re-encrypt configuration to preserve the X-Forwarded-For
>  >> information. The configuration is:
>  >>
>  >> Name:                   callcentergw-dev-external
>  >> Namespace:              dev-shared
>  >> Created:                17 hours ago
>  >> Labels:                 <none>
>  >> Annotations:            <none>
>  >> Requested Host:         callcenter.test.local
>  >>                           exposed on router router 17 hours ago
>  >> Path:                   <none>
>  >> TLS Termination:        reencrypt
>  >> Insecure Policy:        Redirect
>  >> Endpoint Port:          443-tcp
>
>  >> Service:        callcentergw-dev
>  >> Weight:         100 (100%)
>  >> Endpoints:      10.131.0.138:443, 10.131.0.138:80
>
> > I'm missing the destinationCACertificate; maybe it's shown with export:
>
> >  oc export route -n dev-shared callcentergw-dev-external
>
> >  You can add all four values in the GUI (=> web interface) under the
> >  "Security" settings. There is a section "Certificates".
>
> >  key: [as in edge termination]
> >  certificate: [as in edge termination]
> >  caCertificate: [as in edge termination]
> >  destinationCACertificate: ...
>
> >  Please can you also show us the output of
>
> >  curl -vk callcenter.test.local
>
>  >> Marcello
>
> >  Best Regards
> >  Aleks
>
>
>  >> On 16 Oct 2017 20:45, "Aleksandar Lazic" <al...@me2digital.eu>
> wrote:
>
>  >> Hi Marcello.
>
>  >>  on Monday, 16 October 2017 at 15:23 was written:
>
>   >>> Hi,
>   >>> I have tried it and it worked fine, but the problem is overriding the
>   >>> default wildcard certificate and configuring a different certificate,
>   >>> because it's not possible to configure the intermediate CA chain in
>   >>> the admin panel. I tried to configure the CA cert with the root CA and
>   >>> the subordinate CA files and the router is OK, but if I navigate to the
>   >>> new route I get a security error.
>
>  >>  Do you use a reencrypt or passthrough route?
>
>  >>  Please can you show us the output of:
>
>  >>  oc get route -n your-project
>  >>  oc describe route -n your-project your-route
>
>  >>  Best Regards
>  >>  Aleks
>
>
>   >>> Marcello
>
>   >>> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <
> al...@me2digital.eu> wrote:
>
>   >>>
>   >>> Hi Marcello Lorenzi.
>
>   >>>  have you used -servername in s_client?
>
>   >>>  The SSL solution is based on SNI
>   >>> (https://en.wikipedia.org/wiki/Server_Name_Indication).
>
>   >>> Regards
>   >>>  Aleks
>
>   >>> on Thursday, 12 October 2017 at 13:02 was written:
>
>
>
>   >>> Hi All,
>   >>>  thanks for the response; we checked the configuration. If I try to
>   >>> check the certificate propagated with the passthrough configuration
>   >>> with openssl s_client, the certificate provided is the wildcard
>   >>> domain certificate and not the pod's own. Is that normal?
>
>   >>>  Thanks,
>   >>>  Marcello
>
>   >>>  On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <
> al...@me2digital.eu> wrote:
>
>   >>> Hi.
>
>   >>>  In addition to Joel's suggestion, you can also use a reencrypt route
>   >>> if you want to talk encrypted to the Apache webserver.
>
>   >>> https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination
>
>   >>> Regards
>   >>>  Aleks
>
>   >>>  on Wednesday, 11 October 2017 at 15:51 was written:
>
>
>   >>> Sorry, I meant to say, it *cannot* modify the HTTP request in any way.
>   >>>  On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson
>   >>> <japear...@agiledigital.com.au> wrote:
>
>   >>> Hi Marcello,
>
>   >>>  If you use Passthrough termination then that means that OpenShift
>   >>> cannot add the X-Forwarded-For header, because, as the name suggests, it
>   >>> is just passing the packets through, and because it's encrypted it can
>   >>> modify the HTTP request in any way.
>
>   >>>  If you want X-Forwarded-For you will need to switch to Edge
>   >>> termination.
>
>   >>>  Thanks,
>
>   >>>  Joel
>   >>>  On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <
> cell...@gmail.com> wrote:
>
>   >>> Hi All,
>   >>>  we tried to configure a route on Origin 3.6 with Passthrough
>   >>> termination to an Apache webserver in a single pod, but we can't
>   >>> see the X-Forwarded-For header in the Apache logs. We tried to
>   >>> capture it without success.
>
>   >>>  Could you confirm whether there is some method to extract it from the
>   >>> pod side?
>
>   >>>  Thanks,
>   >>> Marcello
>   >>> _______________________________________________
>   >>>  users mailing list
>   >>> users@lists.openshift.redhat.com
>   >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>   >>> --
>   >>> Kind Regards,
>
>   >>>  Joel Pearson
>   >>>  Agile Digital | Senior Software Consultant
>
>   >>>  Love Your Software™ | ABN 98 106 361 273
>   >>>  p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au
>
>
>
>
>
> --
> Best Regards
> Aleks
>
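The thread turns on two checks that can be reproduced offline: a browser shows a "security error" when the served chain lacks the intermediate CA, and curl succeeds once the cafile is built from intermediate + root. The script below is an added example, not code from the thread or from OpenShift; it uses the openssl CLI to build a throwaway root -> subordinate -> leaf chain (all names, including the route host callcenter.example.test, are made up) and then shows which trust bundles let a client verify the leaf. The hostname check stands in for the case where a certificate for another name (the router's wildcard) is served for the route; the SNI behaviour of the router itself and the destinationCACertificate check the router performs against the pod are not simulated.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> subordinate -> leaf
# chain with the openssl CLI and show which bundles let a client verify the leaf.
# Every name below is made up; the chain only mimics the shape seen in the thread
# (a leaf issued by a subordinate CA that is itself issued by a root).
set -eu

ROUTE_HOST="callcenter.example.test"   # assumption: stands in for the route's host
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  # Root CA (self-signed). basicConstraints is required or verify rejects it as a CA.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  # Subordinate (intermediate) CA, issued by the root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Subordinate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

  # Leaf for the route host, issued by the subordinate; the name goes in a SAN.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$ROUTE_HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$ROUTE_HOST" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null

  # The bundle a verifying client needs: intermediate first, then root.
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/ca-bundle.crt"
}

# Root alone: no path from leaf to root. This is the situation behind a browser's
# "security error" when the served chain lacks the intermediate.
verify_root_only() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Intermediate + root, the way the curl cafile in the thread was assembled.
verify_with_bundle() {
  openssl verify -CAfile "$WORK/ca-bundle.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Chain plus hostname: a cert that chains fine but names another host still fails.
verify_for_host() {
  openssl verify -CAfile "$WORK/ca-bundle.crt" -verify_hostname "$1" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# Number of PEM certificates in a bundle file.
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

make_chain
if verify_root_only; then echo "root only: OK (unexpected)"; else echo "root only: FAIL, intermediate missing"; fi
if verify_with_bundle; then echo "intermediate+root bundle: OK"; fi
if verify_for_host "$ROUTE_HOST"; then echo "host $ROUTE_HOST: OK"; fi
if verify_for_host "wrong.example.test"; then :; else echo "host wrong.example.test: FAIL, name mismatch"; fi
echo "certificates in ca-bundle.crt: $(count_certs "$WORK/ca-bundle.crt")"
```

Run it as-is; it needs only a working openssl binary and writes everything to a temporary directory that is removed on exit. The same three verify calls can be pointed at a real route's PEM material before it is pasted into the route object: the leaf that goes in certificate, the intermediate(s) that go in caCertificate, and the host the route will answer for.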