It's hard to say what's wrong. The config you pasted earlier looks correct. I'd suggest turning on DEBUG logging for the auth logger to help troubleshoot.
https://github.com/openshift/origin-web-console#enable--disable-console-log-output https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_are_browser_developer_tools localStorage["OpenShiftLogLevel.auth"] = 'DEBUG'; Note: Don't attach the full output to the list since it might contain sensitive information. On Thu, May 17, 2018 at 10:25 AM, Dan Pungă <dan.pu...@gmail.com> wrote: > I'm using https://loadbalance.my.net:8443 to access the web console, yes. > > I'm really stuck with this one and it seems there isn't much discussion on > this topic, not even previous bugs of this sort that I can find. > I've tried different versions for the 2 configurations (the configMap and > the oauthclient file) with no result. > > > On 17.05.2018 16:46, Sam Padgett wrote: > > Can you make sure when you first visit the console (before logging in) you > use the public URL? One reason you'd see that error is if you visited > https://master1.my.net:8443/console/ first instead of the public URL. > > On Wed, May 16, 2018 at 7:34 PM, Dan Pungă <dan.pu...@gmail.com> wrote: > >> Thanks for the reply Sam! >> >> Unfortunately with this setup I get only the "invalid request" page that >> I've attached previously. But now the URL stays on >> loadbalance.my.net:8443/console: >> >> https://loadbalance.my.net:8443/console/error?error=invalid_ >> request&error_description=Client%20state%20could%20not% >> 20be%20verified&error_uri= >> >> The new configMap looks like this: >> >> apiVersion: v1 >> data: >> webconsole-config.yaml: | >> apiVersion: webconsole.config.openshift.io/v1 >> clusterInfo: >> consolePublicURL: https://loadbalance.my.net:8443/console/ >> loggingPublicURL: https://kibana.apps.my.net >> logoutPublicURL: '' >> masterPublicURL: https://loadbalance.my.net:8443 >> metricsPublicURL: https://hawkular-metrics.apps.my.net >> /hawkular/metrics >> extensions: >> properties: {} >> scriptURLs: [] >> stylesheetURLs: [] >> features: >> clusterResourceOverridesEnabled: false >> inactivityTimeoutMinutes: 0 >> kind: WebConsoleConfiguration >> servingInfo: >> bindAddress: 0.0.0.0:8443 >> bindNetwork: tcp4 >> certFile: /var/serving-cert/tls.crt >> clientCA: '' >> keyFile: /var/serving-cert/tls.key >> maxRequestsInFlight: 0 >> namedCertificates: null >> requestTimeoutSeconds: 0 >> kind: ConfigMap >> metadata: >> creationTimestamp: 2018-05-16T23:11:11Z >> name: webconsole-config >> namespace: openshift-web-console >> resourceVersion: "1187596" >> selfLink: /api/v1/namespaces/openshift-web-console/configmaps/webconso >> le-config >> uid: 6c33acdd-595e-11e8-8a63-fa163ed601cb >> >> The new oauthclient/openshift-web-console is now: >> >> apiVersion: v1 >> grantMethod: auto >> kind: OAuthClient >> metadata: >> creationTimestamp: 2018-05-16T23:20:11Z >> name: openshift-web-console >> resourceVersion: "1189032" >> selfLink: /oapi/v1/oauthclients/openshift-web-console >> uid: ae780fee-595f-11e8-8a63-fa163ed601cb >> redirectURIs: >> - https://loadbalance.my.net:8443/console >> - https://master1.my.net:8443/console >> - https://master2.my.net:8443/console >> >> Anything else I need to check maybe? >> >> >> On 17.05.2018 01:32, Sam Padgett wrote: >> >> I'd make these updates to the config map: >> >> consolePublicURL: https://loadbalance.my.net:8443/console/ >> masterPublicURL: https://loadbalance.my.net:8443 >> >> Then edit the OAuth client as cluster-admin to add the console public URL >> to the allowed callbacks. >> >> $ oc patch oauthclient/openshift-web-console -p '{"redirectURIs":[" >> https://loadbalance.my.net:8443/"]}' >> >> Editing the OAuth client should fix the invalid request error on login. >> >> Sam >> >> >> On Wed, May 16, 2018 at 6:03 PM, Dan Pungă <dan.pu...@gmail.com> wrote: >> >>> Hello all! >>> >>> I'm setting up a recently installed Openshift Origin v3.9 and I've >>> discovered a problem with the web-console. >>> The environment has 2 masters: master1 and master2 and a loadbalancer, >>> all installed via openshift-ansible. >>> I'm accessing the web-console UI with https://loadbalance.my.net:8443 >>> I've noticed some problems with the login form in the webconsole, where >>> I got some error about invalid request (attached image). On a second >>> attempt I can login succesfully. >>> >>> A second problem, maybe unrelated, is the content of the >>> webconsole-config configmap which has: >>> consolePublicURL: https://master1.my.net:8443/console/ >>> loggingPublicURL: https://.... >>> logoutPublicURL: '' >>> masterPublicURL: https://master1.my.net:8443 >>> >>> This looks like the configuration uses only the master1. I've tried >>> modifying the values for consolePublicURL and masterPublicURL to point to >>> loadbalance.my.net:8443, but after pod restart I get a json response >>> with invalid request and the console doesn't load. >>> I've checked the master-config.yaml on both masters and it "looks" fine >>> to me: >>> >>> masterPublicURL: https://master1.my.net:8443 >>> assetPublicURL: https://master1.my.net:8443/console/ >>> masterPublicURL: https://master1.my.net:8443 >>> masterURL: https://loadbalance.my.net:8443 >>> subdomain: my.net >>> >>> and the equivalent for master2. >>> >>> Also, I've read through the archives and I've checked the >>> oauthclient/openshift-web-console resource which is >>> >>> apiVersion: v1 >>> grantMethod: auto >>> kind: OAuthClient >>> metadata: >>> creationTimestamp: 2018-05-11T13:09:54Z >>> name: openshift-web-console >>> resourceVersion: "1123438" >>> selfLink: /oapi/v1/oauthclients/openshift-web-console >>> uid: 98c50270-551c-11e8-a51b-fa163ed601cb >>> redirectURIs: >>> - https://master1.my.net:8443/console/ >>> - https://master2.my.net:8443/console/ >>> >>> >>> Do you have any ideas about these 2 issues? Especially the second one. >>> >>> Thank you for any help in advance, >>> Dan Pungă >>> >>> >>> _______________________________________________ >>> users mailing list >>> users@lists.openshift.redhat.com >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users >>> >>> >> >> > >
_______________________________________________ users mailing list users@lists.openshift.redhat.com http://lists.openshift.redhat.com/openshiftmm/listinfo/users
