Hi Harri,
as far as I can tell your inventory config looks ok.
Is the hostname/CN "okd01.example.com" listed in the certificate
"/work/okd01/ssl/okd01.cert.pem"? For example '*.okd01.example.com' wouldn't work.
I remember having a similar issue...
Did you get any warnings while running the redeploy_certificates playbook?
Did you check the master API logs (run from the master node with 'master-logs
api api')? Is there a hint why the certs aren't delivered?
Is the correct certificate referenced in /etc/origin/master/master-config.yaml
(see namedCertificates)?
Did you use the same key for two different certificates on purpose?

Regards,
Nikolas
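As an added example (not code from anyone in this thread), the two checks above can be automated: RFC 6125-style hostname matching, which shows why '*.okd01.example.com' covers console.okd01.example.com but not okd01.example.com itself, plus a parser for the "Certificate chain" block that `openssl s_client` prints, so a capture like Harri's can be classified as "served by the cluster's own openshift-signer CA" versus "custom cert whose CN does not cover the name". The sample captures are constructed from the thread's output with the quote markers removed.

```python
import re

def hostname_matches(pattern, hostname):
    """RFC 6125 style: a '*' covers exactly one left-most DNS label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                    # '.okd01.example.com'
    if not hostname.endswith(suffix):
        return False
    left = hostname[:-len(suffix)]          # label(s) covered by the '*'
    return bool(left) and "." not in left   # so 'okd01.example.com' itself fails

CHAIN_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")   # '  0 s:/CN=...'
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")         # '    i:/CN=...'

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] from an s_client 'Certificate chain' block."""
    chain, subject = [], None
    for line in s_client_output.splitlines():
        m = CHAIN_LINE.match(line)
        if m:
            subject = m.group(1).strip()
        elif subject is not None and (m := ISSUER_LINE.match(line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def cn_of(dn):
    m = re.search(r"CN=([^/,]+)", dn)
    return m.group(1).strip() if m else ""

def diagnose(s_client_output, hostname):
    """'default-signer': the cluster CA issued the leaf, so the named cert was not
    picked up. 'name-mismatch': a custom cert is served but its CN does not cover
    the host (SANs are not shown in the chain block, so this is a hint only)."""
    chain = parse_chain(s_client_output)
    if not chain:
        return "no-chain"
    leaf_subject, leaf_issuer = chain[0]
    if cn_of(leaf_issuer).startswith("openshift-signer@"):
        return "default-signer"
    return "ok" if hostname_matches(cn_of(leaf_subject), hostname) else "name-mismatch"

# Constructed samples: the leaf entries from the thread's two captures.
API_CAPTURE = """Certificate chain
  0 s:/CN=172.19.96.96
    i:/CN=openshift-signer@1553169466"""
CONSOLE_CAPTURE = """Certificate chain
  0 s:/C=DE/O=example AG/CN=*.okd01.example.com
    i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA"""
```

Pipe `openssl s_client -connect okd01.example.com:8443 </dev/null` into `diagnose()` to get the verdict for a live endpoint; a "default-signer" result is the situation Harri describes.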

On Tue, 26 Mar 2019 at 17:21, James Cassell <
fedoraproj...@cyberpear.com> wrote:

> On Tue, Mar 26, 2019, at 11:49 AM, Harald Dunkel wrote:
> > Hi folks,
> >
> > I am running okd 3.11 on Centos 7.6. The inventory file registers
> > 2 certificate chains (based upon a common, private CA), as described on
> >
> https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html
> >
> > :
> > openshift_master_overwrite_named_certificates=true
> > openshift_master_named_certificates=[{"certfile":
> > "/work/okd01/ssl/okd01.cert.pem", "keyfile":
> > "/work/okd01/ssl/okd01.key.pem", "names": ["okd01.example.com"],
> > "cafile": "/work/okd01/ssl/ca.cert.pem" }]
> > openshift_hosted_router_certificate={"certfile":
> > "/work/okd01/ssl/star.okd01.cert.pem", "keyfile":
> > "/work/okd01/ssl/okd01.key.pem", "cafile":
> > "/work/okd01/ssl/ca.cert.pem" }
> > :
> >
>
> Here's what worked for me:
>
> # Custom Certs: https://blog.openshift.com/lets-encrypt-acme-v2-api/
> openshift_master_overwrite_named_certificates=true
> openshift_master_named_certificates=[{"certfile": "{{ inventory_dir
> }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{
> inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "names":
> ["master.example.com"], "cafile": "{{ inventory_dir }}/certs/archive/
> master.example.com/fullchain1.pem"}]
> openshift_hosted_router_certificate={"certfile": "{{ inventory_dir
> }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{
> inventory_dir }}/certs/archive/master.example.com/privkey1.pem",
> "cafile": "{{ inventory_dir }}/certs/archive/
> master.example.com/fullchain1.pem"}
>
>
> I may have had to re-deploy OpenShift to make it take full effect, but I
> think it worked mostly fine with the redeploy-certificates.yml playbook.
>
> I don't know if it's supported to have the console/api domain as a
> subdomain of router wildcard domain?
>
>
> V/r,
> James Cassell
>
>
>
> > Problem is: I see all certificates in /etc/origin/master and
> > especially /etc/origin/master/named_certificates, but apparently
> > the web interface doesn't use it. openssl tells me:
> >
> > % openssl s_client -connect okd01.example.com:8443
> > depth=1 CN = openshift-signer@1553169466
> > verify error:num=19:self signed certificate in certificate chain
> > CONNECTED(00000003)
> > ---
> > Certificate chain
> >   0 s:/CN=172.19.96.96
> >     i:/CN=openshift-signer@1553169466
> >   1 s:/CN=openshift-signer@1553169466
> >     i:/CN=openshift-signer@1553169466
> > ---
> > :
> > :
> >
> > Please note the self signed certificates. For the cluster console
> > I see the expected certificates instead:
> >
> > % openssl s_client -connect console.okd01.example.com:443
> > depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN =
> root-CA
> > verify return:1
> > depth=1 C = DE, O = example AG, OU = example Certificate Authority, CN =
> tls-CA
> > verify return:1
> > depth=0 C = DE, O = example AG, CN = *.okd01.example.com
> > verify return:1
> > CONNECTED(00000003)
> > ---
> > Certificate chain
> >   0 s:/C=DE/O=example AG/CN=*.okd01.example.com
> >     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
> >   1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
> >     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> >   2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> >     i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> > ---
> > Server certificate
> > :
> > :
> >
> > How come my named certificates have been lost/ignored? Are there
> > additional steps required I was too blind to see?
> >
> >
> > Every helpful comment is highly appreciated
> > Harri
> >
> > _______________________________________________
> > users mailing list
> > users@lists.openshift.redhat.com
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
> >
>