Thank you Tomas. I will try to separate urls and create a new entry for the
public name, and attach the custom certificate first. This would be the
most desirable case.
Not sure how to do it at the moment though, still digging :)

On Fri, Apr 12, 2019, 17:09 Tomas Nozicka <tnozi...@redhat.com> wrote:

> Hi,
>
> I haven't tried messing with that but the reason is that console is
> served from apiserver.
>
> But depending on what you are trying to achieve, you can wrap the
> console (and apiserver) with a Route and get free http certificates
> from Let's Encrypt like this:
>
> https://github.com/tnozicka/openshift-acme/issues/67#issuecomment-475314223
> https://github.com/tnozicka/openshift-acme#screencast
>
> Sure, if your router fails, for recovery, admin needs to use the
> unwrapped apiserver endpoint but an admin can easily set up that CA as
> trusted or ssh into the machine.
>
> Regards,
> Tomas
>
>
> On Fri, 2019-04-12 at 13:13 +0300, Leo David wrote:
> > Hi Everyone,
> > Running OKD 3.11, installed with ansible. I just need to use a
> > custom self-signed certificate for the web console, and for some
> > reason, I am not sure how to make the nodes trust this certificate
> > too.
> > I have changed the servingInfo section in
> > /etc/origin/master/master-config.yaml as per the following (with italic
> > only the added lines):
> >
> > servingInfo:
> >   bindAddress: 0.0.0.0:8443
> >   bindNetwork: tcp4
> >   certFile: master.server.crt
> >   clientCA: ca.crt
> >   keyFile: master.server.key
> >   maxRequestsInFlight: 500
> >   requestTimeoutSeconds: 3600
> >   namedCertificates:
> >     - certFile: domain.cert
> >       keyFile: domain.key
> >       names:
> >         - "lb.domain.internal"
> > The certificate is generated and self-signed for *.domain.internal.
> >
> > The problem is that now the nodes do not trust this certificate:
> > journalctl -fu origin-node
> > Apr 12 10:01:04 os-compute-2.domain.internal origin-node[3602]: E0412
> > 10:01:04.292369    3602 reflector.go:136]
> > k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list
> > *v1.Pod: Get
> > https://lb.domain.internal:8443/api/v1/pods?fieldSelector=spec.nodeName%3Dos-compute-2.domain.internal&limit=500&resourceVersion=0
> > : x509: certificate signed by unknown authority
> > Could anyone please advise me how to solve this?
> > I would avoid regenerating all the certificates using the playbooks,
> > I would rather prefer doing it manually if possible.
> > Thank you very much!
> >
> > Leo
> >
> >
> >
> >
> > _______________________________________________
> > users mailing list
> > users@lists.openshift.redhat.com
> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>
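The kubelet error Leo quotes and the recovery note from Tomas both come down to one thing: which CA bundle the client verifies the apiserver's certificate against. The script below is an added example, not part of this thread or of OKD, that reproduces the "certificate signed by unknown authority" failure offline with openssl and shows the check passing once the custom cert is added to the bundle. It assumes openssl 1.1.1 or newer; the ca.crt it creates is a constructed stand-in for the cluster signer, and only the hostnames come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl 1.1.1+ on PATH.
# ca.crt below is a constructed stand-in for the CA the nodes already trust.
set -e
WORK=$(mktemp -d)
HOST=lb.domain.internal

# The self-signed wildcard cert from the namedCertificates entry in the thread.
make_self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=*.domain.internal" -addext "subjectAltName=DNS:*.domain.internal" \
    -keyout "$WORK/domain.key" -out "$WORK/domain.cert" >/dev/null 2>&1
}

# Constructed stand-in for the cluster's own signer (the existing ca.crt).
make_cluster_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-cluster-signer" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# verify_against BUNDLE [HOSTNAME]: the check a TLS client such as the kubelet
# performs: chain domain.cert to BUNDLE and match the name. Returns 0 on success.
verify_against() {
  bundle=$1; name=${2:-$HOST}
  openssl verify -CAfile "$bundle" -verify_hostname "$name" "$WORK/domain.cert" >/dev/null 2>&1
}

# Prints openssl's verification error text, e.g. "self signed certificate".
verify_error() {
  openssl verify -CAfile "$1" "$WORK/domain.cert" 2>&1 | grep -i 'error' || true
}

# A bundle that keeps the cluster signer AND adds the custom cert, so existing
# cluster-signed endpoints keep working alongside the new public name.
make_bundle() {
  cat "$WORK/ca.crt" "$WORK/domain.cert" > "$WORK/ca-bundle.crt"
}

demo() {
  make_cluster_ca
  make_self_signed_cert
  echo "against cluster ca.crt only:"; verify_error "$WORK/ca.crt"
  make_bundle
  verify_against "$WORK/ca-bundle.crt" && echo "against ca-bundle.crt: OK for $HOST"
  verify_against "$WORK/ca-bundle.crt" other.example.org || echo "other.example.org: name mismatch"
}
```

Running `demo` prints the openssl error for the signer-only bundle, then a pass once the bundle also carries the custom cert, and a name mismatch for a host outside *.domain.internal.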