Nov 15 23:03:53 atomic-openshift-master-api[121472]: E1115 23:03:53.196173 121472 reflector.go:203] github.com/openshift/origin/pkg/project/auth/cache.go:188: Failed to list *api.Namespace: Get https://<api_server> /api/v1/namespaces?resourceVersion=0: x509: certificate signed by unknown authority
Nov 15 23:03:53 atomic-openshift-master-api[121472]: I1115 23:03:53.204024 121472 server.go:2161] http: TLS handshake error from 64.101.6.3:42824: remote error: bad certificate

Am wondering why this error since cert is fully valid. In fact, master console clearly showing green lock with right cert information.

--
Srinivas Kotaru

From: Jordan Liggitt <[email protected]>
Date: Tuesday, November 15, 2016 at 2:41 PM
To: Srinivas Naga Kotaru <[email protected]>
Cc: dev <[email protected]>
Subject: Re: namedCertificates not working

Are you seeing this from a system where you previously logged in to that URL using oc with the non-prod CA bundle?

When configured to use a non-system-roots ca bundle, oc remembers it in the local user's kubeconfig file ($KUBECONFIG or ~/.kube/config).

Try moving (or removing) the kubeconfig file and see if that allows oc to use the system roots to recognize the new certificates

On Nov 15, 2016, at 5:30 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:

Trying to deploy prod grade cert to our prod installation. Browser showing green light but CLI clients showing cert errors. OC client unable to display any projects.

Do we need to use cafile in the config? I couldn’t find right syntax. I tried caFile but no use.

Although browser showing green light and showing correct cert info, unable to display any projects including default projects after authentication

We are using separate URL for public and internal OpenShift communication. Public URL is load balanced with 3 masters. LB was configured with SS pass-through to masters and masters doing actual SSL offload.

oc login https://<API VIP>                                1 ↵
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n):

oc project default                                        1 ↵
Error from server: Get https://<api vip> /api/v1/namespaces/default: x509: certificate signed by unknown authority

assetConfig:
  logoutURL: ""
  masterPublicURL: https://apivip
  publicURL: https://apivip/console/
  servingInfo:
    bindAddress: 0.0.0.0:443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
    namedCertificates:
    - certFile: /opt/cae/certs/master/cae.crt
      keyFile: /opt/cae/certs/master/cae.key
      names:
      - "mastervip"
      - "master1"
      - "master2"
      - "master3"

servingInfo:
  bindAddress: 0.0.0.0:443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
  namedCertificates:
  - certFile: /opt/cae/certs/master/cae.crt
    keyFile: /opt/cae/certs/master/cae.key
    names:
    - "mastervip"
    - "master1"
    - "master2"
    - "master3"

--
Srinivas Kotaru

_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
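
The reply quoted above says oc remembers a non-system CA bundle in the user's kubeconfig. As an added example (not part of the thread and not OpenShift code), this shell function lists each cluster entry in a kubeconfig with the trust source recorded for it; the function names, hostnames and sample file are constructed for illustration.

```shell
# Added example: list each cluster in a kubeconfig and the trust source oc
# would use for it. Handles the block-style YAML that oc/kubectl write; it is
# not a general YAML parser.
kubeconfig_trust() {
  if [ $# -eq 0 ]; then
    # $KUBECONFIG may be a colon-separated list of files
    old_ifs=$IFS; IFS=:
    set -- ${KUBECONFIG:-$HOME/.kube/config}
    IFS=$old_ifs
  fi
  awk '
    function flush() {
      if (server != "") print server "\t" (trust == "" ? "system-roots" : trust)
      server = ""; trust = ""
    }
    FNR == 1     { flush(); in_clusters = 0 }
    /^[^ #-]/    { flush(); in_clusters = ($1 == "clusters:"); next }
    !in_clusters { next }
    /^- /        { flush() }                 # next entry in the clusters list
                 { sub(/^[- ]+/, ""); gsub(/"/, "") }
    $1 == "server:"                     { server = $2 }
    $1 == "certificate-authority:"      { trust = "ca-file:" $2 }
    $1 == "certificate-authority-data:" { trust = "ca-data" }
    $1 == "insecure-skip-tls-verify:" && $2 == "true" { trust = "insecure-skip-tls-verify" }
    END { flush() }
  ' "$@"
}

# Constructed sample kubeconfig (hostnames and CA blob are placeholders).
sample_kubeconfig() {
  cat <<'EOF'
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: UExBQ0VIT0xERVI=
    server: https://api.example.test:443
  name: api-example-test:443
- cluster:
    server: https://api2.example.test:443
  name: api2-example-test:443
- cluster:
    insecure-skip-tls-verify: true
    server: https://lab.example.test:8443
  name: lab-example-test:8443
contexts: []
kind: Config
EOF
}
```

A `ca-file:` or `ca-data` result for the API URL means oc validates the server against that remembered bundle rather than the system roots, and `insecure-skip-tls-verify` means a previous login accepted the insecure prompt.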
