Issue got fixed. I am using a SAN cert and included the individual master names
in the cert as well. I also included these individual master names in the
configuration under names:
names:
- "mastervip"
- "master1"
- "master2"
- "master3"
After removing the individual master names, the issue got fixed. Now the
configuration has just the public URL.
I am able to see projects in the browser and CLI after authentication.
However, curl and oc clients are still throwing a warning and not trusting the certificate:
oc login https://masterpublicurl
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could
be intercepted by others.
Use insecure connections? (y/n):
Any idea why? Although it is a prod-grade cert from a well-known CA.
--
Srinivas Kotaru
From: Srinivas Naga Kotaru <[email protected]>
Date: Tuesday, November 15, 2016 at 3:06 PM
To: Jordan Liggitt <[email protected]>
Cc: dev <[email protected]>
Subject: Re: namedCertificates not working
Nov 15 23:03:53 atomic-openshift-master-api[121472]: E1115 23:03:53.196173
121472 reflector.go:203]
github.com/openshift/origin/pkg/project/auth/cache.go:188: Failed to list
*api.Namespace: Get https://<api_server>/api/v1/namespaces?resourceVersion=0:
x509: certificate signed by unknown authority
Nov 15 23:03:53 atomic-openshift-master-api[121472]: I1115 23:03:53.204024
121472 server.go:2161] http: TLS handshake error from 64.101.6.3:42824: remote
error: bad certificate
I am wondering why this error occurs, since the cert is fully valid. In fact, the master
console is clearly showing a green lock with the right cert information.
--
Srinivas Kotaru
From: Jordan Liggitt <[email protected]>
Date: Tuesday, November 15, 2016 at 2:41 PM
To: Srinivas Naga Kotaru <[email protected]>
Cc: dev <[email protected]>
Subject: Re: namedCertificates not working
Are you seeing this from a system where you previously logged in to that URL
using oc with the non-prod CA bundle? When configured to use a non-system-roots
ca bundle, oc remembers it in the local user's kubeconfig file ($KUBECONFIG or
~/.kube/config).
Try moving (or removing) the kubeconfig file and see if that allows oc to use
the system roots to recognize the new certificates.
On Nov 15, 2016, at 5:30 PM, Srinivas Naga Kotaru (skotaru)
<[email protected]> wrote:
Trying to deploy a prod-grade cert to our prod installation. The browser is showing a
green light but CLI clients are showing cert errors. The oc client is unable to display
any projects. Do we need to use cafile in the config? I couldn't find the right
syntax. I tried caFile but to no use.
Although the browser is showing a green light and the correct cert info, I am unable to
display any projects, including the default projects, after authentication.
We are using separate URLs for public and internal OpenShift communication.
The public URL is load balanced across 3 masters. The LB was configured with SSL
pass-through to the masters, and the masters are doing the actual SSL offload.
oc login https://<API VIP>
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could
be intercepted by others.
Use insecure connections? (y/n):
oc project default
Error from server: Get https://<api vip>/api/v1/namespaces/default: x509: certificate signed by unknown authority
assetConfig:
  logoutURL: ""
  masterPublicURL: https://apivip
  publicURL: https://apivip/console/
  servingInfo:
    bindAddress: 0.0.0.0:443
    bindNetwork: tcp4
    certFile: master.server.crt
    clientCA: ""
    keyFile: master.server.key
    maxRequestsInFlight: 0
    requestTimeoutSeconds: 0
    namedCertificates:
    - certFile: /opt/cae/certs/master/cae.crt
      keyFile: /opt/cae/certs/master/cae.key
      names:
      - "mastervip"
      - "master1"
      - "master2"
      - "master3"
servingInfo:
  bindAddress: 0.0.0.0:443
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: 500
  requestTimeoutSeconds: 3600
  namedCertificates:
  - certFile: /opt/cae/certs/master/cae.crt
    keyFile: /opt/cae/certs/master/cae.key
    names:
    - "mastervip"
    - "master1"
    - "master2"
    - "master3"
--
Srinivas Kotaru
_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
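The two failure modes in this thread (the master's own reflector rejecting its peer once the public SAN cert also covered master1..master3, and oc rejecting the public cert because its kubeconfig still pinned the cluster's ca.crt) both come down to which certificate is served for a given SNI name and which CA bundle the client carries. The program below is an added example written for this page; it is not code from the thread or from OpenShift. It mints two throwaway CAs in memory (the cluster signer behind ca.crt/master.server.crt, and a stand-in for the well-known public CA), builds the serving material from the posted config, and models the namedCertificates selection as "serve the named cert whose names list contains the SNI host, otherwise the default certFile". That selection rule, the CA names and the host names master1..master3/mastervip are assumptions taken from the thread, not OpenShift's own selection code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// issue mints a throwaway P-256 certificate for the given SANs. With parent
// nil it is a self-signed CA; otherwise it is a server cert signed by parent.
func issue(cn string, sans []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		DNSNames:              sans,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// namedCert is one servingInfo.namedCertificates entry: names plus the cert.
type namedCert struct {
	names []string
	cert  *x509.Certificate
}

// lab holds the two trust stores a client might carry and the master's
// serving material: the default certFile (signed by ca.crt) plus named certs.
type lab struct {
	internalCA, publicCA *x509.CertPool
	def                  *x509.Certificate
	named                []namedCert
}

// buildLab reproduces the thread's setup (constructed stand-ins, not real
// material): ca.crt signs master.server.crt for master1..master3, and a
// stand-in public CA signs the SAN cert listed under namedCertificates.
func buildLab(publicNames []string) lab {
	ca, caKey := issue("openshift-signer", nil, nil, nil)
	pub, pubKey := issue("Stand-in Public CA", nil, nil, nil)
	def, _ := issue("master.server", []string{"master1", "master2", "master3"}, ca, caKey)
	cae, _ := issue("mastervip", publicNames, pub, pubKey)
	internal, public := x509.NewCertPool(), x509.NewCertPool()
	internal.AddCert(ca)
	public.AddCert(pub)
	return lab{internalCA: internal, publicCA: public, def: def,
		named: []namedCert{{names: publicNames, cert: cae}}}
}

// outcome models one connection (an assumption about master behaviour, not
// OpenShift's own selection code): a named entry whose names contain the SNI
// host is served, else the default cert; the client then chains the served
// leaf to its roots and checks the host name, which is what oc and curl do.
func (l lab) outcome(sni string, roots *x509.CertPool) error {
	served := l.def
	for _, nc := range l.named {
		for _, n := range nc.names {
			if strings.EqualFold(n, sni) {
				served = nc.cert
			}
		}
	}
	_, err := served.Verify(x509.VerifyOptions{DNSName: sni, Roots: roots})
	return err
}

// unknownAuthority reports whether err is the "x509: certificate signed by
// unknown authority" failure quoted in the thread.
func unknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	posted := buildLab([]string{"mastervip", "master1", "master2", "master3"})
	fixed := buildLab([]string{"mastervip"})
	for _, l := range []lab{posted, fixed} {
		fmt.Println("named cert covers:", l.named[0].names)
		fmt.Println("  master -> master1, trusts ca.crt:      ", l.outcome("master1", l.internalCA))
		fmt.Println("  browser -> mastervip, system roots:    ", l.outcome("mastervip", l.publicCA))
		fmt.Println("  oc -> mastervip, kubeconfig has ca.crt:", l.outcome("mastervip", l.internalCA))
	}
}
```

With the posted config the first line reports the unknown-authority error for the master-to-master1 path, which is the reflector error in the journal; with the public cert limited to mastervip that path is clean, while oc still fails until the ca.crt pinned in its kubeconfig is removed, which is Jordan's point. On a live cluster the same two checks are `openssl s_client -servername <name> -connect <host>:443` to see which certificate is served for each SNI name, and `oc config view` to see whether the cluster entry carries certificate-authority-data that overrides the system roots.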