What does `curl -vvv https://<masterpublicurl>` show?

On Tue, Nov 15, 2016 at 6:56 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
> Issue got fixed. I am using a SAN cert and included the individual master names in the cert as well. I had also included these individual master names in the configuration under names:
>
>     names:
>     - "mastervip"
>     - "master1"
>     - "master2"
>     - "master3"
>
> After removing the individual master names the issue got fixed. Now the configuration has just the public URL.
>
> Able to see projects in the browser and CLI after authentication.
>
> However, curl and oc clients are still throwing a warning and not trusting the certificate:
>
>     oc login https://masterpublicurl
>     The server uses a certificate signed by an unknown authority.
>     You can bypass the certificate check, but any data you send to the server could be intercepted by others.
>     Use insecure connections? (y/n):
>
> Any idea why? Although it is a prod-grade cert from a well-known CA.
>
> --
> Srinivas Kotaru
>
> From: Srinivas Naga Kotaru <[email protected]>
> Date: Tuesday, November 15, 2016 at 3:06 PM
> To: Jordan Liggitt <[email protected]>
> Cc: dev <[email protected]>
> Subject: Re: namedCertificates not working
>
>     Nov 15 23:03:53 atomic-openshift-master-api[121472]: E1115 23:03:53.196173 121472 reflector.go:203] github.com/openshift/origin/pkg/project/auth/cache.go:188: Failed to list *api.Namespace: Get https://<api_server>/api/v1/namespaces?resourceVersion=0: x509: certificate signed by unknown authority
>     Nov 15 23:03:53 atomic-openshift-master-api[121472]: I1115 23:03:53.204024 121472 server.go:2161] http: TLS handshake error from 64.101.6.3:42824: remote error: bad certificate
>
> Am wondering why this error occurs, since the cert is fully valid. In fact, the master console is clearly showing a green lock with the right cert information.
>
> --
> Srinivas Kotaru
>
> From: Jordan Liggitt <[email protected]>
> Date: Tuesday, November 15, 2016 at 2:41 PM
> To: Srinivas Naga Kotaru <[email protected]>
> Cc: dev <[email protected]>
> Subject: Re: namedCertificates not working
>
> Are you seeing this from a system where you previously logged in to that URL using oc with the non-prod CA bundle? When configured to use a non-system-roots CA bundle, oc remembers it in the local user's kubeconfig file ($KUBECONFIG or ~/.kube/config).
>
> Try moving (or removing) the kubeconfig file and see if that allows oc to use the system roots to recognize the new certificates.
>
> On Nov 15, 2016, at 5:30 PM, Srinivas Naga Kotaru (skotaru) <[email protected]> wrote:
>
> Trying to deploy a prod-grade cert to our prod installation. The browser is showing a green light but CLI clients are showing cert errors. The oc client is unable to display any projects. Do we need to use cafile in the config? I couldn't find the right syntax. I tried caFile but no use.
>
> Although the browser is showing a green light and the correct cert info, I am unable to display any projects, including the default projects, after authentication.
>
> We are using separate URLs for public and internal OpenShift communication. The public URL is load balanced across 3 masters. The LB was configured with SSL pass-through to the masters, and the masters are doing the actual SSL offload.
>
>     oc login https://<API VIP>
>     The server uses a certificate signed by an unknown authority.
>     You can bypass the certificate check, but any data you send to the server could be intercepted by others.
>     Use insecure connections? (y/n):
>
>     oc project default
>     Error from server: Get https://<api vip>/api/v1/namespaces/default: x509: certificate signed by unknown authority
>
>     assetConfig:
>       logoutURL: ""
>       masterPublicURL: https://apivip
>       publicURL: https://apivip/console/
>       servingInfo:
>         bindAddress: 0.0.0.0:443
>         bindNetwork: tcp4
>         certFile: master.server.crt
>         clientCA: ""
>         keyFile: master.server.key
>         maxRequestsInFlight: 0
>         requestTimeoutSeconds: 0
>         namedCertificates:
>         - certFile: /opt/cae/certs/master/cae.crt
>           keyFile: /opt/cae/certs/master/cae.key
>           names:
>           - "mastervip"
>           - "master1"
>           - "master2"
>           - "master3"
>
>     servingInfo:
>       bindAddress: 0.0.0.0:443
>       bindNetwork: tcp4
>       certFile: master.server.crt
>       clientCA: ca.crt
>       keyFile: master.server.key
>       maxRequestsInFlight: 500
>       requestTimeoutSeconds: 3600
>       namedCertificates:
>       - certFile: /opt/cae/certs/master/cae.crt
>         keyFile: /opt/cae/certs/master/cae.key
>         names:
>         - "mastervip"
>         - "master1"
>         - "master2"
>         - "master3"
>
> --
> Srinivas Kotaru
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
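The two client-side checks the thread turns on, as an added shell example that is not part of the mailing-list posts or of the OpenShift project: Jordan Liggitt's point that oc keeps a non-system CA bundle in the kubeconfig cluster entry, so a later certificate from a public CA is rejected with `x509: certificate signed by unknown authority` when verified against that remembered bundle; and the SAN requirement behind the SAN-cert fix, since oc and curl also require the name being dialled (the VIP or an individual master name) to appear in the certificate. The CA names, the `example.test` hostnames and the kubeconfig contents are constructed for the demo; it needs only `openssl` and `awk` and touches no live cluster.

```shell
#!/bin/sh
# Added example, not from the thread or from the OpenShift project. Reproduces
# with throwaway CAs what oc and curl check, and lists kubeconfig cluster
# entries that pin a CA bundle. CA names, example.test hostnames and the
# kubeconfig below are constructed for this demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: self-signed CA (key + cert) under $WORK, CA:TRUE set explicitly.
make_ca() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 -sha256 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_server_cert CA NAME SANS: leaf cert for NAME signed by CA; SANS like "DNS:a,DNS:b".
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$3" \
    > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}

# check_trust CAFILE CERT HOST: what a TLS client with a pinned bundle does:
# chain CERT to CAFILE and require HOST in the SAN. Exit 0 = trusted.
check_trust() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# pinned_clusters KUBECONFIG: print "<cluster name> <keys>" for every cluster
# entry whose CA bundle or insecure flag overrides the system roots.
pinned_clusters() {
  awk '
    /^- cluster:/ { pinned = "" }
    /^    (certificate-authority|certificate-authority-data|insecure-skip-tls-verify):/ {
      key = $1; sub(/:$/, "", key)
      pinned = pinned (pinned == "" ? "" : ",") key
    }
    /^  name:/ && pinned != "" { print $2, pinned }
  ' "$1"
}

# --- demo -------------------------------------------------------------------
make_ca old-ca "openshift-signer non-prod CA remembered by oc"
make_ca public-ca "Well-known public CA"
# The prod cert is a SAN cert carrying the VIP and one individual master name.
issue_server_cert public-ca master "DNS:apivip.example.test,DNS:master1.example.test"

for ca in old-ca public-ca; do
  if check_trust "$WORK/$ca.crt" "$WORK/master.crt" apivip.example.test; then
    echo "$ca: trusted"
  else
    echo "$ca: x509: certificate signed by unknown authority"
  fi
done
# A master name missing from the SAN fails even against the right CA.
check_trust "$WORK/public-ca.crt" "$WORK/master.crt" master2.example.test \
  && echo "master2: trusted" || echo "master2: not in SAN, rejected"

# Constructed kubeconfig: oc stored the non-prod bundle for the first cluster
# (the value is a base64 placeholder, not a real bundle).
cat > "$WORK/kubeconfig" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
    server: https://apivip.example.test:443
  name: apivip-example-test:443
- cluster:
    server: https://other.example.test:443
  name: other-example-test:443
EOF
echo "clusters pinning a CA bundle:"
pinned_clusters "$WORK/kubeconfig"
```

Against a live cluster the equivalent checks are `openssl s_client -connect <masterpublicurl>:443 -servername <masterpublicurl> -showcerts`, which shows the chain the master actually serves for that SNI name (relevant with `namedCertificates`, since a different name can get a different certificate), and `oc config view --raw`, which shows whether the cluster entry for that server carries `certificate-authority-data`. Removing that entry, or the whole kubeconfig as suggested in the thread, lets oc fall back to the system roots; `oc login --certificate-authority=<bundle>` replaces the remembered bundle explicitly. The `reflector.go` error in the master log is a different client again: the master's own loopback connection, which verifies against the internal CA rather than the public one, which fits the report that the individual master names had to come out of `namedCertificates` before project listing worked.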
