If you put single quotes around it, the shell won't substitute the variable:
oadm ca create-server-cert --signer-cert=ca.crt \
--signer-key=ca.key --signer-serial=ca.serial.txt \
--hostnames='docker-registry.default.svc.cluster.local,$RESULT' \
--cert=registry.crt --key=registry.key
You probably want
oadm ca create-server-cert --signer-cert=ca.crt \
--signer-key=ca.key --signer-serial=ca.serial.txt \
--hostnames="docker-registry.default.svc.cluster.local,$RESULT" \
--cert=registry.crt --key=registry.key
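As an added illustration (not part of this thread, and not OpenShift's own code), the POSIX sh script below reproduces the quoting difference above on a constructed `oc get svc` output, refuses to hand oadm a --hostnames value that still carries an unexpanded variable, and checks that the subjectAltName of the generated certificate actually lists the cluster IP, which is the exact condition the x509 error in the build log complains about. The function names, the sample service output and the sample openssl output are assumptions made for the example; oadm itself is only printed, never executed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the sample `oc get svc`
# output and the sample openssl output below are constructed for illustration.

# Constructed stand-in for what `oc get svc/docker-registry` prints (not run here).
SAMPLE_SVC_OUTPUT='NAME              CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
docker-registry   172.30.221.132   <none>        5000/TCP   1d'

# Extract the cluster IP: skip the header row by line number rather than by
# matching its label, so a renamed header cannot leak into the result.
registry_ip() {
    printf '%s\n' "$SAMPLE_SVC_OUTPUT" | awk 'NR > 1 { print $2 }'
}

# What the thread's single-quoted argument really produces: the shell hands
# oadm the literal text "$RESULT", so the certificate never gets the IP.
hostnames_single_quoted() {
    RESULT=$1
    printf '%s' 'docker-registry.default.svc.cluster.local,$RESULT'
}

# The fix: double quotes make the *calling* shell expand $RESULT before the
# command runs, so it does not matter that sudo resets the environment.
hostnames_double_quoted() {
    RESULT=$1
    printf '%s' "docker-registry.default.svc.cluster.local,$RESULT"
}

# Guard worth keeping in any script that wraps oadm: refuse an empty
# --hostnames value or one that still carries an unexpanded "$".
check_hostnames() {
    case $1 in
        '' | *'$'*) return 1 ;;
    esac
    return 0
}

# Assemble the oadm command line (printed, not executed: no cluster here).
# Prefixing it with sudo would not change the already-expanded --hostnames.
build_oadm_cmd() {
    ip=$(registry_ip)
    hosts=$(hostnames_double_quoted "$ip")
    if ! check_hostnames "$hosts"; then
        echo "refusing to run oadm with --hostnames='$hosts'" >&2
        return 1
    fi
    printf 'oadm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames=%s --cert=registry.crt --key=registry.key\n' "$hosts"
}

# After generating registry.crt, confirm the IP SAN is present before the
# registry is restarted with it. The real input would come from:
#   openssl x509 -in registry.crt -noout -text | grep -A1 'Subject Alternative Name'
# Entries are split on commas and compared exactly, so 172.30.221.13 does
# not pass for 172.30.221.132.
cert_lists_ip() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "IP Address:$2"
}

# Constructed openssl output: a cert built from the double-quoted argument,
# and one built from the single-quoted argument (no IP SAN at all).
SAMPLE_SAN_OK='X509v3 Subject Alternative Name:
    DNS:docker-registry.default.svc.cluster.local, IP Address:172.30.221.132'
SAMPLE_SAN_BAD='X509v3 Subject Alternative Name:
    DNS:docker-registry.default.svc.cluster.local, DNS:$RESULT'

build_oadm_cmd
```

Running the script prints the fully expanded oadm line; the cert_lists_ip check is the one to run against the real registry.crt before restarting the registry, since the push in the thread only fails at TLS handshake time, long after the cert was written.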
On Wed, Feb 10, 2016 at 5:56 AM, Den Cowboy <[email protected]> wrote:
> Is it impossible to use an env-variable in this oadm command?
> I tried everything. But it always fails. When I fill it in manually it
> works:
>
> RESULT=$(oc get svc/docker-registry | awk '!/CLUSTER_IP/{print $2}')
>
> # create certificates
> cd /etc/origin/master/
>
> echo $RESULT
> --> shows IP
>
> echo "oadm ca create-server-cert --signer-cert=ca.crt \
> --signer-key=ca.key --signer-serial=ca.serial.txt \
> --hostnames='docker-registry.default.svc.cluster.local,$RESULT' \
> --cert=registry.crt --key=registry.key"
>
> --> shows right command
>
> oadm ca create-server-cert --signer-cert=ca.crt \
> --signer-key=ca.key --signer-serial=ca.serial.txt \
> --hostnames='docker-registry.default.svc.cluster.local,$RESULT' \
> --cert=registry.crt --key=registry.key
>
> --> Seems to fill in the IP --> error: bad certificate.
>
> oadm ca create-server-cert --signer-cert=ca.crt \
> --signer-key=ca.key --signer-serial=ca.serial.txt \
> --hostnames='docker-registry.default.svc.cluster.local,172.30.x.x' \
> --cert=registry.crt --key=registry.key
>
> --> works well
>
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: Securing registry failed: error bad certificate
> Date: Tue, 9 Feb 2016 13:26:33 +0000
> CC: [email protected]
>
>
> I think I found the answer. It's probably not an OpenShift issue (so I want to
> apologize).
> I think it's because I'm executing the 'oadm' command as sudo (because
> otherwise I don't have permissions).
> But when I execute sudo the env-variable isn't known.
>
> But another question, related to this:
> What's the best way to execute those commands in OpenShift? Because the
> documentation is always using
> '$' (so no root privileges). But then I have no permission on some keys in
> my /etc/origin/master file.
> Do you execute a chmod on those files or how are you solving this?
>
> Thanks.
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: Securing registry failed: error bad certificate
> Date: Tue, 9 Feb 2016 13:01:58 +0000
> CC: [email protected]
>
> This is so weird. I really don't understand it:
> What I did now:
> 1) Run the first part of the script
> 2) execute the oadm ca create-server-cert command manually
> 3) Run the second part of the script
>
> This worked. I'm able to log in to my secure registry.
>
> The sudo oadm ca create-server-cert can't handle environment variables or
> what's wrong with it?
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> Subject: RE: Securing registry failed: error bad certificate
> Date: Tue, 9 Feb 2016 12:22:57 +0000
> CC: [email protected]
>
> Thanks for the fast response.
> Well, I performed this already manually and then the security was working.
> But now I wanted to script this.
> So I used:
>
> # get Cluster-IP
> RESULT=$(oc get svc/docker-registry | awk '!/CLUSTER_IP/{print $2}')
> --> echo $RESULT gave me the IP of the service
>
>
> sudo oadm ca create-server-cert --signer-cert=ca.crt \
> --signer-key=ca.key --signer-serial=ca.serial.txt \
> --hostnames='docker-registry.default.svc.cluster.local,$RESULT' \
> --cert=registry.crt --key=registry.key
>
> When I echo the command I really get the IP on the place of $RESULT.
>
>
>
> ------------------------------
> Date: Tue, 9 Feb 2016 07:13:45 -0500
> Subject: Re: Securing registry failed: error bad certificate
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> It's saying the cert doesn't have the IP address of the registry listed as
> a subjectAltName. What command did you run to generate your cert?
>
> On Tuesday, February 9, 2016, Den Cowboy <[email protected]> wrote:
>
> I try to secure my registry but it fails:
> These are the logs after a push:
> I've checked the certificate: the ca.crt has the same content as the
> second part of my generated secret. So I don't know why this certificate is
> bad?
>
> I0209 11:54:53.887517 1 sti.go:315] Successfully built
> 172.30.221.132:5000/test2/test2:latest
> I0209 11:54:53.917560 1 cleanup.go:23] Removing temporary directory
> /tmp/s2i-build586685329
> I0209 11:54:53.917581 1 fs.go:117] Removing directory
> '/tmp/s2i-build586685329'
> I0209 11:54:53.919251 1 sti.go:214] Using provided push secret for pushing
> 172.30.221.132:5000/test2/test2:latest image
> I0209 11:54:53.919274 1 sti.go:218] Pushing
> 172.30.221.132:5000/test2/test2:latest image ...
> E0209 11:54:53.929640 1 dockerutil.go:78] push for image
> 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds
> ...
> E0209 11:54:58.939648 1 dockerutil.go:78] push for image
> 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds
> ...
> E0209 11:55:03.960704 1 dockerutil.go:78] push for image
> 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds
> ...
> E0209 11:55:08.967635 1 dockerutil.go:78] push for image
> 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds
> ...
> E0209 11:55:13.976535 1 dockerutil.go:78] push for image
> 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds
> ...
> E0209 11:55:18.986800 1 dockerutil.go:78] push for image
> 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds
> ...
> E0209 11:55:23.999629 1 dockerutil.go:78] push for image
> 172.30.221.132:5000/test2/test2:latest failed, will retry in 5s seconds
> ...
> I0209 11:55:28.999901 1 sti.go:223] Registry server Address:
> I0209 11:55:28.999950 1 sti.go:224] Registry server User Name:
> serviceaccount
> I0209 11:55:28.999970 1 sti.go:225] Registry server Email:
> [email protected]
> I0209 11:55:28.999989 1 sti.go:230] Registry server Password:
> <<non-empty>>
> F0209 11:55:29.000054 1 builder.go:185] Error: build error: Failed to push
> image. Response from registry is: unable to ping registry endpoint
> https://172.30.221.132:5000/v0/
> v2 ping attempt failed with error: Get https://172.30.221.132:5000/v2/:
> x509: cannot validate certificate for 172.30.221.132 because it doesn't
> contain any IP SANs
> v1 ping attempt failed with error: Get
> https://172.30.221.132:5000/v1/_ping: x509: cannot validate certificate
> for 172.30.221.132 because it doesn't contain any IP SANs
>
> These are the logs of the registry itself:
> time="2016-02-09T11:50:54.384124563Z" level=info msg="redis not
> configured" go.version=go1.4.2
> instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
>
> time="2016-02-09T11:50:54.38411731Z" level=info msg="Starting upload purge
> in 6m0s" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
>
> time="2016-02-09T11:50:54.384179893Z" level=info msg="using inmemory blob
> descriptor cache" go.version=go1.4.2
> instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
>
> time="2016-02-09T11:50:54.384208064Z" level=info msg="Using Origin Auth
> handler"
> time="2016-02-09T11:50:54.38423117Z" level=debug msg="configured
> \"openshift\" access controller" go.version=go1.4.2
> instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
>
> time="2016-02-09T11:50:54.384447261Z" level=info msg="listening on :5000,
> tls" go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
> 10.1.0.1 - - [09/Feb/2016:11:51:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:51:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:51:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:51:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:51:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:51:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:52:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:52:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:52:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:52:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:52:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:52:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:53:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:53:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:53:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:53:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:53:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:53:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:54:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:54:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:54:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:54:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:54:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:54:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:54:53.939908 I | http: TLS handshake error from
> 10.1.1.1:59082: remote error: bad certificate
> 2016-02-09 11:54:53.949806 I | http: TLS handshake error from
> 10.1.1.1:59083: remote error: bad certificate
> 2016-02-09 11:54:53.951173 I | http: TLS handshake error from
> 10.1.1.1:59081: remote error: bad certificate
> 2016-02-09 11:54:58.948438 I | http: TLS handshake error from
> 10.1.1.1:59086: remote error: bad certificate
> 2016-02-09 11:54:58.957545 I | http: TLS handshake error from
> 10.1.1.1:59088: remote error: bad certificate
> 2016-02-09 11:54:58.961057 I | http: TLS handshake error from
> 10.1.1.1:59087: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:55:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:55:03.963091 I | http: TLS handshake error from
> 10.1.1.1:59090: remote error: bad certificate
> 2016-02-09 11:55:03.963511 I | http: TLS handshake error from
> 10.1.1.1:59089: remote error: bad certificate
> 2016-02-09 11:55:03.972225 I | http: TLS handshake error from
> 10.1.1.1:59091: remote error: bad certificate
> 2016-02-09 11:55:08.979689 I | http: TLS handshake error from
> 10.1.1.1:59094: remote error: bad certificate
> 2016-02-09 11:55:08.985091 I | http: TLS handshake error from
> 10.1.1.1:59096: remote error: bad certificate
> 2016-02-09 11:55:08.992347 I | http: TLS handshake error from
> 10.1.1.1:59095: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:55:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:55:13.987433 I | http: TLS handshake error from
> 10.1.1.1:59097: remote error: bad certificate
> 2016-02-09 11:55:13.993870 I | http: TLS handshake error from
> 10.1.1.1:59099: remote error: bad certificate
> 2016-02-09 11:55:13.999576 I | http: TLS handshake error from
> 10.1.1.1:59098: remote error: bad certificate
> 2016-02-09 11:55:18.995454 I | http: TLS handshake error from
> 10.1.1.1:59102: remote error: bad certificate
> 2016-02-09 11:55:19.004155 I | http: TLS handshake error from
> 10.1.1.1:59104: remote error: bad certificate
> 2016-02-09 11:55:19.007233 I | http: TLS handshake error from
> 10.1.1.1:59103: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:55:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:55:24.017056 I | http: TLS handshake error from
> 10.1.1.1:59107: remote error: bad certificate
> 2016-02-09 11:55:24.019580 I | http: TLS handshake error from
> 10.1.1.1:59106: remote error: bad certificate
> 2016-02-09 11:55:24.019902 I | http: TLS handshake error from
> 10.1.1.1:59105: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:55:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:55:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:55:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:56:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:56:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:56:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:56:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:56:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:56:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> time="2016-02-09T11:56:54.384405174Z" level=info msg="PurgeUploads
> starting: olderThan=2016-02-02 11:56:54.384326249 +0000 UTC,
> actuallyDelete=true"
> time="2016-02-09T11:56:54.38543244Z" level=debug
> msg="filesystem.List(\"/docker/registry/v2/repositories\")"
> go.version=go1.4.2 instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
> trace.duration=910.417µs trace.file="/go/src/
> github.com/openshift/origin/Godeps/_workspace/src/github.com/docker/distribution/registry/storage/driver/base/base.go"
> trace.func="github.com/docker/distribution/registry/storage/driver/base.(*Base).List"
> trace.id=e8a053f5-3935-4133-acd3-998e2fc004b8 trace.line=154
> time="2016-02-09T11:56:54.385487781Z" level=info msg="Purge uploads
> finished. Num deleted=0, num errors=1"
> time="2016-02-09T11:56:54.385509417Z" level=info msg="Starting upload
> purge in 24h0m0s" go.version=go1.4.2
> instance.id=0af8425a-7aef-44e4-9939-1105ac8d92fa
>
> 10.1.0.1 - - [09/Feb/2016:11:57:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:57:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:57:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:57:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:57:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:57:43.067255 I | http: TLS handshake error from
> 10.1.1.1:59142: remote error: bad certificate
> 2016-02-09 11:57:43.068824 I | http: TLS handshake error from
> 10.1.1.1:59140: remote error: bad certificate
> 2016-02-09 11:57:43.076552 I | http: TLS handshake error from
> 10.1.1.1:59141: remote error: bad certificate
> 2016-02-09 11:57:48.073338 I | http: TLS handshake error from
> 10.1.1.1:59146: remote error: bad certificate
> 2016-02-09 11:57:48.081751 I | http: TLS handshake error from
> 10.1.1.1:59145: remote error: bad certificate
> 2016-02-09 11:57:48.082256 I | http: TLS handshake error from
> 10.1.1.1:59147: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:57:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:57:53.080354 I | http: TLS handshake error from
> 10.1.1.1:59148: remote error: bad certificate
> 2016-02-09 11:57:53.096420 I | http: TLS handshake error from
> 10.1.1.1:59149: remote error: bad certificate
> 2016-02-09 11:57:53.096597 I | http: TLS handshake error from
> 10.1.1.1:59150: remote error: bad certificate
> 2016-02-09 11:57:58.102439 I | http: TLS handshake error from
> 10.1.1.1:59154: remote error: bad certificate
> 2016-02-09 11:57:58.105124 I | http: TLS handshake error from
> 10.1.1.1:59153: remote error: bad certificate
> 2016-02-09 11:57:58.106115 I | http: TLS handshake error from
> 10.1.1.1:59155: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:58:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:58:03.109765 I | http: TLS handshake error from
> 10.1.1.1:59156: remote error: bad certificate
> 2016-02-09 11:58:03.116820 I | http: TLS handshake error from
> 10.1.1.1:59158: remote error: bad certificate
> 2016-02-09 11:58:03.124064 I | http: TLS handshake error from
> 10.1.1.1:59157: remote error: bad certificate
> 2016-02-09 11:58:08.120395 I | http: TLS handshake error from
> 10.1.1.1:59162: remote error: bad certificate
> 2016-02-09 11:58:08.127914 I | http: TLS handshake error from
> 10.1.1.1:59163: remote error: bad certificate
> 2016-02-09 11:58:08.131500 I | http: TLS handshake error from
> 10.1.1.1:59161: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:58:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 2016-02-09 11:58:13.134620 I | http: TLS handshake error from
> 10.1.1.1:59165: remote error: bad certificate
> 2016-02-09 11:58:13.138467 I | http: TLS handshake error from
> 10.1.1.1:59164: remote error: bad certificate
> 2016-02-09 11:58:13.138939 I | http: TLS handshake error from
> 10.1.1.1:59166: remote error: bad certificate
> 10.1.0.1 - - [09/Feb/2016:11:58:22 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:58:32 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:58:42 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:58:52 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:59:02 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
> 10.1.0.1 - - [09/Feb/2016:11:59:12 +0000] "GET /healthz HTTP/1.1" 200 0 ""
> "Go 1.1 package http"
>
>
> _______________________________________________ users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users