Re: oc login fails if origin behind reverse proxy.

Mohamed Lrhazi Sun, 28 Feb 2016 12:52:34 -0800

No. I don't recall adding any exception or special config to my system...


➜  OpenShift curl  -v -XGET  -H "User-Agent: oc/v1.1.2 (darwin/amd64)
openshift/2711160" https://mgmt.os.gu.edu:443/
*   Trying 141.161.99.87...
* Connected to mgmt.os.gu.edu (141.161.99.87) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate: mgmt.os.gu.edu
* Server certificate: Let's Encrypt Authority X1
* Server certificate: DST Root CA X3
> GET / HTTP/1.1
> Host: mgmt.os.gu.edu
> Accept: */*
> User-Agent: oc/v1.1.2 (darwin/amd64) openshift/2711160
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< Date: Sun, 28 Feb 2016 20:47:35 GMT
< Content-Length: 204
<
{
  "paths": [
    "/api",
    "/api/v1",
    "/controllers",
    "/healthz",
    "/healthz/ping",
    "/healthz/ready",
    "/logs/",
    "/metrics",
    "/oapi",
    "/oapi/v1",
    "/swaggerapi/"
  ]
* Connection #0 to host mgmt.os.gu.edu left intact
}%



On Sun, Feb 28, 2016 at 3:45 PM, Jordan Liggitt <[email protected]> wrote:

> What does the curl call without -k show?
>
> Wondering if your system CA bundle is unhappy with the proxy cert. Did you
> have to add exceptions for your browsers?
>
>
>
> On Feb 28, 2016, at 3:38 PM, Mohamed Lrhazi <[email protected]>
> wrote:
>
> Very weird... looks like my own exact curl is behaving differently?
>
> On Sun, Feb 28, 2016 at 3:37 PM, Mohamed Lrhazi <
> [email protected]> wrote:
>
>> ➜  OpenShift oc login https://mgmt.os.gu.edu -u ml623  --loglevel=18
>> I0228 15:35:03.590599   30156 loader.go:241] Config loaded from file
>> /Users/mohamed/.kube/config
>> I0228 15:35:03.590934   30156 loader.go:241] Config loaded from file
>> /Users/mohamed/.kube/config
>> I0228 15:35:03.591206   30156 loader.go:241] Config loaded from file
>> /Users/mohamed/.kube/config
>> I0228 15:35:03.591431   30156 loader.go:241] Config loaded from file
>> /Users/mohamed/.kube/config
>> I0228 15:35:03.591598   30156 round_trippers.go:267] curl -k -v -XGET  -H
>> "User-Agent: oc/v1.1.2 (darwin/amd64) openshift/2711160"
>> https://mgmt.os.gu.edu:443/
>> I0228 15:35:03.829473   30156 round_trippers.go:286] GET
>> https://mgmt.os.gu.edu:443/  in 237 milliseconds
>> I0228 15:35:03.829507   30156 round_trippers.go:292] Response Headers:
>> I0228 15:35:03.829640   30156 helpers.go:159] Connection error: Get
>> https://mgmt.os.gu.edu:443/: read tcp 10.212.140.29:52838->
>> 141.161.99.87:443: read: connection reset by peer
>> F0228 15:35:03.829668   30156 helpers.go:99] Unable to connect to the
>> server: read tcp 10.212.140.29:52838->141.161.99.87:443: read:
>> connection reset by peer
>> ➜  OpenShift curl -k -v -XGET  -H "User-Agent: oc/v1.1.2 (darwin/amd64)
>> openshift/2711160" https://mgmt.os.gu.edu:443/
>> *   Trying 141.161.99.87...
>> * Connected to mgmt.os.gu.edu (141.161.99.87) port 443 (#0)
>> * TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
>> * Server certificate: mgmt.os.gu.edu
>> * Server certificate: Let's Encrypt Authority X1
>> * Server certificate: DST Root CA X3
>> > GET / HTTP/1.1
>> > Host: mgmt.os.gu.edu
>> > Accept: */*
>> > User-Agent: oc/v1.1.2 (darwin/amd64) openshift/2711160
>> >
>> < HTTP/1.1 200 OK
>> < Content-Type: application/json
>> < Date: Sun, 28 Feb 2016 20:36:58 GMT
>> < Content-Length: 204
>> <
>> {
>>   "paths": [
>>     "/api",
>>     "/api/v1",
>>     "/controllers",
>>     "/healthz",
>>     "/healthz/ping",
>>     "/healthz/ready",
>>     "/logs/",
>>     "/metrics",
>>     "/oapi",
>>     "/oapi/v1",
>>     "/swaggerapi/"
>>   ]
>> * Connection #0 to host mgmt.os.gu.edu left intact
>> }%
>>
>>                                                        ➜  OpenShift
>>
>>
>> On Sun, Feb 28, 2016 at 3:33 PM, Jordan Liggitt <[email protected]>
>> wrote:
>>
>>> What about a curl with the :443 port included?
>>>
>>> On Feb 28, 2016, at 3:28 PM, Mohamed Lrhazi <
>>> [email protected]> wrote:
>>>
>>> a GET curl request also works, instead of HEAD:
>>>
>>> ➜  curl  https://mgmt.os.gu.edu:443/ -i
>>> HTTP/1.1 200 OK
>>> Content-Type: application/json
>>> Date: Sun, 28 Feb 2016 20:27:13 GMT
>>> Content-Length: 204
>>>
>>> {
>>>   "paths": [
>>>     "/api",
>>>     "/api/v1",
>>>     "/controllers",
>>>     "/healthz",
>>>     "/healthz/ping",
>>>     "/healthz/ready",
>>>     "/logs/",
>>>     "/metrics",
>>>     "/oapi",
>>>     "/oapi/v1",
>>>     "/swaggerapi/"
>>>   ]
>>> }%
>>>
>>>
>>>
>>> On Sun, Feb 28, 2016 at 3:25 PM, Mohamed Lrhazi <
>>> [email protected]> wrote:
>>>
>>>> Thanks Jordan.. Here it is:
>>>>
>>>> ➜  oc login https://mgmt.os.gu.edu -u ml623  --loglevel=8
>>>> I0228 15:23:13.811505   30087 loader.go:241] Config loaded from file
>>>> /Users/mohamed/.kube/config
>>>> I0228 15:23:13.811805   30087 loader.go:241] Config loaded from file
>>>> /Users/mohamed/.kube/config
>>>> I0228 15:23:13.812061   30087 loader.go:241] Config loaded from file
>>>> /Users/mohamed/.kube/config
>>>> I0228 15:23:13.812267   30087 loader.go:241] Config loaded from file
>>>> /Users/mohamed/.kube/config
>>>> I0228 15:23:13.812414   30087 round_trippers.go:264] GET
>>>> https://mgmt.os.gu.edu:443/
>>>> I0228 15:23:13.812419   30087 round_trippers.go:271] Request Headers:
>>>> I0228 15:23:13.812422   30087 round_trippers.go:274]     User-Agent:
>>>> oc/v1.1.2 (darwin/amd64) openshift/2711160
>>>> I0228 15:23:13.959537   30087 round_trippers.go:289] Response Status:
>>>>  in 147 milliseconds
>>>> I0228 15:23:13.961454   30087 round_trippers.go:292] Response Headers:
>>>> I0228 15:23:13.961992   30087 helpers.go:159] Connection error: Get
>>>> https://mgmt.os.gu.edu:443/: read tcp 10.212.140.29:52561->
>>>> 141.161.99.87:443: read: connection reset by peer
>>>> F0228 15:23:13.962029   30087 helpers.go:99] Unable to connect to the
>>>> server: read tcp 10.212.140.29:52561->141.161.99.87:443: read:
>>>> connection reset by peer
>>>> ➜
>>>> ➜
>>>> ➜  curl -I https://mgmt.os.gu.edu:443/
>>>> HTTP/1.1 200 OK
>>>> Content-Type: application/json
>>>> Date: Sun, 28 Feb 2016 20:23:43 GMT
>>>> Content-Length: 204
>>>>
>>>> ➜
>>>>
>>>>
>>>> On Sun, Feb 28, 2016 at 3:06 PM, Jordan Liggitt <[email protected]>
>>>> wrote:
>>>>
>>>>> What do you see with --loglevel=8?
>>>>>
>>>>> On Feb 28, 2016, at 3:01 PM, Mohamed Lrhazi <
>>>>> [email protected]> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> My  oc on OS X, works if I point directly to the real IP/port of the
>>>>> origin server (port 8443)... but if I tried using a VIP which terminates
>>>>> SSL, the re-encrypts to the server on 8443.. I get this error:
>>>>>
>>>>>
>>>>> ➜  oc login https://mgmt.os.gu.edu -u ml623
>>>>> Unable to connect to the server: read tcp 10.212.140.29:51773->
>>>>> 141.161.99.87:443: read: connection reset by peer
>>>>> ➜
>>>>>
>>>>>
>>>>> What's odd is that with Chrome and Firefox, that URL works fine!
>>>>>
>>>>> How do I debug this further?
>>>>>
>>>>> Thanks a lot,
>>>>> Mohamed.
>>>>>
>>>>> _______________________________________________
>>>>> users mailing list
>>>>> [email protected]
>>>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>>>
>>>>>
>>>>
>>>
>>
>

_______________________________________________
users mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

Re: oc login fails if origin behind reverse proxy.

Reply via email to