I had this problem while trying to do a single-master multinode install in 
Govcloud using my own ansible scripts. I solved the problem when I realized all 
the certificates, for masters and nodes, had to be created on the same server. 

For those of us who don't use the openshift-ansible install scripts, because of 
the amount of work required to customize them to our needs, a few more hints in 
the documentation about how things work would be helpful.

Thanks for a great tool.
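
Added example, not part of the original message and not OpenShift's own tooling: a constructed shell demo of one way this error can arise, assuming two hosts each generate their own CA under the same subject name (the `demo-signer` name, the hostnames and the file layout are made up). It shows why a local `openssl verify` can report OK while the master's certificate is still rejected, and that issuing everything from one CA clears it.

```shell
#!/usr/bin/env bash
# Constructed demo (not from the thread): two hosts each generate their own CA
# with the SAME subject name, then each issues a serving certificate.
set -eu

make_ca() {      # $1 = dir; writes a self-signed ca.key / ca.crt there
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-signer" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {   # $1 = CA dir, $2 = output prefix, $3 = subject CN
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$2.crt" 2>/dev/null
}

fingerprint() {  # SHA-256 fingerprint: identifies the CA key pair, not its name
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

trusts() {       # $1 = CA file, $2 = certificate; exit 0 only if it chains
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {       # print one verification result in a readable form
  if trusts "$1" "$2"; then echo "OK    $2 against $1"
  else echo "FAIL  $2 against $1 (signed by unknown authority)"; fi
}

work=$(mktemp -d)
make_ca "$work/master"; issue_cert "$work/master" "$work/master/master.server" master.example
make_ca "$work/node";   issue_cert "$work/node"   "$work/node/server"          node.example

# The check from the thread, run on the node: passes, because both files are local.
report "$work/node/ca.crt" "$work/node/server.crt"
# What the node does at startup: validate the MASTER's certificate with its own ca.crt.
report "$work/node/ca.crt" "$work/master/master.server.crt"
# Same subject, different key pair: the fingerprints expose the mismatch.
echo "master CA: $(fingerprint "$work/master/ca.crt")"
echo "node   CA: $(fingerprint "$work/node/ca.crt")"

# Fix described in the thread: issue every certificate from one CA on one host.
issue_cert "$work/master" "$work/node/server" node.example
report "$work/master/ca.crt" "$work/node/server.crt"
report "$work/master/ca.crt" "$work/master/master.server.crt"
```

Comparing the SHA-256 fingerprint of `ca.crt` on every host is the quick check here, since file size and subject name can match even when the key pairs differ.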

-----Original Message-----
From: users-boun...@lists.openshift.redhat.com 
[mailto:users-boun...@lists.openshift.redhat.com] On Behalf Of 
users-requ...@lists.openshift.redhat.com
Sent: Wednesday, August 02, 2017 12:00 PM
To: users@lists.openshift.redhat.com
Subject: [Suspected Spam] users Digest, Vol 61, Issue 3

Send users mailing list submissions to
        users@lists.openshift.redhat.com

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.openshift.redhat.com/openshiftmm/listinfo/users
or, via email, send a message with subject or body 'help' to
        users-requ...@lists.openshift.redhat.com

You can reach the person managing the list at
        users-ow...@lists.openshift.redhat.com

When replying, please edit your Subject line so it is more specific than "Re: 
Contents of users digest..."


Today's Topics:

   1. RE: Error: certificate signed by unknown authority (David
      VOGEL) (David VOGEL)
   2. Re: I think such an addition to OpenShift might be useful ;)
      (Tomas Nozicka)


----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Aug 2017 18:08:41 +0000
From: David VOGEL <david.vo...@raytheon.com>
To: "users@lists.openshift.redhat.com"
        <users@lists.openshift.redhat.com>
Subject: RE: Error: certificate signed by unknown authority (David
        VOGEL)
Message-ID:
        <7c72759c0f364023babc060713ac7...@cy1pr0601mb005.008f.mgd2.msft.net>
Content-Type: text/plain; charset="us-ascii"

Additional info: CA check on the node host:

$ openssl verify -CAfile ca.crt server.crt
server.crt: OK
$ openssl verify -CAfile ca.crt master-client.crt
master-client.crt: OK

-----Original Message-----
From: users-boun...@lists.openshift.redhat.com 
[mailto:users-boun...@lists.openshift.redhat.com] On Behalf Of 
users-requ...@lists.openshift.redhat.com
Sent: Tuesday, August 01, 2017 1:35 PM
To: users@lists.openshift.redhat.com
Subject: users Digest, Vol 61, Issue 2


Today's Topics:

   1. Question about router usage (Yu Wei)
   2. Re: Question about router usage (Clayton Coleman)
   3. Error: certificate signed by unknown authority (David VOGEL)


----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Aug 2017 15:55:36 +0000
From: Yu Wei <yu20...@hotmail.com>
To: "users@lists.openshift.redhat.com"
        <users@lists.openshift.redhat.com>,     
"d...@lists.openshift.redhat.com"
        <d...@lists.openshift.redhat.com>
Subject: Question about router usage
Message-ID:
        
<hk2pr03mb0561c572135a722c1d6aef9db5...@hk2pr03mb0561.apcprd03.prod.outlook.com>
        
Content-Type: text/plain; charset="gb2312"

Hi guys,

How could I expose services using TCP/UDP protocols to external clients?

Could router be used?

For example, I want to deploy redis cluster in openshift cluster.

Redis cluster is using TCP protocol and listening on port 6379.

Could I expose redis service port 6379 with router?

If not, how could I expose the service to external clients?

Could I use nodePort provided by k8s or other advice?


Thanks,

Jared
Software developer
Interested in open source software, big data, Linux

------------------------------

Message: 2
Date: Tue, 1 Aug 2017 12:12:59 -0400
From: Clayton Coleman <ccole...@redhat.com>
To: Yu Wei <yu20...@hotmail.com>
Cc: "users@lists.openshift.redhat.com"
        <users@lists.openshift.redhat.com>,     
"d...@lists.openshift.redhat.com"
        <d...@lists.openshift.redhat.com>
Subject: Re: Question about router usage
Message-ID: <-8830689192124930451@unknownmsgid>
Content-Type: text/plain; charset="utf-8"

https://docs.openshift.org/latest/dev_guide/getting_traffic_into_cluster.html#overview
covers how to decide what to use.

UDP will not be possible via the routers.

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

------------------------------

Message: 3
Date: Tue, 1 Aug 2017 17:12:28 +0000
From: David VOGEL <david.vo...@raytheon.com>
To: "users@lists.openshift.redhat.com"
        <users@lists.openshift.redhat.com>
Subject: Error: certificate signed by unknown authority
Message-ID:
        <04ccebd0262f4f60aaa234fd07f82...@cy1pr0601mb005.008f.mgd2.msft.net>
Content-Type: text/plain; charset="us-ascii"

I get the following error when starting an Openshift Origin node:
github.com/openshift/origin/pkg/cmd/server/kubernetes/node.go:267: Failed to 
list *api.Service: Get https://10.3.1.95:8443/api/v1/services 
resourceVersion=0: x509: certificate signed by unknown authority

I don't know what I'm doing wrong.

The master ip is 10.3.1.95

On the node
   here is the servingInfo section of node-config.yaml:
servingInfo:
  bindAddress: 0.0.0.0:10250
  bindNetwork: tcp4
  certFile: server.crt
  clientCA: node-client-ca.crt
  keyFile: server.key
  namedCertificates: null

   here are the contents of openshift.local.config/node-ip-10-3-1-192.raytheon.com/
-rw-r--r--. 1 root root 1070 Jul 31 14:13 ca.crt
-rw-r--r--. 1 root root 1143 Jul 31 14:13 master-client.crt
-rw-------. 1 root root 1679 Jul 31 14:13 master-client.key
-rw-r--r--. 1 root root 1070 Jul 31 14:13 node-client-ca.crt
-rw-r--r--. 1 root root 1067 Jul 31 14:13 node-config.yaml
-rw-rw-rw-. 1 root root 5762 Jul 31 14:13 node.kubeconfig
-rw-r--r--. 1 root root  376 Jul 31 14:13 node-registration.json
-rw-r--r--. 1 root root 2221 Jul 31 14:13 server.crt
-rw-------. 1 root root 1675 Jul 31 14:13 server.key

   Here are the contents of openshift.local.config/master/   (copied from the 
contents of this directory on the master)
-rw-r--r--. 1 root root 1070 Jul 31 14:13 ca.crt
-rw-r--r--. 1 root root 1679 Jul 31 14:13 ca.key
-rw-r--r--. 1 root root    2 Jul 31 14:13 ca.serial.txt

Here is the oadm call, inside an Ansible script, used to configure the 
Openshift node:

$ oadm create-node-config \
    --node-dir={{ proj_home }}/server/openshift.local.config/{{ openshift_nodename }} \
    --node={{ ansible_nodename }} \
    --hostnames={{ ansible_nodename }},{{ ansible_default_ipv4.address }} \
    --master="https://{{ openshift_master_ip }}:8443" \
    --certificate-authority={{ proj_home }}/server/openshift.local.config/master/ca.crt \
    --signer-cert={{ proj_home }}/server/openshift.local.config/master/ca.crt \
    --signer-key={{ proj_home }}/server/openshift.local.config/master/ca.key \
    --signer-serial={{ proj_home }}/server/openshift.local.config/master/ca.serial.txt \
    --node-client-certificate-authority={{ proj_home }}/server/openshift.local.config/master/ca.crt

NOTE: I rolled my own Ansible scripts to deploy Openshift Origin in AWS 
Govcloud. The Openshift Ansible script provided for advanced installation 
didn't work in Govcloud.

   -David Vogel

End of users Digest, Vol 61, Issue 2
************************************



------------------------------

Message: 2
Date: Wed, 02 Aug 2017 15:59:52 +0200
From: Tomas Nozicka <tnozi...@redhat.com>
To: Aleksandar Lazic <al...@me2digital.eu>, Hetz Ben Hamo
        <h...@hetz.biz>
Cc: users <users@lists.openshift.redhat.com>
Subject: Re: I think such an addition to OpenShift might be useful ;)
Message-ID: <1501682392.22379.9.ca...@redhat.com>
Content-Type: text/plain; charset="UTF-8"

There is also https://github.com/tnozicka/openshift-acme

Regards,
Tomas

On Fri, 2017-07-07 at 09:13 +0200, Aleksandar Lazic wrote:
> Hi Hetz Ben Hamo.
> 
> on Freitag, 07. Juli 2017 at 00:48 was written:
> 
> 
> https://arstechnica.com/information-technology/2017/07/lets-encrypt-t
> o-start-offering-free-wildcard-certificates-for-https/
> 
> +1
> 
> --
> Best Regards
> Aleks
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users



------------------------------


End of users Digest, Vol 61, Issue 3
************************************
