I had this problem while trying to do a single-master multi-node install in GovCloud using my own Ansible scripts. I solved the problem when I realized all the certificates, for masters and nodes, had to be created on the same server.

For those of us who don't use the openshift-ansible install scripts, because of the amount of work required to customize them to our needs, a few more hints in the documentation about how things work would be helpful. Thanks for a great tool.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Wednesday, August 02, 2017 12:00 PM
To: [email protected]
Subject: [Suspected Spam] users Digest, Vol 61, Issue 3

Send users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        http://lists.openshift.redhat.com/openshiftmm/listinfo/users
or, via email, send a message with subject or body 'help' to
        [email protected]

You can reach the person managing the list at
        [email protected]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of users digest..."

Today's Topics:

   1. RE: Error: certificate signed by unknown authority (David VOGEL) (David VOGEL)
   2. Re: I think such an addition to OpenShift might be useful ;) (Tomas Nozicka)

----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Aug 2017 18:08:41 +0000
From: David VOGEL <[email protected]>
To: "[email protected]" <[email protected]>
Subject: RE: Error: certificate signed by unknown authority (David VOGEL)
Message-ID: <7c72759c0f364023babc060713ac7...@cy1pr0601mb005.008f.mgd2.msft.net>
Content-Type: text/plain; charset="us-ascii"

Additional info:

CA check on the node host:

    $ openssl verify -CAfile ca.crt server.crt
    server.crt: OK
    $ openssl verify -CAfile ca.crt master-client.crt
    master-client.crt: OK

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Tuesday, August 01, 2017 1:35 PM
To: [email protected]
Subject: users Digest, Vol 61, Issue 2

Today's Topics:

   1. Question about router usage (Yu Wei)
   2. Re: Question about router usage (Clayton Coleman)
   3. Error: certificate signed by unknown authority (David VOGEL)

----------------------------------------------------------------------

Message: 1
Date: Tue, 1 Aug 2017 15:55:36 +0000
From: Yu Wei <[email protected]>
To: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Question about router usage
Message-ID: <hk2pr03mb0561c572135a722c1d6aef9db5...@hk2pr03mb0561.apcprd03.prod.outlook.com>
Content-Type: text/plain; charset="gb2312"

Hi guys,

How could I expose services using TCP/UDP protocols to external clients? Could the router be used?

For example, I want to deploy a redis cluster in an openshift cluster. Redis cluster is using the TCP protocol and listening on port 6379. Could I expose redis service port 6379 with the router? If not, how could I expose the service to external clients? Could I use nodePort provided by k8s, or is there other advice?

Thanks,
Jared
Software developer
Interested in open source software, big data, Linux

------------------------------

Message: 2
Date: Tue, 1 Aug 2017 12:12:59 -0400
From: Clayton Coleman <[email protected]>
To: Yu Wei <[email protected]>
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: Question about router usage
Message-ID: <-8830689192124930451@unknownmsgid>
Content-Type: text/plain; charset="utf-8"

https://docs.openshift.org/latest/dev_guide/getting_traffic_into_cluster.html#overview covers how to decide what to use. UDP will not be possible via the routers.

On Aug 1, 2017, at 12:11 PM, Yu Wei <[email protected]> wrote:

> Hi guys,
>
> How could I expose services using TCP/UDP protocols to external clients? Could the router be used?
>
> For example, I want to deploy a redis cluster in an openshift cluster. Redis cluster is using the TCP protocol and listening on port 6379. Could I expose redis service port 6379 with the router? If not, how could I expose the service to external clients? Could I use nodePort provided by k8s, or is there other advice?
>
> Thanks,
> Jared
> Software developer
> Interested in open source software, big data, Linux
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users

------------------------------

Message: 3
Date: Tue, 1 Aug 2017 17:12:28 +0000
From: David VOGEL <[email protected]>
To: "[email protected]" <[email protected]>
Subject: Error: certificate signed by unknown authority
Message-ID: <04ccebd0262f4f60aaa234fd07f82...@cy1pr0601mb005.008f.mgd2.msft.net>
Content-Type: text/plain; charset="us-ascii"

I get the following error when starting an OpenShift Origin node:

    github.com/openshift/origin/pkg/cmd/server/kubernetes/node.go:267: Failed to list *api.Service: Get https://10.3.1.95:8443/api/v1/services?resourceVersion=0: x509: certificate signed by unknown authority

I don't know what I'm doing wrong. The master IP is 10.3.1.95.

On the node, here is the servingInfo section of node-config.yaml:

    servingInfo:
      bindAddress: 0.0.0.0:10250
      bindNetwork: tcp4
      certFile: server.crt
      clientCA: node-client-ca.crt
      keyFile: server.key
      namedCertificates: null

Here are the contents of openshift.local.config/node-ip-10-3-1-192.raytheon.com/:

    -rw-r--r--. 1 root root 1070 Jul 31 14:13 ca.crt
    -rw-r--r--. 1 root root 1143 Jul 31 14:13 master-client.crt
    -rw-------. 1 root root 1679 Jul 31 14:13 master-client.key
    -rw-r--r--. 1 root root 1070 Jul 31 14:13 node-client-ca.crt
    -rw-r--r--. 1 root root 1067 Jul 31 14:13 node-config.yaml
    -rw-rw-rw-. 1 root root 5762 Jul 31 14:13 node.kubeconfig
    -rw-r--r--. 1 root root  376 Jul 31 14:13 node-registration.json
    -rw-r--r--. 1 root root 2221 Jul 31 14:13 server.crt
    -rw-------. 1 root root 1675 Jul 31 14:13 server.key

Here are the contents of openshift.local.config/master/ (copied from the contents of this directory on the master):

    -rw-r--r--. 1 root root 1070 Jul 31 14:13 ca.crt
    -rw-r--r--. 1 root root 1679 Jul 31 14:13 ca.key
    -rw-r--r--. 1 root root    2 Jul 31 14:13 ca.serial.txt

Here is the oadm call, inside an Ansible script, used to configure the OpenShift node:

    $ oadm create-node-config --node-dir={{ proj_home }}/server/openshift.local.config/{{ openshift_nodename }} \
        --node={{ ansible_nodename }} \
        --hostnames={{ ansible_nodename }},{{ ansible_default_ipv4.address }} \
        --master="https://{{ openshift_master_ip }}:8443" \
        --certificate-authority={{ proj_home }}/server/openshift.local.config/master/ca.crt \
        --signer-cert={{ proj_home }}/server/openshift.local.config/master/ca.crt \
        --signer-key={{ proj_home }}/server/openshift.local.config/master/ca.key \
        --signer-serial={{ proj_home }}/server/openshift.local.config/master/ca.serial.txt \
        --node-client-certificate-authority={{ proj_home }}/server/openshift.local.config/master/ca.crt

NOTE: I rolled my own Ansible scripts to deploy OpenShift Origin in AWS GovCloud. The OpenShift Ansible script provided for advanced installation didn't work in GovCloud.

-David Vogel

------------------------------

End of users Digest, Vol 61, Issue 2
************************************

------------------------------

Message: 2
Date: Wed, 02 Aug 2017 15:59:52 +0200
From: Tomas Nozicka <[email protected]>
To: Aleksandar Lazic <[email protected]>, Hetz Ben Hamo <[email protected]>
Cc: users <[email protected]>
Subject: Re: I think such an addition to OpenShift might be useful ;)
Message-ID: <[email protected]>
Content-Type: text/plain; charset="UTF-8"

There is also https://github.com/tnozicka/openshift-acme

Regards,
Tomas

On Fri, 2017-07-07 at 09:13 +0200, Aleksandar Lazic wrote:
> Hi Hetz Ben Hamo.
>
> On Friday, 07 July 2017 at 00:48 was written:
>
> > https://arstechnica.com/information-technology/2017/07/lets-encrypt-to-start-offering-free-wildcard-certificates-for-https/
>
> +1
>
> --
> Best Regards
> Aleks

------------------------------

End of users Digest, Vol 61, Issue 3
************************************
