Hi Marcello.

on Wednesday, 18 October 2017 at 10:32 was written:

> Hi Aleks,
> I already configured the 4 values and if I miss the intermediate CA
> into the destinationCACertificate field the Origin GUI shows to me a
> warning related to the certificate. The export of the command is :

Are there any errors in the router logs?

oc logs -n dev-shared <POD> |egrep callcentergw

> apiVersion: v1
> kind: Route
> metadata:
>   creationTimestamp: null
>   name: callcentergw-dev-external
> spec:
>   host: callcenter.fineco.it
>   port:
>     targetPort: 443-tcp
>   tls:
>     caCertificate: |-
>       -----BEGIN CERTIFICATE-----
>       ….
>       -----END CERTIFICATE-----
>       -----BEGIN CERTIFICATE-----
>       …
>       -----END CERTIFICATE-----
>     certificate: |-
>       -----BEGIN CERTIFICATE-----
>       …
>       -----END CERTIFICATE-----
>     destinationCACertificate: |-
>       -----BEGIN CERTIFICATE-----
>       …
>       -----END CERTIFICATE-----
>     key: |-
>       -----BEGIN RSA PRIVATE KEY-----
>       …
>       -----END RSA PRIVATE KEY-----
>     termination: reencrypt
>   to:
>     kind: Service
>     name: callcentergw-dev
>     weight: 100
>   wildcardPolicy: None
> status:
>   ingress:
>   - conditions:
>     - lastTransitionTime: 2017-10-18T07:54:22Z
>       status: "True"
>       type: Admitted
>     host: callcenter.test.local
>     routerName: router
>     wildcardPolicy: None
>
> The second command results are the same in insecure and passing the
> cafile formed by intermediate + root CA certificates.
>
> * About to connect() to callcenter.test.local port 443 (#0)
> *   Trying 192.168.10.10...
> * Connected to callcenter.test.local (192.168.10.10) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /tmp/new-cac.crt
>   CApath: none
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
> * Server certificate:
> *       subject: E=my.test.local,CN=callcenter.test.local,OU=test,O=Local=Milan,ST=Italy,C=IT
> *       start date: Mar 31 11:54:54 2016 GMT
> *       expire date: Mar 31 11:54:54 2018 GMT
> *       common name: callcenter.test.local
> *       issuer: CN=Local CA Subordinate,DC=milano,DC=test,DC=local,DC=it
> > GET / HTTP/1.1
> > User-Agent: curl/7.29.0
> > Host: callcenter.test.local
> > Accept: */*
> >
> < HTTP/1.1 302 Found
> < Date: Wed, 18 Oct 2017 08:29:17 GMT
> < Server: Apache/2.4.28 (Unix) OpenSSL/1.0.2k-fips
> < Location: https://callcenter.test.local/home
> < Content-Length: 228
> < Content-Type: text/html; charset=iso-8859-1
>
> Marcello
>
> On Tue, Oct 17, 2017 at 11:21 PM, Aleksandar Lazic <[email protected]> wrote:
>
> Hi Marcello.
>
> on Tuesday, 17 October 2017 at 09:11 was written:
>
>> Hi,
>> I'm using a re-encrypt configuration to preserve the x-forwarded-for
>> information. The configuration is:
>>
>> Name:                   callcentergw-dev-external
>> Namespace:              dev-shared
>> Created:                17 hours ago
>> Labels:                 <none>
>> Annotations:            <none>
>> Requested Host:         callcenter.test.local
>>                           exposed on router router 17 hours ago
>> Path:                   <none>
>> TLS Termination:        reencrypt
>> Insecure Policy:        Redirect
>> Endpoint Port:          443-tcp
>>
>> Service:        callcentergw-dev
>> Weight:         100 (100%)
>> Endpoints:      10.131.0.138:443, 10.131.0.138:80
>
> I miss the destinationCACertificate maybe it's shown with export.
>
> oc export route -n dev-shared callcentergw-dev-external
>
> You can add in the GUI (=> Webinterface ) all four values under
> "Security" settings. There is a section "Certificates" .
>
> key: [as in edge termination]
> certificate: [as in edge termination]
> caCertificate: [as in edge termination]
> destinationCACertificate: ...
>
> Please can you also show us the output of
>
> curl -vk callcenter.test.local
>
>> Marcello
>
> Best Regards
> Aleks
>
>> On 16 Oct 2017 20:45, "Aleksandar Lazic" <[email protected]> wrote:
>>
>> Hi Marcello.
>>
>> on Monday, 16 October 2017 at 15:23 was written:
>>
>>> Hi,
>>> I have tried it and it worked fine but the problem is override the
>>> default wildcard certificate and configure a different certificate,
>>> because it's not possible to configure the intermediate CA chain into
>>> the admin panel. I tried to configure the CA cert with the root CA and
>>> the subordinate CA files and the router is ok but if I navigate the
>>> new route I received a security error.
>>
>> do you use reencrypted or passthrough route
>>
>> please can you show us the output of.
>>
>> oc get route -n your-project
>> oc describe route -n your-project your-route
>>
>> Best Regards
>> Aleks
>>
>>> Marcello
>>>
>>> On Thu, Oct 12, 2017 at 1:14 PM, Aleksandar Lazic <[email protected]> wrote:
>>>
>>> Hi Marcello Lorenzi.
>>>
>>> have you used -servername in s_client?
>>>
>>> The ssl solution is based on sni (
>>> https://en.wikipedia.org/wiki/Server_Name_Indication )
>>>
>>> Regards
>>> Aleks
>>>
>>> on Thursday, 12 October 2017 at 13:02 was written:
>>>
>>> Hi All,
>>> thanks for the response and we checked the configuration. If I try
>>> to check the certificate propagated with the passthrough configuration
>>> with openssl s_client, the certificate provided is the wildcard
>>> domain certificate and not the pod's one. Is it normal?
>>>
>>> Thanks,
>>> Marcello
>>>
>>> On Thu, Oct 12, 2017 at 10:34 AM, Aleksandar Lazic <[email protected]> wrote:
>>>
>>> Hi.
>>>
>>> Additionally to joel suggestion can you also use reencrypted route
>>> if you want to talk encrypted with apache webserver.
>>>
>>> https://docs.openshift.org/3.6/architecture/networking/routes.html#re-encryption-termination
>>>
>>> Regards
>>> Aleks
>>>
>>> on Wednesday, 11 October 2017 at 15:51 was written:
>>>
>>> Sorry I meant to say, it *cannot* modify the http request in any way.
>>>
>>> On Thu, 12 Oct 2017 at 12:51 am, Joel Pearson <[email protected]> wrote:
>>>
>>> Hi Marcello,
>>>
>>> If you use Passthrough termination then that means that OpenShift
>>> cannot add the X-Forwarded-For header, because as the name suggests it
>>> is just passing the packets through and because it's encrypted it can
>>> modify the http request in any way.
>>>
>>> If you want X-Forwarded-For you will need to switch to Edge termination.
>>>
>>> Thanks,
>>> Joel
>>>
>>> On Thu, 12 Oct 2017 at 12:27 am, Marcello Lorenzi <[email protected]> wrote:
>>>
>>> Hi All,
>>> we tried to configure a route on Origin 3.6 with a Passthrough
>>> termination to an Apache webserver present into a single POD but we
>>> can't see the X-Forwarded-For header in the Apache logs. We tried to
>>> capture it without success.
>>>
>>> Could you confirm if there is some method to extract it from the POD side?
>>>
>>> Thanks,
>>> Marcello
>>>
>>> _______________________________________________
>>> users mailing list
>>> [email protected]
>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>>>
>>> --
>>> Kind Regards,
>>> Joel Pearson
>>> Agile Digital | Senior Software Consultant
>>> Love Your Software™ | ABN 98 106 361 273
>>> p: 1300 858 277 | m: 0405 417 843 | w: agiledigital.com.au

--
Best Regards
Aleks
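The thread turns on getting the four PEM fields of a reencrypt Route right: the leaf in `certificate`, the intermediate and root in `caCertificate`, the CA that signed the pod's own server certificate in `destinationCACertificate`, and the private key in `key`. The script below is an added example (not from the thread, and not OpenShift's own code) of a pre-flight lint for that `.spec.tls` stanza. It uses only the Python standard library and does not parse X.509; it checks PEM framing, base64/DER well-formedness, block counts per field, and that no private key was pasted into a certificate field. The termination rules it enforces (certificate and key together, `destinationCACertificate` required for reencrypt, nothing used for passthrough) are my assumptions, as are the function names and the constructed placeholder PEM payload.

```python
"""Pre-flight lint for the tls stanza of an OpenShift Route (added example,
standard library only; the termination rules below are assumed, not taken
from OpenShift's validator)."""
import base64
import re

# label + base64 body; re.DOTALL lets the body span lines, \1 ties END to BEGIN
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)

CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}
ROUTER_FIELDS = ("certificate", "caCertificate", "destinationCACertificate", "key")


def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block in text.

    Raises ValueError on bad base64 or when the payload is not a DER SEQUENCE
    (every X.509 certificate and PKCS#1/PKCS#8 key starts with tag 0x30).
    """
    blocks = []
    for label, body in PEM_BLOCK.findall(text or ""):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def check_route_tls(tls):
    """Return a list of problems for a Route .spec.tls dict; [] means it looks sane."""
    problems = []
    parsed = {}
    for field in ROUTER_FIELDS:
        text = tls.get(field)
        parsed[field] = []
        if not text:
            continue
        try:
            parsed[field] = pem_blocks(text)
        except ValueError as exc:
            problems.append(f"{field}: {exc}")
            continue
        if not parsed[field]:
            problems.append(f"{field}: set but contains no PEM block")
        expected = KEY_LABELS if field == "key" else CERT_LABELS
        for label, _ in parsed[field]:
            if label not in expected:  # e.g. a private key pasted into caCertificate
                problems.append(f"{field}: unexpected {label} block")

    termination = tls.get("termination")
    if termination == "passthrough":
        # The router never sees plaintext with passthrough, so none of the four
        # fields is used; their presence usually means the wrong mode was chosen.
        for field in ROUTER_FIELDS:
            if tls.get(field):
                problems.append(f"{field}: ignored, passthrough does not terminate TLS at the router")
        return problems
    if termination not in ("edge", "reencrypt"):
        problems.append(f"termination: unexpected value {termination!r}")
        return problems

    if bool(parsed["certificate"]) != bool(parsed["key"]):
        problems.append("certificate and key must be supplied together")
    if len(parsed["certificate"]) > 1:
        problems.append("certificate: holds more than one block; intermediates belong in caCertificate")
    if termination == "reencrypt" and not parsed["destinationCACertificate"]:
        # Assumed policy: pin the CA that issued the pod's own server certificate.
        problems.append("destinationCACertificate: missing for reencrypt termination")
    if termination == "edge" and parsed["destinationCACertificate"]:
        problems.append("destinationCACertificate: not used with edge termination")
    return problems


def make_pem(label, der):
    """Wrap DER bytes as a PEM block (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed placeholder payload: DER SEQUENCE { INTEGER 1 }. Not a real
# certificate or key; the lint only inspects PEM framing and the DER tag.
FAKE_DER = b"\x30\x03\x02\x01\x01"
LEAF = make_pem("CERTIFICATE", FAKE_DER)
INTERMEDIATE = make_pem("CERTIFICATE", FAKE_DER)
ROOT = make_pem("CERTIFICATE", FAKE_DER)
KEY = make_pem("RSA PRIVATE KEY", FAKE_DER)

# Same layout as the thread's reencrypt route: leaf in certificate, intermediate
# + root in caCertificate, backend CA in destinationCACertificate, key in key.
GOOD_REENCRYPT = {
    "termination": "reencrypt",
    "certificate": LEAF,
    "caCertificate": INTERMEDIATE + ROOT,
    "destinationCACertificate": INTERMEDIATE,
    "key": KEY,
}

if __name__ == "__main__":
    cases = {
        "good reencrypt": GOOD_REENCRYPT,
        "key pasted into caCertificate": dict(GOOD_REENCRYPT, caCertificate=INTERMEDIATE + KEY),
        "reencrypt without destinationCACertificate": dict(GOOD_REENCRYPT, destinationCACertificate=""),
        "passthrough with a certificate": {"termination": "passthrough", "certificate": LEAF},
    }
    for name, stanza in cases.items():
        print(f"{name}: {check_route_tls(stanza) or 'OK'}")
```

Feed it the `tls:` mapping of an exported Route (for example via `oc export route ... -o yaml` and a YAML loader) before applying the object; it catches the field mix-ups the GUI warns about, but it cannot tell whether `caCertificate` actually chains to the leaf or whether the backend's certificate is signed by `destinationCACertificate`, which still needs `openssl verify` or a `curl --cacert` run like the one in the thread.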
