Something seems odd to me about setting up a route (origin 3.9). I can create a route with re-encrypt if the cert is signed by a self-signed CA, but the route doesn't work if the destination certificate is self-signed and marked as a CA. For example, this destination certificate does NOT work with the router:

However, this cert does (and its corresponding CA):

Now the first cert is marked as a CA, so it SHOULD work (and the same process generates certs that the golang clients in openshift and k8s both work with OK). Is there a requirement I'm missing?

Thanks,
Marc
