On Tue, Mar 26, 2019, at 11:49 AM, Harald Dunkel wrote:
> Hi folks,
>
> I am running okd 3.11 on CentOS 7.6. The inventory file registers
> 2 certificate chains (based upon a common, private CA), as described on
> https://docs.openshift.com/container-platform/3.11/install_config/certificate_customization.html
>
> :
> openshift_master_overwrite_named_certificates=true
> openshift_master_named_certificates=[{"certfile":
> "/work/okd01/ssl/okd01.cert.pem", "keyfile":
> "/work/okd01/ssl/okd01.key.pem", "names": ["okd01.example.com"],
> "cafile": "/work/okd01/ssl/ca.cert.pem" }]
> openshift_hosted_router_certificate={"certfile":
> "/work/okd01/ssl/star.okd01.cert.pem", "keyfile":
> "/work/okd01/ssl/okd01.key.pem", "cafile":
> "/work/okd01/ssl/ca.cert.pem" }
> :
>

Here's what worked for me:

# Custom Certs: https://blog.openshift.com/lets-encrypt-acme-v2-api/
openshift_master_overwrite_named_certificates=true
openshift_master_named_certificates=[{"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "names": ["master.example.com"], "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}]
openshift_hosted_router_certificate={"certfile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem", "keyfile": "{{ inventory_dir }}/certs/archive/master.example.com/privkey1.pem", "cafile": "{{ inventory_dir }}/certs/archive/master.example.com/fullchain1.pem"}

I may have had to re-deploy OpenShift to make it take full effect, but I
think it worked mostly fine with the redeploy-certificates.yml playbook.

I don't know if it's supported to have the console/api domain as a
subdomain of the router wildcard domain?

V/r,
James Cassell

> Problem is: I see all certificates in /etc/origin/master and
> especially /etc/origin/master/named_certificates, but apparently
> the web interface doesn't use it. openssl tells me:
>
> % openssl s_client -connect okd01.example.com:8443
> depth=1 CN = openshift-signer@1553169466
> verify error:num=19:self signed certificate in certificate chain
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/CN=172.19.96.96
>    i:/CN=openshift-signer@1553169466
>  1 s:/CN=openshift-signer@1553169466
>    i:/CN=openshift-signer@1553169466
> ---
> :
> :
>
> Please note the self signed certificates. For the cluster console
> I see the expected certificates instead:
>
> % openssl s_client -connect console.okd01.example.com:443
> depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN = root-CA
> verify return:1
> depth=1 C = DE, O = example AG, OU = example Certificate Authority, CN = tls-CA
> verify return:1
> depth=0 C = DE, O = example AG, CN = *.okd01.example.com
> verify return:1
> CONNECTED(00000003)
> ---
> Certificate chain
>  0 s:/C=DE/O=example AG/CN=*.okd01.example.com
>    i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>  1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
>    i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>  2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
>    i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
> ---
> Server certificate
> :
> :
>
> How come my named certificates have been lost/ignored? Are there
> additional steps required I was too blind to see?
>
>
> Every helpful comment is highly appreciated
> Harri
>
> _______________________________________________
> users mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
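The thread turns on reading `openssl s_client` output by hand to see whether an endpoint still serves the internal openshift-signer chain or the named certificate from the inventory. The following script, an added example that is not part of the thread or of OpenShift, automates that check: it parses the "Certificate chain" block and the `verify error` lines, extracts the leaf CN, and reports whether the chain is anchored in the internal signer. The two sample outputs are constructed from the ones quoted above; the function and field names (`assess`, `named_cert_in_use`, and so on) are this example's own. It inspects only the CN, not subjectAltName, which `s_client` does not print in this block.

```python
"""Check `openssl s_client` output for a still-active internal signer chain.

Example code, not part of the mailing-list thread or of OpenShift. Feed it the
text captured from `openssl s_client -connect host:port` and it reports whether
the served leaf certificate belongs to the expected host and whether the chain
is rooted in the cluster's internal 'openshift-signer' CA instead of the named
certificate configured in the inventory.
"""
import re
from dataclasses import dataclass

# Lines inside the "Certificate chain" block look like:
#  0 s:/CN=host            (subject, with its depth index)
#    i:/CN=issuer          (issuer of the entry above)
ENTRY_RE = re.compile(r'^\s*(\d+)\s+s:(.+)$')
ISSUER_RE = re.compile(r'^\s*i:(.+)$')
# Verify problems are printed before the chain, e.g. "verify error:num=19:..."
VERIFY_ERR_RE = re.compile(r'^verify error:num=(\d+):(.*)$')


@dataclass
class ChainEntry:
    depth: int
    subject: str
    issuer: str = ''


def parse_s_client(output: str):
    """Return (chain entries in depth order, list of (errnum, message))."""
    entries, errors = [], []
    in_chain = False
    for raw in output.splitlines():
        line = raw.rstrip()
        m = VERIFY_ERR_RE.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2)))
            continue
        if line.strip() == 'Certificate chain':
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == '---':      # separator that closes the chain block
            break
        m = ENTRY_RE.match(line)
        if m:
            entries.append(ChainEntry(int(m.group(1)), m.group(2).strip()))
            continue
        m = ISSUER_RE.match(line)
        if m and entries:
            entries[-1].issuer = m.group(1).strip()
    return entries, errors


def cn_of(dn: str) -> str:
    """Extract the CN from either '/C=DE/O=x/CN=host' or 'C = DE, O = x, CN = host'."""
    m = re.search(r'(?:^|[/,]\s*)CN\s*=\s*([^/,]+)', dn)
    return m.group(1).strip() if m else ''


def name_matches(pattern: str, host: str) -> bool:
    """CN match with single-label wildcard: '*.a.b' covers 'x.a.b' but not 'a.b' or 'y.x.a.b'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith('*.'):
        suffix = pattern[1:]
        return host.endswith(suffix) and '.' not in host[:-len(suffix)]
    return pattern == host


def assess(output: str, host: str, internal_marker: str = 'openshift-signer') -> dict:
    """Summarise whether `host` is being served by the named certificate."""
    entries, errors = parse_s_client(output)
    leaf_cn = cn_of(entries[0].subject) if entries else ''
    internal = any(internal_marker in e.issuer or internal_marker in e.subject for e in entries)
    matches = name_matches(leaf_cn, host)
    return {
        'chain_length': len(entries),
        'leaf_cn': leaf_cn,
        'leaf_matches_host': matches,
        'internal_signer': internal,
        'verify_errors': [num for num, _ in errors],
        # The named cert is in use only if the leaf fits the host, no internal
        # signer appears anywhere in the chain, and openssl raised no verify error.
        'named_cert_in_use': bool(entries) and matches and not internal and not errors,
    }


# Constructed samples, reconstructed from the two captures quoted in the thread.
API_OUTPUT = """\
depth=1 CN = openshift-signer@1553169466
verify error:num=19:self signed certificate in certificate chain
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=172.19.96.96
   i:/CN=openshift-signer@1553169466
 1 s:/CN=openshift-signer@1553169466
   i:/CN=openshift-signer@1553169466
---
Server certificate
"""

CONSOLE_OUTPUT = """\
depth=2 C = DE, O = example AG, OU = example Certificate Authority, CN = root-CA
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=DE/O=example AG/CN=*.okd01.example.com
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
 1 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=tls-CA
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
 2 s:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
   i:/C=DE/O=example AG/OU=example Certificate Authority/CN=root-CA
---
Server certificate
"""

if __name__ == '__main__':
    print('api    :', assess(API_OUTPUT, 'okd01.example.com'))
    print('console:', assess(CONSOLE_OUTPUT, 'console.okd01.example.com'))
```

Run it against a live capture with `openssl s_client -connect okd01.example.com:8443 </dev/null 2>&1 | python3 check_chain.py` after swapping the `__main__` block for a `sys.stdin.read()`; on the master API capture from the thread it reports `internal_signer: True` and verify error 19, on the console capture it reports the wildcard leaf matching the host with no errors.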
