Hi Harald,

I've been struggling with this issue for a couple of months now.

We have OpenShift deployed on AWS; an Elastic Load Balancer of type NLB (network load balancer) distributes the traffic over the three master nodes. We have a firewall doing man-in-the-middle decryption on the traffic going back and forth.

From the command line, curl works pretty much fine. But when using the openssl client, it shows the internal OpenShift certificates. I tried the steps mentioned in this thread but none of them worked for me. We have another OpenShift 3.10 cluster where we didn't face this issue.

The only conclusion I have is that when you hit the masters at TCP layer 4, OpenShift responds with the default certificates. It's like the named_certificates section works at layer 7 and, hitting lower than that, you get the default certificate.

On 4/1/19 3:13 AM, Harald Dunkel wrote:
Hi folks,

On 3/26/19 4:48 PM, Harald Dunkel wrote:

Problem is: I see all certificates in /etc/origin/master and
especially /etc/origin/master/named_certificates, but apparently
the web interface doesn't use it. openssl tells me:

% openssl s_client -connect okd01.example.com:8443
depth=1 CN = openshift-signer@1553169466
verify error:num=19:self signed certificate in certificate chain
CONNECTED(00000003)
---
Certificate chain
  0 s:/CN=172.19.96.96
    i:/CN=openshift-signer@1553169466
  1 s:/CN=openshift-signer@1553169466
    i:/CN=openshift-signer@1553169466
---
:
:

This seems to come up only if the web browser runs in the same subnet
as the web interface. If the browser runs in another subnet (e.g. on
my laptop connected via IPsec), then I see the expected certificate
chain.

Every helpful comment is highly appreciated
Harri

_______________________________________________
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users

--
Regards,
Ahmed Ossama
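OpenShift's named_certificates are selected by the TLS server-name extension (SNI), so a client that does not send SNI (older `openssl s_client` without `-servername`, or a middlebox that reconnects without it) is handed the default serving certificate signed by the cluster's internal `openshift-signer@...` CA. The script below is an added diagnostic, not code from this thread or from the OpenShift project: it parses the "Certificate chain" block of `openssl s_client` output, flags a leaf issued by the internal signer, and compares a run made without SNI against one made with it. It embeds Harald's output quoted above as the no-SNI sample; the with-SNI sample, the host name `okd01.example.com` and the "Example Corp" CA names are constructed assumptions.

```python
"""Parse `openssl s_client` output and tell whether the leaf certificate an
OpenShift master presented is the default serving cert (issued by the
internal openshift-signer CA) or a named certificate. Comparing a run made
without SNI against one made with SNI shows whether the server selects its
certificate by server name."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Matches "  0 s:/CN=..." (OpenSSL 1.0/1.1.0) and " 0 s:CN = ..." (1.1.1+)
SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

INTERNAL_SIGNER = "openshift-signer@"  # CN prefix of the cluster-internal CA

# Output quoted in the thread: openssl s_client run without -servername
WITHOUT_SNI = """\
depth=1 CN = openshift-signer@1553169466
verify error:num=19:self signed certificate in certificate chain
CONNECTED(00000003)
---
Certificate chain
  0 s:/CN=172.19.96.96
    i:/CN=openshift-signer@1553169466
  1 s:/CN=openshift-signer@1553169466
    i:/CN=openshift-signer@1553169466
---
"""

# Constructed sample (assumption): the same host answering a client that
# sent SNI for okd01.example.com, with a named certificate from a custom CA
WITH_SNI = """\
CONNECTED(00000003)
---
Certificate chain
  0 s:/CN=okd01.example.com
    i:/O=Example Corp/CN=Example Issuing CA
  1 s:/O=Example Corp/CN=Example Issuing CA
    i:/O=Example Corp/CN=Example Root CA
---
"""


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in server order from the
    'Certificate chain' block; index 0 is the leaf the server presented."""
    chain: List[Tuple[str, str]] = []
    in_block = False
    subject: Optional[str] = None
    for line in s_client_output.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped == "---":  # separator that closes the chain block
            break
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def leaf_is_internal_default(chain: List[Tuple[str, str]]) -> bool:
    """True when the presented leaf was issued by the internal signer CA,
    i.e. the default serving certificate rather than a named certificate."""
    if not chain:
        return False
    _subject, issuer = chain[0]
    return INTERNAL_SIGNER in issuer


def diagnose(without_sni: str, with_sni: str) -> Dict[str, object]:
    """Compare two s_client runs against the same host:port."""
    plain = parse_chain(without_sni)
    sni = parse_chain(with_sni)
    return {
        "leaf_without_sni": plain[0][0] if plain else None,
        "leaf_with_sni": sni[0][0] if sni else None,
        "default_without_sni": leaf_is_internal_default(plain),
        "default_with_sni": leaf_is_internal_default(sni),
        # Different leaves mean the server picks its certificate by SNI
        "selects_by_sni": bool(plain and sni and plain[0] != sni[0]),
    }


def run_s_client(host: str, port: int, servername: Optional[str] = None) -> str:
    """Live variant (not used by the offline demo): run `openssl s_client`
    against a real master. Only -connect and -servername are used here."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if servername:
        cmd += ["-servername", servername]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    for key, value in diagnose(WITHOUT_SNI, WITH_SNI).items():
        print(f"{key}: {value}")
```

For a live check, call `run_s_client(host, 8443)` and `run_s_client(host, 8443, servername=host)` and feed both strings to `diagnose`. Note that OpenSSL 1.1.1 and later send SNI by default even without `-servername`, so on those releases the "without SNI" run needs `-noservername` to reproduce what the older client in the thread saw.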
