I've managed to sort it out, once I have replaced the masterPublicURL with the new dns name it worked. Thank you!
On Fri, Apr 12, 2019, 17:17 Leo David <[email protected]> wrote:
> Thank you Tomas. I will try to separate urls and create a new entry for
> the public name, and attach the custom certificate first. This would be the
> most desirable case.
> Not sure how to do it at the moment though, still digging :)
>
> On Fri, Apr 12, 2019, 17:09 Tomas Nozicka <[email protected]> wrote:
>
>> Hi,
>>
>> I haven't tried messing with that but the reason is that console is
>> served from apiserver.
>>
>> But depending on what you are trying to achieve, you can wrap the
>> console (and apiserver) with a Route and get free http certificates
>> from Let's Encrypt like this:
>>
>> https://github.com/tnozicka/openshift-acme/issues/67#issuecomment-475314223
>> https://github.com/tnozicka/openshift-acme#screencast
>>
>> Sure, if your router fails, for recovery, admin needs to use the
>> unwrapped apiserver endpoint but an admin can easily set up that CA as
>> trusted or ssh into the machine.
>>
>> Regards,
>> Tomas
>>
>> On Fri, 2019-04-12 at 13:13 +0300, Leo David wrote:
>> > Hi Everyone,
>> > Running OKD 3.11, installed with ansible. I just need to use a
>> > custom self-signed certificate for the web console, and for some
>> > reason, I am not sure how to make the nodes trust this certificate
>> > too.
>> > I have changed the servingInfo section in /etc/origin/master/master-config.yaml
>> > as per the following (with italic only the added lines):
>> >
>> > servingInfo:
>> >   bindAddress: 0.0.0.0:8443
>> >   bindNetwork: tcp4
>> >   certFile: master.server.crt
>> >   clientCA: ca.crt
>> >   keyFile: master.server.key
>> >   maxRequestsInFlight: 500
>> >   requestTimeoutSeconds: 3600
>> >   namedCertificates:
>> >   - certFile: domain.cert
>> >     keyFile: domain.key
>> >     names:
>> >     - "lb.domain.internal"
>> > The certificate is generated and self signed for *.domain.internal.
>> >
>> > The problem is, that now the nodes do not trust this certificate:
>> > journalctl -fu origin-node
>> > Apr 12 10:01:04 os-compute-2.domain.internal origin-node[3602]: E0412 10:01:04.292369 3602 reflector.go:136] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list *v1.Pod: Get https://lb.domain.internal:8443/api/v1/pods?fieldSelector=spec.nodeName%3Dos-compute-2.domain.internal&limit=500&resourceVersion=0: x509: certificate signed by unknown authority
>> > Could anyone please advise me how to solve this?
>> > I would avoid regenerating all the certificates using the playbooks,
>> > I would rather prefer doing it manually if possible.
>> > Thank you very much!
>> >
>> > Leo
>> >
>> > _______________________________________________
>> > users mailing list
>> > [email protected]
>> > http://lists.openshift.redhat.com/openshiftmm/listinfo/users
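Added example, not from this thread or from the OKD project: a small Python check that, given the relevant part of master-config.yaml, reports which certificate the master would present for a hostname, so you can see whether a name that nodes connect to would be served the custom self-signed cert instead of the cluster-CA-issued default (the situation behind the "x509: certificate signed by unknown authority" error above). It assumes the server picks a namedCertificates entry by exact name first, then by a single-label wildcard, and otherwise falls back to servingInfo.certFile; the config dict and hostnames are constructed stand-ins.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the relevant part of master-config.yaml.
MASTER_CONFIG = {
    "masterPublicURL": "https://lb.domain.internal:8443",
    "servingInfo": {
        "certFile": "master.server.crt",  # issued by the cluster CA that nodes trust
        "keyFile": "master.server.key",
        "namedCertificates": [
            {"certFile": "domain.cert", "keyFile": "domain.key",
             "names": ["lb.domain.internal"]},
        ],
    },
}


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a leftmost single-label wildcard such as *.domain.internal."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    # The wildcard must cover exactly one label: a.b.domain.internal does not match.
    return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])


def served_cert(config: dict, host: str) -> str:
    """Certificate file the master would present for this SNI hostname (assumed order)."""
    serving = config["servingInfo"]
    named = serving.get("namedCertificates", [])
    for entry in named:  # exact names win over wildcards
        if host.lower() in (n.lower() for n in entry["names"]):
            return entry["certFile"]
    for entry in named:
        if any(name_matches(n, host) for n in entry["names"]):
            return entry["certFile"]
    return serving["certFile"]


def hosts_not_on_cluster_ca(config: dict, internal_hosts) -> list:
    """Hostnames used by kubelets that would receive a cert other than the default.

    Every host listed here needs its issuing CA in the nodes' trust store,
    otherwise origin-node logs 'x509: certificate signed by unknown authority'.
    """
    default = config["servingInfo"]["certFile"]
    return [h for h in internal_hosts if served_cert(config, h) != default]


def public_host(config: dict) -> str:
    """Hostname browsers use for the console, taken from masterPublicURL."""
    return urlsplit(config["masterPublicURL"]).hostname
```

Moving the custom certificate to a dedicated public name (and pointing masterPublicURL at it) makes `hosts_not_on_cluster_ca` return an empty list for the node-facing names, which is the configuration the thread ends up with.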
