Bug 1332273

Summary: self-signed TLS certificates for edge terminated routes
Product: OpenShift Online Reporter: Colin Walters <walters>
Component: RoutingAssignee: Abhishek Gupta <abhgupta>
Status: CLOSED CURRENTRELEASE QA Contact: zhaozhanqi <zzhao>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.xCC: aos-bugs, dakini
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-23 17:32:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Colin Walters 2016-05-02 18:37:19 UTC 
I started an instance of hello-openshift:

https://hello-openshift-stage.1ec1.dev-preview-int.openshiftapps.com/

The router appears to use self-signed certs by default though, which not only causes annoying warnings for human web browser users, it precludes https:// use by automated services (e.g. github webhooks).
Comment 1 Ben Bennett 2016-05-03 15:28:31 UTC 
You will need to set up your keys on your routes:
  https://docs.openshift.com/enterprise/3.1/dev_guide/routes.html

Or set up a wildcard cert for the default routing subdomain:
  https://docs.openshift.com/enterprise/3.1/install_config/install/deploy_router.html#using-wildcard-certificates
Comment 2 Colin Walters 2016-05-03 17:12:27 UTC 
I'm aware I could bring my own keys, but I'd expect Online v3 to offer this by default.

OpenShift v2 currently uses a wildcard *.rhcloud.com certificate from Digicert.

Right?
Comment 3 Ben Bennett 2016-05-03 17:44:01 UTC 
Oh! Online... sorry, completely missed that part.  Apologies.

Yeah, I assume they will issue a cert.  I'll reopen this.
Comment 4 Ben Bennett 2016-05-24 13:53:31 UTC 
Reassigning to Abhishek because this needs to be dispatched to whomever will get the Online SSL wildcard cert (if SSL will even be supported).
Comment 5 Stefanie Forrester 2016-05-24 20:07:03 UTC 
Tested SSL certs using utility below:

https://www.digicert.com/help/?host=test.1ec1.dev-preview-int.openshiftapps.com
https://www.digicert.com/help/?host=test.b795.dev-preview-stg.openshiftapps.com
https://www.digicert.com/help/?host=test.44fs.preview.openshiftapps.com


INT/STG/Prod pass.
Comment 6 Abhishek Gupta 2016-05-27 17:30:06 UTC 
Moving to ON_QA based on comment above by Stefanie.
Comment 7 zhaozhanqi 2016-05-31 08:32:07 UTC 
QE verified this bug on INT/STG.