Bug 1412799

Summary: HAProxy re-encrypt route returns 503 when certificate is expired
Product: OpenShift Container Platform Reporter: Sten Turpin <sten>
Component: RoutingAssignee: Ben Bennett <bbennett>
Status: CLOSED NOTABUG QA Contact: zhaozhanqi <zzhao>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.3.1CC: aos-bugs, bperkins, ramr, sten
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-01-30 19:24:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Sten Turpin 2017-01-12 20:03:48 UTC
Description of problem: When a re-encrypt route's destinationCAcertificate expires, the route returns 503s with no further explanation 

Version-Release number of selected component (if applicable):

How reproducible: always

Steps to Reproduce:
1. Create a re-encrypt route with an expired destinationCAcertificate

Actual results:
route returns 503 with no indication that the certificate is expired

Expected results:
the user should be notified that their certificate is expired 

Additional info:

Comment 1 Ben Bennett 2017-01-13 15:06:13 UTC
Is there anything in the router pod log?

Ram, do the extended validation changes we are backporting fix this?

Comment 2 Ram Ranganathan 2017-01-23 19:05:06 UTC
Depends on where the error is coming from. @Sten, what does
$ oc get route <route-name> -o yaml 

Does it say something like extended validation failed for the certificate. 
If that's the case, @Ben then this is fixed with the backports for the extended validation changes to 3.2 and 3.3

Otherwise, its something else we need to look at. Thx

Comment 3 Ben Bennett 2017-01-30 19:24:21 UTC
Closing due to inactivity.  If it is still happening, please re-open and provide the requested information.

Comment 4 Sten Turpin 2017-09-14 15:43:32 UTC
We haven't seen this issue since ~3.3