Bug 1493276
Summary: | Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | Ryan Howe <rhowe> |
Component: | Installer | Assignee: | Andrew Butcher <abutcher> |
Status: | CLOSED ERRATA | QA Contact: | Gaoyun Pei <gpei> |
Severity: | medium | Priority: | high |
Version: | 3.6.0 | CC: | aos-bugs, jiajliu, jliggitt, jokerman, mmccomas, sdodson |
Target Release: | 3.7.0 | Type: | Bug |
Hardware: | Unspecified | OS: | Unspecified |
Last Closed: | 2017-11-28 22:11:25 UTC | | |

Description
Ryan Howe
2017-09-19 19:27:00 UTC

*** Bug 1259029 has been marked as a duplicate of this bug. ***

Jordan, can you validate that not using the ca-bundle.crt which includes the nameCertificates CA is the correct thing to do here?

Yes, just the internal CA should be set for client cert CA, not the full bundle populated for named certificates.

Commit pushed to master at https://github.com/openshift/openshift-ansible

https://github.com/openshift/openshift-ansible/commit/60c770af09aaf5572b61d6d71ddda88db2dd7de2

Merge pull request #5698 from abutcher/servinginfo-client-ca

Automatic merge from submit-queue.

Bug 1493276: Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console

https://bugzilla.redhat.com/show_bug.cgi?id=1493276

Verify this bug with openshift-ansible-3.7.0-0.148.0.git.0.b35eb14.el7.noarch

For a fresh-install ocp-3.7 cluster, servingInfo.clientCA is now set to ca.crt by default.

For an old env which was using ca-bundle.crt as servingInfo.clientCA, after running the /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml playbook, it could be changed to ca.crt.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188
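
A check for the setting this bug is about, as an added example that is not part of the bug report or of openshift-ansible: it reads the top-level `servingInfo.clientCA` from a master-config.yaml given as an argument and warns when it names `ca-bundle.crt` or a file holding more than one certificate. The function names, the certificate-count heuristic, the relative-path rule and the sample config are assumptions made for the example.

```shell
# Added example: audit which CA file the API server requests client certs for.
# Print clientCA from the top-level servingInfo block only; indented blocks
# such as assetConfig.servingInfo are skipped.
top_level_client_ca() {
    awk -v sq="'" '
        /^[^ #]/ { in_block = ($0 ~ /^servingInfo:/) }
        in_block && /^ +clientCA:/ {
            sub(/^ +clientCA:[ \t]*/, ""); gsub(/"/, ""); gsub(sq, "")
            sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}
# Number of PEM certificates in a file (grep -c exits 1 when the count is 0).
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Returns 0 for a single-CA file, 1 for ca-bundle.crt or a multi-CA file,
# 2 when the setting or the file cannot be read.
check_client_ca() {
    ca=$(top_level_client_ca "$1")
    [ -n "$ca" ] || { echo "servingInfo.clientCA not set in $1"; return 2; }
    # Assumption: a relative path is resolved against the config's directory.
    case $ca in /*) path=$ca ;; *) path=$(dirname "$1")/$ca ;; esac
    [ -r "$path" ] || { echo "cannot read $path"; return 2; }
    n=$(cert_count "$path")
    if [ "$(basename "$ca")" = ca-bundle.crt ] || [ "$n" -gt 1 ]; then
        echo "WARN: clientCA=$ca ($n CA certificates); expected ca.crt"
        return 1
    fi
    echo "OK: clientCA=$ca ($n CA certificate)"
}

# Constructed sample: cut-down master-config.yaml and placeholder PEM markers.
make_sample() {
    pem='-----BEGIN CERTIFICATE-----'
    printf '%s\n' "$pem" > "$1/ca.crt"
    printf '%s\n' "$pem" "$pem" > "$1/ca-bundle.crt"
    cat > "$1/master-config.yaml" <<EOF
assetConfig:
  servingInfo:
    clientCA: ""
servingInfo:
  certFile: master.server.crt
  clientCA: $2
EOF
}

demo=$(mktemp -d)
make_sample "$demo" ca-bundle.crt; check_client_ca "$demo/master-config.yaml" || true
make_sample "$demo" ca.crt; check_client_ca "$demo/master-config.yaml" || true
rm -rf "$demo"
```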