Bug 1670282

Summary: Redux: The ca.crt created in pod by installer couldn't pass the SSL certificate verification
Product: OpenShift Container Platform
Reporter: Rich Megginson <rmeggins>
Component: apiserver-auth
Assignee: Erica von Buelow <evb>
Status: CLOSED DUPLICATE
QA Contact: Chuan Yu <chuyu>
Severity: high
Priority: high
Version: 4.1.0
CC: aos-bugs, eparis, jialiu, jokerman, mmccomas, rmeggins, slaznick, xtian
Target Milestone: ---
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of: 1654558
Last Closed: 2019-03-12 17:11:14 UTC
Bug Depends On: 1654558
Bug Blocks: 1669368

Comment 1 Rich Megginson 2019-01-29 07:20:02 UTC
    The latest installer has regressed to the previous behavior:

    oc extract -n openshift-logging secret/kibana-token-vllhs --to=.

    openssl x509 -in ca.crt -text|more

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2227887177059511823 (0x1eeb0b956c47ae0f)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: OU = openshift, CN = root-ca
            Validity
                Not Before: Jan 28 10:17:01 2019 GMT
                Not After : Jan 25 10:17:02 2029 GMT
            Subject: OU = bootkube, CN = kube-ca

    The ca.crt contains only the intermediate cert and not the root CA.
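
Added example (not code from this bug or from OpenShift): a dependency-free check that reports whether a PEM bundle such as the extracted ca.crt ends in a self-signed root, which is exactly what the comment above finds missing. `fake_cert_pem` builds a constructed, unsigned certificate skeleton purely as sample input; on a real file call `chain_report(open("ca.crt").read())`.

```python
import base64
import re

# Added example, not from the bug report: is a PEM CA bundle self-contained?
# It should end in a self-signed root (issuer == subject) and every issuer
# should be present. Only the DER needed to locate the issuer and subject
# Names is parsed; signatures are not verified.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(pem_text)]

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, tbs_start, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = _tlv(der, tbs_start)  # TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # optional EXPLICIT [0] version
        pos = end
    fields = []  # serialNumber, signature, issuer, validity, subject
    while pos < tbs_end and len(fields) < 5:
        _, _, end = _tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def chain_report(pem_text):
    """Does the bundle contain a self-signed root, and are any issuers absent?"""
    pairs = [issuer_and_subject(d) for d in pem_to_der_list(pem_text)]
    subjects = {s for _, s in pairs}
    dangling = [i for i, s in pairs if i != s and i not in subjects]
    return {"certs": len(pairs), "dangling_issuers": len(dangling),
            "has_self_signed_root": any(i == s for i, s in pairs)}

def _der(tag, body):  # short-form length only; enough for the sample below
    return bytes([tag, len(body)]) + body
def _name(cn):  # Name ::= SEQUENCE OF SET OF {OID 2.5.4.3 (commonName), UTF8String}
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned X.509 skeleton: sample input only, not a real cert."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn))
    cert = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

A bundle holding only the kube-ca intermediate reports no self-signed root and one dangling issuer (root-ca); appending the root-ca certificate clears both.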

Comment 2 Alex Crawford 2019-01-29 20:29:16 UTC
Like #1654558, this doesn't seem like an installer issue. Whoever is creating that secret needs to include the root CA. I'm assigning this to the Logging component to dig in further.

Comment 3 Rich Megginson 2019-01-29 21:05:52 UTC
(In reply to Alex Crawford from comment #2)
> Like #1654558, this doesn't seem like an installer issue. Whoever is
> creating that secret needs to include the root CA. I'm assigning this to the
> Logging component to dig in further.

Logging doesn't create the secret either - let's try the Security team.

Comment 5 Rich Megginson 2019-03-12 17:00:57 UTC
I'm reassigning this to the Auth team, but I don't really know which is the team that generates and distributes certs for the cluster, and should be aware of the openssl issue.

Comment 6 Standa Laznicka 2019-03-12 17:11:14 UTC
Looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1668534, reopen if it's still an issue, but I doubt that.

*** This bug has been marked as a duplicate of bug 1668534 ***