Bug 1805091

Summary:	After replacing openshift-ingress certificate not able to access jenkins
Product:	OpenShift Container Platform	Reporter:	mmariyan
Component:	Jenkins	Assignee:	Vibhav Bobade <vbobade>
Status:	CLOSED DUPLICATE	QA Contact:	XiuJuan Wang <xiuwang>
Severity:	high	Docs Contact:
Priority:	unspecified
Version:	4.3.z	CC:	abenaiss, aos-bugs, pbhattac, vbobade
Target Milestone:	---
Target Release:	4.5.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-03-18 22:28:09 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description mmariyan 2020-02-20 08:44:22 UTC

Description of problem:

After the default router certificate replaced except jenkins UI can accesible all the routes like prometheus,console ..etc

The jenkins route succsfully redirect to oauth and when again redirect to jenkins we are getting error.


Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:

1) apply private ingress certificates ( **not publicly issued certs )  by following https://docs.openshift.com/container-platform/4.2/authentication/certificates/replacing-default-ingress-certificate.html

2) deploy jenkins or try to access already deployed jenkins.

result: Jenkins UI not accessible 

Actual results:

not able to access jenkins UI

Expected results:
it should accessible jenkins UI

Additional info:

Comment 2 Vibhav Bobade 2020-02-24 12:21:25 UTC

 Hello mmariyan,

Can you confirm that this bug is the same as https://bugzilla.redhat.com/show_bug.cgi?id=1804345
If so, we can mark this as a clone and track it in one single place.

Comment 3 Vibhav Bobade 2020-02-28 03:44:45 UTC

Hello mmariyan,

Currently Jenkins does not support customCA explicitly, but to make it easier I am working on a feature for the Login Plugin it should make things easier.
Please consider the blow as a workaround.

The new feature should be able to add the certificate directly to the default JVM TrustStore.

1> Get the default keyStore.

oc rsync jenkins-1-8zbx2:/etc/pki/java ./custom-java

2> Add certificate to keystore

sudo keytool -keystore ./custom-java/cacerts -import -alias custom-ingress -file ./example.crt

3> Create a ConfigMap from the custom keystore

oc create configmap jenkins-custom-keystore --from-file=./custom-java/cacerts

4> Edit DeploymentConfig for using the custom Keystore with the following changes.

spec:
  template:
    spec:
      containers:
      - env:
        - name: JAVA_TOOL_OPTIONS
          value: "-XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -Dsun.zip.disableMemoryMapping=true -Djavax.net.ssl.trustStore=/etc/pki/java/cacerts"
        volumeMounts: 
        - mountPath: /etc/pki/java/cacerts
          name: jenkins-custom-keystore
      volumes:
      - name: jenkins-custom-keystore
        configMap:
          name: jenkins-custom-keystore

Hope this helps,

Regards

Comment 4 Akram Ben Aissi 2020-03-18 22:28:09 UTC


*** This bug has been marked as a duplicate of bug 1804345 ***

Comment 5 Red Hat Bugzilla 2023-09-14 05:52:55 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days