Bug 1885343
| Field | Value |
|---|---|
| Summary | Console doesn't load in iOS Safari when using self-signed certificates |
| Product | OpenShift Container Platform |
| Component | Management Console |
| Version | 4.6 |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | unspecified |
| Target Release | 4.7.0 |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Samuel Padgett <spadgett> |
| Assignee | Rastislav Wagner <rawagner> |
| QA Contact | Yadan Pei <yapei> |
| CC | aos-bugs, jokerman, rawagner, yapei |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2021-02-24 15:23:10 UTC |
| Bug Blocks | 1885442 |

Doc Text:
Cause: iOS does not support connecting via secure WebSocket with a self-signed certificate.
Consequence: Console shows a white screen.
Fix: If the wss connection is not successful, fall back to https.
Result: Console loads properly.

Environment:
Version: 4.6.0-0.nightly-2020-10-03-051134
Cluster ID: c7f3e0ae-f822-422d-bb6c-8ccb9b2cb318
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0

Description
Samuel Padgett
2020-10-05 16:31:58 UTC
=== Below are steps checked against 4.7.0-0.ci-2020-10-12-222453

1. Add self-signed certificate using below steps

Part I: Set a custom default certificate for ingress

1. Create a Secret resource containing the custom certificate in the openshift-ingress namespace using the generated apps.crt and apps.key files in Setup (refer to steps in Setup)
   $ oc --namespace openshift-ingress create secret tls custom-certs-default --cert=/path/to/self-signed/apps.crt --key=/path/to/self-signed/apps.key
   secret/custom-certs-default created

2. Update the IngressController CR to reference the new certificate secret:
   $ oc patch --type=merge --namespace openshift-ingress-operator ingresscontrollers/default --patch '{"spec":{"defaultCertificate":{"name":"custom-certs-default"}}}'
   ingresscontroller.operator.openshift.io/default patched

3. Verify the update was effective:
   $ oc get --namespace openshift-ingress-operator ingresscontrollers/default --output jsonpath='{.spec.defaultCertificate}'

Part II: Add your privately signed CA certificates as trustedCA

4. Create a ConfigMap with root CA pem
   $ oc create configmap user-ca-bundle --from-file=ca-bundle.crt=/path/to/ca.pem -n openshift-config

5. Edit Proxy project spec.trustedCA to include your privately signed CA certificates
   $ oc edit proxy cluster
   .....
   spec:
     trustedCA:
       name: user-ca-bundle

Part III: Wait until all ingress, console pods are restarted

Part IV: Verify new console is working correctly. I can verify that new console is using self-signed certificate by viewing certificate info in browser address bar with Chrome/FF/MacOS Safari

2. Then visit console route on iOS Safari, didn't trust the certificate and a blank page is returned

A dialog will be prompted:

   Cannot Verify Server Identity
   The identity of "console-openshift-console.apps.qe-xxxx.qe.devcluster.openshift.com" cannot be verified by Safari. Review the certificate details to continue

Click 'Continue' (didn't view Details and Trust), then a blank page is returned

Then I tried to visit a 46 cluster with default signing certificate, also didn't trust the certificate, a blank page is returned

@Rastislav Wagner Could you help confirm my verification steps and let me know if there is anything wrong. Maybe the CI build does not contain the fix yet?

Your steps look good to me. I went with this guide https://github.com/openshift/console#deploying-a-custom-image-to-an-openshift-cluster - deployed my own custom image based on latest master and iOS worked.

Moving to VERIFIED since iPhone6, 11 and iPad 6 works after following steps in comment 2 to specify custom certificate

Verified on 4.7.0-0.nightly-2020-10-21-001511

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
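
The Doc Text describes the fix as falling back to https when the wss connection is not successful. The sketch below shows that pattern as an added example, not the console's own code: `openWatch`, the injected `createSocket` and `startPolling` hooks, the fake socket and the `console.example.test` URLs are all assumptions made for illustration. It also rejects a fallback that would leave TLS or move to a different host, so the workaround cannot become a transport downgrade.

```javascript
// Hypothetical helper: open a wss watch and, if the socket fails before it
// ever opens (the iOS Safari behaviour in this bug), poll over https instead.
function openWatch({ wsUrl, pollUrl, createSocket, startPolling }) {
  const ws = new URL(wsUrl);
  const poll = new URL(pollUrl);
  // The fallback must not weaken transport security: TLS only, same host.
  if (ws.protocol !== 'wss:' || poll.protocol !== 'https:' || ws.host !== poll.host) {
    throw new Error('watch endpoints must be wss:/https: on the same host');
  }

  const state = { transport: 'connecting', stop: null };
  let opened = false;
  let fellBack = false;

  const fallBack = () => {
    // A socket that did open is not a handshake failure; fall back only once.
    if (opened || fellBack) return;
    fellBack = true;
    state.transport = 'https-poll';
    state.stop = startPolling(poll.href);
  };

  const socket = createSocket(ws.href);
  socket.onopen = () => { opened = true; state.transport = 'wss'; };
  socket.onerror = fallBack; // browsers fire error and then close
  socket.onclose = fallBack;
  return state;
}

// Constructed stand-in for a browser WebSocket so the example runs offline.
function fakeSocket() {
  return { onopen: null, onerror: null, onclose: null };
}

// Drives one connection attempt; handshakeSucceeds=false models the failed
// wss handshake against an untrusted certificate.
function demo(handshakeSucceeds) {
  let sock;
  const polled = [];
  const state = openWatch({
    wsUrl: 'wss://console.example.test/api/watch',   // constructed URL
    pollUrl: 'https://console.example.test/api/list', // constructed URL
    createSocket: () => (sock = fakeSocket()),
    startPolling: (url) => { polled.push(url); return () => {}; },
  });
  if (handshakeSucceeds) sock.onopen();
  else { sock.onerror(); sock.onclose(); }
  return { transport: state.transport, polled };
}
```
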