Description of problem: I tried to add letsencrypt certificate to openshift. I uploaded cert.pem + chain.pem + priv.pem and I got https working, but with B rating and chain incomplete message. When I used only fullchain.pem + priv.pem https worked and I got A record - chain was complete. More info can be found here - https://community.letsencrypt.org/t/this-servers-certificate-chain-is-incomplete-grade-capped-to-b-openshift/3665 Version-Release number of selected component (if applicable): Openshift v2 How reproducible: Apply letsencrypt certificate to openshift v2 using cert.pem + chain.pem + priv.pem Actual results: B rating and chain incomplete Expected results: A rating and chain complete Additional info:
It is possible that the problem lies in the normalization of encoding, whitespace, etc. that the management console performs when one uploads certificates. Do you see the same problem when you use the rhc command-line tool instead of the Web-based management console to upload the certificates? Here is documentation on installing the rhc client tool: https://developers.openshift.com/en/managing-client-tools.html Here is documentation on uploading certificates using rhc: https://developers.openshift.com/en/managing-domains-ssl.html#_command_line_rhc If you can answer the above question, that will help us narrow down whether the problem is in the management console, our httpd configuration, or possibly somewhere else. Thanks!
Hi, I am missing chain parameter in rhc: rhc alias update-cert <application_name> <domain_name> --certificate <cert_file> --private-key <key_file>
I believe one fix will solve this + 2 other current bzs: https://bugzilla.redhat.com/show_bug.cgi?id=1269637 https://bugzilla.redhat.com/show_bug.cgi?id=1268317 Solution could be to remove the 'SSL Certificate Chain' field in the web console, and to document clearly that cert + chain should be concatenated manually (cert 1st, then chain) and uploaded in the 'SSL Certificate*' field as a 'fullchainfile.pem' OR user should upload the 'fullchain.pem' if SSL cert provider automatically concatenates the cert + chain (letsencrypt does). This solution makes sense, especially since there is no 'SSL Certificate Chain' upload option in the rhc tool. The rhc tool options should match the web console options, correct?
Checked with devenv_5760, and the Cert Chain Field has been removed. And has prompted customers to upload a cert that put primary and intermediate certificates into a single file.
We apologize, however, we do not plan to address this report at this time. The majority of our active development is for the v3 version of OpenShift. If you would like for Red Hat to reconsider this decision, please reach out to your support representative. We are very sorry for any inconvenience this may cause.