Bug 1310844 - generated certificate for google compute engine (gce) wrong
Status: CLOSED INSUFFICIENT_DATA
Product: OpenShift Origin
Classification: Red Hat
Component: Installer
Version: 3.x
Hardware: Unspecified Unspecified
Priority: unspecified
Severity: low
Assigned To: Jason DeTiberus
QA Contact: Ma xiaoqiang
Reported: 2016-02-22 14:03 EST by Aleksandar Kostadinov
Modified: 2016-07-03 20:46 EDT
Doc Type: Bug Fix
Last Closed: 2016-02-23 05:37:34 EST
Type: Bug

Attachments:
ca.crt (1.04 KB, text/x-vhdl), 2016-02-22 14:03 EST, Aleksandar Kostadinov
server.crt (2.55 KB, text/x-vhdl), 2016-02-22 14:03 EST, Aleksandar Kostadinov
server.key (1.64 KB, text/x-vhdl), 2016-02-22 14:04 EST, Aleksandar Kostadinov

Description Aleksandar Kostadinov 2016-02-22 14:03:14 EST
Created attachment 1129465: ca.crt

Description of problem:
The automatically generated certificate from the openshift-ansible playbook when installing on GCE is wrong. Firefox 44 and Chrome refuse to connect. Will attach the certificate files.

I suspect it is related to GCE using domain names containing only numbers, e.g. 245.36.148.146.bc.googleusercontent.com

I wonder if it's worth filing a Firefox issue or if there's any place to report that to Google.

I'm also wondering how to work around it for testing purposes. I may try using a plain IP, although that's ugly and the SSH configuration is not that nice.

Version-Release number of selected component (if applicable):
current latest

How reproducible:
always

Error from browser:
245.36.148.146.bc.googleusercontent.com:8443 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. (Error code: sec_error_unknown_issuer)
Comment 1 Aleksandar Kostadinov 2016-02-22 14:03 EST
Created attachment 1129466: server.crt
Comment 2 Aleksandar Kostadinov 2016-02-22 14:04 EST
Created attachment 1129467: server.key
Comment 3 Aleksandar Kostadinov 2016-02-22 15:04:51 EST
One detail, in inventory I used:

> 245.36.148.146.bc.googleusercontent.com openshift_public_hostname=245.36.148.146.bc.googleusercontent.com

That means specifying `openshift_public_hostname`.
Comment 4 Aleksandar Kostadinov 2016-02-22 16:08:23 EST
Is there any option to disable invalid certificates so that the IPs and bad hostnames are not included in the certificate?
Comment 5 Aleksandar Kostadinov 2016-02-23 00:15:07 EST
To clarify, I don't see a way to create an accessible web console when there is no good DNS name for the environment console endpoint.
Comment 6 Aleksandar Kostadinov 2016-02-23 05:37:34 EST
Very strange, I cannot reproduce today. I only know that yesterday I used a hardcoded version while today I'm using "latest" but I can't tell what version was in use yesterday. Will reopen if I manage to reproduce with any relevant version.
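
Added example, not part of the original report or of openshift-ansible: a triage script that separates a trust-chain failure (the class the quoted sec_error_unknown_issuer belongs to) from a hostname mismatch, using the all-numeric-label hostname from the report. The CA and server certificate are constructed throwaway stand-ins for the attached ca.crt and server.crt; the function names, `demo-ca`, `unrelated-ca` and `console.example.com` are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed material: a throwaway CA and server certificate stand in for the
# ca.crt / server.crt attached to the bug; the attachments themselves are not used.
HOST=245.36.148.146.bc.googleusercontent.com   # hostname from the report
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

selfsigned_ca() {  # $1 = file prefix, $2 = CN (both hypothetical names)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

make_certs() {
    selfsigned_ca ca demo-ca          # CA that signs the server certificate
    selfsigned_ca other unrelated-ca  # stands for a trust store lacking that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$HOST" > "$WORK/san.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/san.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Chain check: does the certificate verify against the client's CA bundle?
chain_ok() {  # $1 = CA bundle, $2 = certificate
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Name check: does the certificate cover the hostname?
name_ok() {   # $1 = certificate, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Report the first check that fails: chain first, then name.
triage() {    # $1 = CA bundle, $2 = certificate, $3 = hostname
    chain_ok "$1" "$2" || { echo unknown_issuer; return 0; }
    name_ok "$2" "$3"  || { echo name_mismatch; return 0; }
    echo ok
}

make_certs
echo "client trusts the signing CA: $(triage "$WORK/ca.crt" "$WORK/server.crt" "$HOST")"
echo "client lacks the signing CA:  $(triage "$WORK/other.crt" "$WORK/server.crt" "$HOST")"
echo "different hostname:           $(triage "$WORK/ca.crt" "$WORK/server.crt" console.example.com)"
```

To run the same two checks on real files, pass the installer's ca.crt and server.crt to `triage` in place of the constructed ones.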
