Bug 1310844 - generated certificate for google compute engine (gce) wrong
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: OKD
Classification: Red Hat
Component: Installer
Version: 3.x
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Assignee: Jason DeTiberus
QA Contact: Ma xiaoqiang
 
Reported: 2016-02-22 19:03 UTC by Aleksandar Kostadinov
Modified: 2016-07-04 00:46 UTC

Doc Type: Bug Fix
Last Closed: 2016-02-23 10:37:34 UTC

Attachments
ca.crt (1.04 KB, text/x-vhdl), 2016-02-22 19:03 UTC, Aleksandar Kostadinov
server.crt (2.55 KB, text/x-vhdl), 2016-02-22 19:03 UTC, Aleksandar Kostadinov
server.key (1.64 KB, text/x-vhdl), 2016-02-22 19:04 UTC, Aleksandar Kostadinov

Description Aleksandar Kostadinov 2016-02-22 19:03:14 UTC
Created attachment 1129465: ca.crt

Description of problem:
The automatically generated certificate from the openshift-ansible playbook when installing on GCE is wrong. Firefox 44 and Chrome refuse to connect. Will attach the certificate files.

I suspect it is related to GCE using domain names containing only numbers, e.g. 245.36.148.146.bc.googleusercontent.com

I wonder if it's worth filing a Firefox issue or if there's any place to report that to Google.

I'm also wondering how to work around this for testing purposes. I may try using a plain IP, although that's ugly and the SSH configuration is not that nice.

Version-Release number of selected component (if applicable):
current latest

How reproducible:
always

error from browser:
245.36.148.146.bc.googleusercontent.com:8443 uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. (Error code: sec_error_unknown_issuer)

Comment 1 Aleksandar Kostadinov 2016-02-22 19:03:52 UTC
Created attachment 1129466: server.crt

Comment 2 Aleksandar Kostadinov 2016-02-22 19:04:17 UTC
Created attachment 1129467: server.key

Comment 3 Aleksandar Kostadinov 2016-02-22 20:04:51 UTC
One detail, in inventory I used:

> 245.36.148.146.bc.googleusercontent.com openshift_public_hostname=245.36.148.146.bc.googleusercontent.com

That means specifying `openshift_public_hostname`.

Comment 4 Aleksandar Kostadinov 2016-02-22 21:08:23 UTC
Is there any option to disable invalid certificates so that the IPs and bad hostnames are not included in the certificate?

Comment 5 Aleksandar Kostadinov 2016-02-23 05:15:07 UTC
To clarify, I don't see a way to create an accessible web console when there is no good DNS name for the environment console endpoint.

Comment 6 Aleksandar Kostadinov 2016-02-23 10:37:34 UTC
Very strange, I cannot reproduce today. I only know that yesterday I used a hardcoded version, while today I'm using "latest", but I can't tell what version was in use yesterday. Will reopen if I manage to reproduce with any relevant version.

