Red Hat Bugzilla – Bug 1373788
When master port is 443, oc start build by webhook from webconsole lost url port and failed with unknown signed certification.
Last modified: 2017-03-08 13:43 EST
Description of problem: Start build by webhook url from console(no port for the webhookurl) failed with unknown signed certification. Version-Release number of selected component (if applicable): oc/openshift 3.3.0.30 How reproducible: Always Steps to Reproduce: 1. oc process -f https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json | oc create -f - 2. Go to web console, go to build config page, check "Configuration" and copy the link of "GitHub webhook URL" 3. oc start-build --from-webhook='https://xxx/oapi/v1/namespaces/xiaocwan-sti/buildconfigs/ruby-sample-build/webhooks/secret101/generic' --loglevel=8 Actual results: 2 "GitHub webhook URL" and "GitHub webhook URL" on web-console lost the port (:443) compared to `oc describe bc/<bc>` 3 Start build with webhook (without port) will lead the below error: Unable to connect to the server: x509: certificate signed by unknown authority I0907 10:28:35.308518 26281 startbuild.go:609] Triggering hook https://xxx/oapi/v1/namespaces/xiaocwan-p/buildconfigs/ruby-sample-build/webhooks/secret101/github I0907 10:28:36.168264 26281 helpers.go:199] Connection error: Post https://xxx/oapi/v1/namespaces/xiaocwan-p/buildconfigs/ruby-sample-build/webhooks/secret101/github: x509: certificate signed by unknown authority F0907 10:28:36.168322 26281 helpers.go:110] Unable to connect to the server: x509: certificate signed by unknown authority Expected results: 2. webhook url on web console should keep same with `oc describe bc` 3. New build start with "build "ruby-sample-build-2" started" Additional info: `oc describe bc/<bc>` has the port and it will not raise the error. Not reproduced on env:8443
443 is an optional port, it should not be required, it looks like there is a bug on oc start-build
sorry didn't realize Cesar had a pull open for this: https://github.com/openshift/origin/pull/10836
Reproduced by same steps as comment 0 on latest origin which port is 8443, ami: rhel7_5101 oc/openshift v1.4.0-alpha.0+75ee6c9 Please refer to attachment for the full log.
@XiaochuanWang I'm not sure that you reproduced the issue. If you logged in to the cluster and decided to skip certificate verification, then you will still get a certificate error when invoking start-build --from-webhook. However, if you are logged in with a valid certificate (oc login --certificate-authority=/path/to/ca.crt), then the webhook invocation should not complain about an invalid certificate. This part was working as long as the URL to the cluster had a port that was not 443. If the URL to the cluster had a 443 port, then you could reproduce this bug.
Not reproduced on OCP openshift 3.3.1.1 Steps: 1. oc new-app https://raw.githubusercontent.com/openshift/origin/master/examples/sample-app/application-template-stibuild.json 2. Go to web console, go to build config page, check "Configuration" and copy the link of "Generic webhook URL" 3. oc start-build --from-webhook='https://xxx:8443/oapi/v1/namespaces/xiaocwan-sti/buildconfigs/ruby-sample-build/webhooks/secret101/generic' New build started, URL from web console is same with `oc describe bc`. (To compare:) # oc start-build --from-webhook='https://xxx/oapi/v1/namespaces/xiaocwan-sti/buildconfigs/ruby-sample-build/webhooks/secret101/generic' The connection to the server xxx.xxx.xxx.com was refused - did you specify the right host or port?
Also not reproduced on OCP openshift/oc 3.3.1.1 with port 443 env, steps are same as Comment 6.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0066