Description of problem:
External Logging SSO is failing the certificate verification.

Version-Release number of selected component (if applicable):
manageiq @b28dea8
manageiq-providers-kubernetes @4ea2250

How reproducible: 100%

Steps to Reproduce:
1. Add an OpenShift provider (with logging-ops support) with SSL-verification and custom CA
2. Click on Monitoring => External Logging

Actual results:
You are not redirected to Kibana with SSO and you get the message: Cannot validate certificate to 'kibana-ops.10.35.48.50.nip.io. Make sure that you use a certificate signed by the root Openshift Cert.error message: SSL_connect returned=1 errno=0 state=error: certificate verify failed

Expected results:
You should be redirected to Kibana with SSO and SSL-verified connection.

Additional info:
Not sure if there are implications in other components as openshift-ansible for the logging deployment.
I have installed openshift-enterprise with the same ansible version (openshift-ansible-3.5.72-1) but couldn't reproduce this. I am being logged in and getting the "no permissions ..." error message from https://bugzilla.redhat.com/show_bug.cgi?id=1454867
It seems that this fixed it: openshift_hosted_router_create_certificate=true Is that documented anywhere? How come we didn't remember that it's critical for this feature? It's even off by default.
Yes, I am sorry for not identifying this sooner. It was introduced in https://github.com/openshift/openshift-ansible/pull/3821 which helps us because ManageIQ needs to identify the router's certificate first. Where should this be documented?
(In reply to Erez Freiberger from comment #4)
> Where should this be documented?
Let's try to get it enabled by default first (and fallback to documentation if that can't be done).
I opened a PR for that: https://github.com/openshift/openshift-ansible/pull/4693
Created attachment 1362707: adding the provider with ssl validation
I added an OCP 3.6 with SSL validation (see the attachment) and I tried to navigate to external logging but I got an error message. I also verified that logging is up and running (as you can see below) and verified that logging works without validation.

[root@snaim-ocp-3-6-master ~]# oc get pods --all-namespaces
NAMESPACE         NAME                                            READY   STATUS    RESTARTS   AGE
default           docker-registry-1-n2hr7                         1/1     Running   0          5d
default           registry-console-1-6tlwz                        1/1     Running   0          5d
default           router-1-ctrnt                                  1/1     Running   0          5d
logging           logging-curator-1-qxhck                         1/1     Running   0          5d
logging           logging-curator-ops-1-06s1b                     1/1     Running   0          18s
logging           logging-es-data-master-1zlpxbqs-1-d4wpf         1/1     Running   0          5d
logging           logging-es-ops-data-master-2yp9mp9e-1-deploy    0/1     Error     0          5d
logging           logging-fluentd-65vhh                           1/1     Running   0          5d
logging           logging-fluentd-j7z3s                           1/1     Running   0          5d
logging           logging-fluentd-q8g7b                           1/1     Running   0          5d
logging           logging-kibana-1-zl1fk                          2/2     Running   0          5d
logging           logging-kibana-ops-1-sshs3                      2/2     Running   0          5d
openshift-infra   hawkular-cassandra-1-j8lsm                      1/1     Running   0          5d
openshift-infra   hawkular-metrics-188rp                          1/1     Running   0          5d
openshift-infra   heapster-l4xxc                                  1/1     Running   0          5d
This seems like an installation problem: the certificate for the route is not signing it correctly (subject=/CN=router.default.svc). We should take a look at the Ansible, as this should have been fixed in the 3.6 version of the installer with this backport https://github.com/openshift/openshift-ansible/pull/5042
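The symptom described in this comment, a router serving its internal service certificate (CN=router.default.svc) on a public route host, can be confirmed without the UI by checking which names the presented certificate actually covers. The checker below is an added example, not ManageIQ or openshift-ansible code; the two certificate dicts are constructed samples shaped like `ssl.getpeercert()` output, and the wildcard one assumes the router-generated certificate covers `*.<default subdomain>`.

```python
import socket
import ssl
from typing import List, Optional


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' is only allowed as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire first label, stand for exactly one label,
    # and not be a bare '*.tld' pattern.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> List[str]:
    """DNS names a verifier considers: SAN dNSName entries, else the subject CN."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def explain_mismatch(cert: dict, hostname: str) -> Optional[str]:
    """Return None when the certificate covers hostname, else a human-readable reason."""
    names = names_in_cert(cert)
    if any(_label_matches(n, hostname) for n in names):
        return None
    return f"certificate names {names} do not cover route host {hostname!r}"


def probe_route(hostname: str, cafile: str, port: int = 443) -> Optional[str]:
    """Live check of a route with the cluster CA bundle; None means it verifies."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((hostname, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return explain_mismatch(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        return f"verification failed: {exc.verify_message}"


# Constructed samples: the service cert from the bug, and a router wildcard cert.
ROUTER_SERVICE_CERT = {"subject": ((("commonName", "router.default.svc"),),)}
WILDCARD_ROUTER_CERT = {
    "subject": ((("commonName", "*.10.35.48.50.nip.io"),),),
    "subjectAltName": (("DNS", "*.10.35.48.50.nip.io"),),
}
```

`probe_route("kibana-ops.10.35.48.50.nip.io", "/path/to/openshift-ca.crt")` reproduces the check ManageIQ performs before SSO, with the CA path being whatever the provider was configured with.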
After debugging my OCP system we found that a wrong parameter was set in the installation inventory. After reinstalling the system, the issue was verified successfully.