Red Hat Bugzilla – Bug 1459092
External Logging SSO failing SSL certificate verification
Last modified: 2017-12-04 12:01:35 EST
Description of problem:
External Logging SSO is failing the certificate verification.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Add an OpenShift provider (with logging-ops support) with SSL-verification and custom CA
2. Click on Monitoring => External Logging
You are not redirected to Kibana with SSO and you get the message:
Cannot validate certificate to 'kibana-ops.10.35.48.50.nip.io. Make sure that you use a certificate signed by the root Openshift Cert.error message: SSL_connect returned=1 errno=0 state=error: certificate verify failed
You should be redirected to Kibana with SSO and SSL-verified connection.
Not sure if there are implications in other components as openshift-ansible for the logging deployment.
I have installed openshift-enterprise with the same ansible version (openshift-ansible-3.5.72-1) but couldn't reproduce this. I am being logged in and getting the "no permissions ..." error message from https://bugzilla.redhat.com/show_bug.cgi?id=1454867
It seems that this fixed it:
Is that documented anywhere? How come we didn't remember that it's critical for this feature?
It's even off by default.
Yes, I am sorry for not identifying this sooner. It was introduced in https://github.com/openshift/openshift-ansible/pull/3821 which helps us because ManageIQ needs to identify the router's certificate first.
Where should this be documented?
(In reply to Erez Freiberger from comment #4)
> Where should this be documented?
Let's try to get it enabled by default first (and fallback to documentation if that can't be done).
I opened a PR for that: https://github.com/openshift/openshift-ansible/pull/4693
Created attachment 1362707 [details]
adding the provider with ssl validation
I added an OCP 3.6 with SSL validation (see the attachment) and I tried to navigate to external logging but I got an error message
I also verified that logging is up and running (as you can see below) and verified that logging works without validation
[root@snaim-ocp-3-6-master ~]# oc get pods --all-namespaces
NAMESPACE NAME READY STATUS RESTARTS AGE
default docker-registry-1-n2hr7 1/1 Running 0 5d
default registry-console-1-6tlwz 1/1 Running 0 5d
default router-1-ctrnt 1/1 Running 0 5d
logging logging-curator-1-qxhck 1/1 Running 0 5d
logging logging-curator-ops-1-06s1b 1/1 Running 0 18s
logging logging-es-data-master-1zlpxbqs-1-d4wpf 1/1 Running 0 5d
logging logging-es-ops-data-master-2yp9mp9e-1-deploy 0/1 Error 0 5d
logging logging-fluentd-65vhh 1/1 Running 0 5d
logging logging-fluentd-j7z3s 1/1 Running 0 5d
logging logging-fluentd-q8g7b 1/1 Running 0 5d
logging logging-kibana-1-zl1fk 2/2 Running 0 5d
logging logging-kibana-ops-1-sshs3 2/2 Running 0 5d
openshift-infra hawkular-cassandra-1-j8lsm 1/1 Running 0 5d
openshift-infra hawkular-metrics-188rp 1/1 Running 0 5d
openshift-infra heapster-l4xxc 1/1 Running 0 5d
This seems like an installation problem; the certificate for the route is not signing it correctly (subject=/CN=router.default.svc).
We should take a look at the ansible as this should have been fixed in the 3.6 version of the installer with this backport https://github.com/openshift/openshift-ansible/pull/5042
After debugging my OCP system we found that a wrong parameter was set in the installation inventory.
After reinstalling the system, the issue was verified successfully.
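Added example (my own, not code from the bug report or from openshift-ansible): a POSIX shell check that separates the two ways the verification in this bug can fail, a route cert that does not chain to the custom CA versus one that chains but carries the router's default subject (CN=router.default.svc) instead of the Kibana route hostname. It assumes the openssl CLI; the CA and leaf it builds are constructed for the demo, and kibana-ops.example.test is a placeholder hostname.

```shell
#!/bin/sh
# Added example, not code from the bug or openshift-ansible. Runs the two checks
# a client with SSL verification makes against a route's serving certificate:
# does it chain to the custom CA, and does its subject/SAN match the hostname?
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed PKI for the demo: a CA, an unrelated second CA, and a leaf whose
# subject is the router default CN (router.default.svc) rather than the Kibana
# route hostname, mirroring the mismatch diagnosed in this bug.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
    -keyout "$WORK/other.key" -out "$WORK/other-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=router.default.svc" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# fetch_route_cert HOST PORT OUTFILE: save the certificate a live route actually
# serves, so the same checks can be run against a real kibana-ops route.
fetch_route_cert() {
  openssl s_client -servername "$1" -connect "$1:$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# check_route_cert CA_FILE CERT_FILE HOSTNAME
# returns 0 when chain and hostname are fine, 1 when the cert does not chain
# to CA_FILE, 2 when it chains but the subject/SAN does not match HOSTNAME.
check_route_cert() {
  ca=$1; cert=$2; host=$3
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "chain check failed: $cert is not signed by $ca" >&2
    return 1
  fi
  if ! openssl verify -CAfile "$ca" -verify_hostname "$host" "$cert" >/dev/null 2>&1; then
    echo "hostname check failed: $(openssl x509 -in "$cert" -noout -subject) vs $host" >&2
    return 2
  fi
  echo "ok: $cert chains to $ca and matches $host"
}

# Demo on the constructed PKI: passes for the router CN, fails for a Kibana host.
make_test_pki
check_route_cert "$WORK/ca.pem" "$WORK/leaf.pem" router.default.svc
check_route_cert "$WORK/ca.pem" "$WORK/leaf.pem" kibana-ops.example.test || echo "exit status $?"
```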