Description of problem:
If a Company CA is added to namedCertificates, the CA is added to ca-bundle.crt as well. This can cause client cert popups when using IE, Safari or Chrome if the user has client certs configured via the browser. OpenShift is making a request for client certificates but will ignore it if none are presented.

3.4-5: https://github.com/kubernetes/kubernetes/blob/release-1.5/pkg/genericapiserver/serve.go#L80
3.6: https://github.com/kubernetes/apiserver/blob/release-1.6/pkg/server/serve.go#L71-L77

We only need the clientCA to be set to the internal OpenShift CA used, "ca.crt", not the bundle.
https://github.com/openshift/openshift-ansible/blob/master/roles/openshift_master/templates/master.yaml.v1.j2#L106

Version-Release number of the following components: Latest

How reproducible: 100%

Steps to reproduce:
Add client certs that are signed by a CA referenced in ca-bundle.crt to Chrome.
Then access the OpenShift console.
*** Bug 1259029 has been marked as a duplicate of this bug. ***
Jordan, can you validate that not using the ca-bundle.crt, which includes the namedCertificates CA, is the correct thing to do here?
Yes, just the internal CA should be set for client cert CA, not the full bundle populated for named certificates
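To see why the choice of clientCA matters, here is an added example (not code from this bug, openshift-ansible or the apiserver): a Go program that stands up a TLS server with the same RequestClientCert setting as the linked serve.go, once with a pool built like ca-bundle.crt (internal CA plus a company CA) and once with only the internal CA, and records the acceptable-CA list the client receives in the server's CertificateRequest. The CA names, the self-signed test CAs and the httptest serving certificate are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/http/httptest"
	"time"
)

// newCA makes a throwaway self-signed CA; the names are constructed for this demo.
func newCA(cn string) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// AdvertisedCAs serves TLS as the linked serve.go does (RequestClientCert: ask for a client
// cert, accept none) with clientCA as the trusted pool, connects once, and returns the DER
// subject names the server listed in its CertificateRequest, the list browsers key the popup on.
func AdvertisedCAs(clientCA ...*x509.Certificate) [][]byte {
	pool := x509.NewCertPool()
	for _, ca := range clientCA {
		pool.AddCert(ca)
	}
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert, ClientCAs: pool}
	srv.StartTLS() // httptest supplies its own self-signed serving cert
	defer srv.Close()
	var acceptable [][]byte
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{
		InsecureSkipVerify: true, // the demo serving cert is not trusted by anything
		GetClientCertificate: func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			// Each entry equals some pool member's RawSubject.
			acceptable = append(acceptable, info.AcceptableCAs...)
			return &tls.Certificate{}, nil // send no client cert, like a browser user with none
		},
	})
	if err == nil {
		conn.Close()
	}
	return acceptable
}
```

With the bundle-style pool the CertificateRequest names both CAs, so a browser holding a cert from the company CA prompts; with the internal CA alone it names only that CA, which no browser user holds a cert from.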
Commit pushed to master at https://github.com/openshift/openshift-ansible
https://github.com/openshift/openshift-ansible/commit/60c770af09aaf5572b61d6d71ddda88db2dd7de2

Merge pull request #5698 from abutcher/servinginfo-client-ca

Automatic merge from submit-queue.

Bug 1493276: Setting servingInfo.clientCA to ca-bundle.crt can cause unwanted client cert popups in browser when hitting console
https://bugzilla.redhat.com/show_bug.cgi?id=1493276
Verified this bug with openshift-ansible-3.7.0-0.148.0.git.0.b35eb14.el7.noarch. For a fresh-install ocp-3.7 cluster, servingInfo.clientCA is now set to ca.crt by default. For an old env that was using ca-bundle.crt as servingInfo.clientCA, after running the /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml playbook it can be changed to ca.crt.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2017:3188