When using Google's jib maven plugin to build and push images Online registry, the plugin complains about mismatching certificates: hostname in certificate didn't match: <registry.pro-us-east-1.openshift.com> != <*.b9ad.pro-us-east-1.openshiftapps.com> OR <*.b9ad.pro-us-east-1.openshiftapps.com> OR <b9ad.pro-us-east-1.openshiftapps.com> Steps to Reproduce: $ wget https://github.com/spring-projects/spring-petclinic/archive/master.zip $ unzip master $ cd spring-petclinic-master $ export PRJ_NAME=testprj $ oc login ONLINE $ oc new-project $PRJ_NAME $ mvn compile com.google.cloud.tools:jib-maven-plugin:0.9.6:build -Dimage=registry.pro-us-east-1.openshift.com/$PRJ_NAME/spring-petclinic
not sure who's responsible for setting up the registry cert in pro, but let's start w/ Stefanie.
The registry cert itself seems fine. It matches the hostname registry.pro-us-east-1.openshift.com: [dakini@localhost ~]$ curl -v --head https://registry.pro-us-east-1.openshift.com * Server certificate: * subject: C=US; ST=North Carolina; L=Raleigh; O=Red Hat Inc.; OU=RHC Cloud Operations; CN=*.pro-us-east-1.openshift.com * start date: May 19 00:00:00 2018 GMT * expire date: May 23 12:00:00 2019 GMT * subjectAltName: host "registry.pro-us-east-1.openshift.com" matched cert's "*.pro-us-east-1.openshift.com" * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 High Assurance Server CA
any idea where b9ad.pro-us-east-1.openshiftapps.com would be coming from?
(In reply to Ben Parees from comment #3) > any idea where b9ad.pro-us-east-1.openshiftapps.com would be coming from? The subdomain b9ad.pro-us-east-1.openshiftapps.com is what I see assigned to me on Online. All apps I create are under that domain but not sure how the registry is getting mixed up with that.
Seems like a jib issue to me. Can you get some verbose output from maven so maybe we can see what it actually thinks it is doing?
Created attachment 1459734 [details] maven logs
I get a completely different error: [ERROR] Failed to execute goal com.google.cloud.tools:jib-maven-plugin:0.9.6:build (default-cli) on project spring-petclinic: Build image failed: Tried to retrieve authentication method for registry.pro-us-east-1.openshift.com but failed because: Failed get authentication method from 'WWW-Authenticate' header | If this is a bug, please file an issue at https://github.com/GoogleContainerTools/jib/issues/new: Failed to authenticate with the registry because: 'service' was not found in the 'WWW-Authenticate' header, tried to parse: Bearer realm="https://registry.pro-us-east-1.openshift.com/openshift/token" -> [Help 1] but fundamentally i think you're more likely to get resolution to this by opening a Jib issue, it doesn't seem like our registry is configured incorrectly, so it may have something to do with how they are connecting to it/authenticating to it. (I performed a local docker login to the registry, so my docker config.json should have proper credentials, which Jib doc indicates it will use by default). I also can't get it to push to docker.io, with a different resulting error, i'm curious if you managed to get that working as a starting point?
Created a jib issue: https://github.com/GoogleContainerTools/jib/issues/659
Based on the latest comments on the issue it sounds like this is resolved. https://github.com/GoogleContainerTools/jib/issues/659#issuecomment-406369597