Bug 1651392 - OCP cluster with custom certificates prevents standard fuse plugin from working [NEEDINFO]
Summary: OCP cluster with custom certificates prevents standard fuse plugin from working
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Fuse
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.6.z
Assignee: Kurt T Stam
QA Contact: Wenjing Zheng
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-11-19 22:07 UTC by Eric Jones
Modified: 2019-11-20 19:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
hgomes: needinfo? (kurt.stam)
erjones: needinfo? (kurt.stam)
kurt.stam: needinfo? (erjones)



Description Eric Jones 2018-11-19 22:07:30 UTC
Description of problem:
Customer has an OCP 3.10 cluster with custom certs. Following [0], the customer sees the error message [1] (attaching full log shortly).

Customer worked around the issue in some instances due to the ability to "add the cert from our master to cacerts file in my jre/lib/security directory on my Mac using keytool" but could not perform the same action using a Windows machine.

[0] https://access.redhat.com/documentation/en-us/red_hat_fuse/7.1/html-single/fuse_on_openshift_guide/#get-started-s2i-binary

[1] 
[WARNING] F8: Cannot access cluster for detecting mode: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 19.883 s
[INFO] Finished at: 2018-10-15T16:44:39-05:00
[INFO] Final Memory: 43M/673M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal io.fabric8:fabric8-maven-plugin:3.5.40:deploy (default-cli) on project booster: An error has occurred. sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Version-Release number of selected component (if applicable):
OCP 3.9 
7.1.0.fuse-710019-redhat-00002

Comment 2 Kurt Stam 2018-11-20 11:02:24 UTC
Eric Jones, is the customer certificate a self-signed certificate? If it is, what is the user's expectation? IMO he should - like they did - add the cert to the JRE, so why would this be a workaround? Is the bug that this doesn't work on Windows?

Comment 3 Kurt Stam 2018-11-20 11:10:55 UTC
Or is it that the user wants to trust the cert no matter what, using something like a system param of KUBERNETES_TRUST_CERT=true?

Comment 4 Eric Jones 2018-11-20 22:08:46 UTC
Hi Kurt,

I am fairly sure that it is not a Self-Signed cert, just a cert provided by the customer, not the default cert generated by the installation of OpenShift.

The reason I logged the bug is that the install should have the ability to trust the cluster's certificates (like a system/cluster parameter similar to KUBERNETES_TRUST_CERT=true).

Is that possible at this time and the customer and I simply missed a setting?

Comment 5 hgomes 2018-12-23 20:02:38 UTC
Any updates?

Comment 7 Kurt Stam 2019-01-14 20:59:36 UTC
Hi Eric,

Sorry, I guess I was hoping we'd get some feedback from the customer on whether setting KUBERNETES_TRUST_CERT=true does the trick. It'd be better to explicitly trust the server certificate on the client side, as the customer did on his Mac. So is the real answer here to figure out why this doesn't work on Windows?

--Kurt
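
The explicit client-side trust recommended in comment 7, done without writing to the JRE's own cacerts file: this is an added example, not part of the bug report or the Fuse project. It copies the stock cacerts, imports the custom CA into the copy and hands the copy to Maven through the standard JSSE properties. The alias `ocp-custom-ca` and all paths are hypothetical, and it assumes the plugin uses the JVM default trust store, as the customer's cacerts workaround indicates.

```shell
#!/bin/sh
# Added example: build a per-user trust store that holds the JVM's public CAs
# plus the cluster's custom CA, instead of editing the JRE's own cacerts file.
# The alias "ocp-custom-ca" and all paths are hypothetical names.

STOREPASS=changeit   # default password of the stock cacerts file

# Print the path of the cacerts file under a Java home.
# JDK 8 keeps it in jre/lib/security; a plain JRE and Java 9+ use lib/security.
find_cacerts() {
    for rel in jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Copy the stock cacerts and add the custom CA to the copy.
# $1 = Java home used by Maven, $2 = CA certificate (PEM), $3 = new trust store
build_truststore() {
    src=$(find_cacerts "$1") || { echo "no cacerts under $1" >&2; return 1; }
    # The stock file is often read-only; the copy must be writable for keytool.
    cp "$src" "$3" && chmod u+w "$3" || return 1
    keytool -importcert -noprompt -alias ocp-custom-ca \
        -file "$2" -keystore "$3" -storepass "$STOREPASS" || return 1
    # Confirm the entry landed; prints the alias and certificate fingerprint.
    keytool -list -alias ocp-custom-ca -keystore "$3" -storepass "$STOREPASS"
}

# JVM options that point Maven's JVM at the new trust store.
maven_trust_opts() {
    printf '%s %s\n' "-Djavax.net.ssl.trustStore=$1" \
        "-Djavax.net.ssl.trustStorePassword=$STOREPASS"
}

# Usage (paths are constructed examples):
#   build_truststore "$JAVA_HOME" ./ocp-custom-ca.crt "$HOME/.m2/ocp-truststore.jks"
#   MAVEN_OPTS=$(maven_trust_opts "$HOME/.m2/ocp-truststore.jks") mvn fabric8:deploy
```

Starting from a copy of cacerts keeps the public CAs that Maven needs for repository downloads, and certificate verification stays enabled, unlike with KUBERNETES_TRUST_CERT=true.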

Comment 8 Stephen Cuppett 2019-11-20 18:57:58 UTC
OCP 3.6-3.10 is no longer on full support [1]. Marking CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Target Release to the appropriate version where needed.

[1]: https://access.redhat.com/support/policy/updates/openshift

Comment 9 Stephen Cuppett 2019-11-20 19:00:12 UTC
OCP 3.6-3.10 is no longer on full support [1]. Marking CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Target Release to the appropriate version where needed.

[1]: https://access.redhat.com/support/policy/updates/openshift

