The latest installer has regressed to the previous behavior: oc extract -n openshift-logging secret/kibana-token-vllhs --to=. openssl x509 -in ca.crt -text|more Certificate: Data: Version: 3 (0x2) Serial Number: 2227887177059511823 (0x1eeb0b956c47ae0f) Signature Algorithm: sha256WithRSAEncryption Issuer: OU = openshift, CN = root-ca Validity Not Before: Jan 28 10:17:01 2019 GMT Not After : Jan 25 10:17:02 2029 GMT Subject: OU = bootkube, CN = kube-ca The ca.crt contains only the intermediate cert and not the root CA.
Like #1654558, this doesn't seem like an installer issue. Whoever is creating that secret needs to include the root CA. I'm assigning this to the Logging component to dig in further.
(In reply to Alex Crawford from comment #2) > Like #1654558, this doesn't seem like an installer issue. Whoever is > creating that secret needs to include the root CA. I'm assigning this to the > Logging component to dig in further. Logging doesn't create the secret either - let's try the Security team.
I'm reassigning this to the Auth team, but I don't really know which is the team that generates and distributes certs for the cluster, and should be aware of the openssl issue
Looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1668534, reopen if it's still an issue, but I doubt that. *** This bug has been marked as a duplicate of bug 1668534 ***