Bug 1670282 - Redux: The ca.crt created in pod by installer couldn't pass the SSL certificate verification
Keywords:
Status: CLOSED DUPLICATE of bug 1668534
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.1.0
Assignee: Erica von Buelow
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On: 1654558
Blocks: 1669368
Reported: 2019-01-29 07:17 UTC by Rich Megginson
Modified: 2019-03-12 17:11 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1654558
Environment:
Last Closed: 2019-03-12 17:11:14 UTC
Target Upstream Version:
Embargoed:



Comment 1 Rich Megginson 2019-01-29 07:20:02 UTC
    The latest installer has regressed to the previous behavior:

    oc extract -n openshift-logging secret/kibana-token-vllhs --to=.

    openssl x509 -in ca.crt -text|more

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 2227887177059511823 (0x1eeb0b956c47ae0f)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: OU = openshift, CN = root-ca
            Validity
                Not Before: Jan 28 10:17:01 2019 GMT
                Not After : Jan 25 10:17:02 2029 GMT
            Subject: OU = bootkube, CN = kube-ca

    The ca.crt contains only the intermediate cert and not the root CA.
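
Added example (not part of the original report or of any OpenShift code): it reproduces the behaviour described in comment 1 with a constructed root-ca -> kube-ca -> leaf chain, showing that `openssl verify` rejects a CA file holding only the intermediate and accepts one that also carries the root. It goes slightly beyond the report by also showing `-partial_chain`. Assumes OpenSSL 1.1.1 or later; the helper names, `api.example.test` and all file names are constructed.

```shell
#!/bin/sh
# Added example. All names, subjects and files are constructed for the demo.

# Build root-ca -> kube-ca (intermediate) -> leaf inside directory $1.
make_chain() {
  printf '[req]\ndistinguished_name=req\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' \
    > "$1/o.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/o.cnf" -extensions v3_ca \
    -subj '/OU=openshift/CN=root-ca' -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/o.cnf" \
    -subj '/OU=bootkube/CN=kube-ca' -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" -set_serial 2 \
    -days 2 -extfile "$1/o.cnf" -extensions v3_ca -out "$1/kube-ca.crt" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$1/o.cnf" \
    -subj '/CN=api.example.test' -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/kube-ca.crt" -CAkey "$1/int.key" \
    -set_serial 3 -days 2 -out "$1/leaf.crt" 2>/dev/null
  # kube-ca.crt mirrors what the secret held; full-ca.crt adds the root.
  cat "$1/kube-ca.crt" "$1/root.crt" > "$1/full-ca.crt"
}

# Exit 0 if leaf $2 verifies against CA file $1; extra openssl flags may follow.
verifies() {
  cafile=$1; leaf=$2; shift 2
  openssl verify "$@" -CAfile "$cafile" "$leaf" >/dev/null 2>&1
}

# Exit 0 if PEM bundle $1 contains a self-issued certificate (subject == issuer).
# This is a name comparison only; it does not check the signature.
has_root() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ {s=substr($0,9)} /^issuer=/ && substr($0,8)==s {f=1} END {exit !f}'
}

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  for ca in kube-ca.crt full-ca.crt; do
    has_root "$d/$ca" && r=yes || r=no
    verifies "$d/$ca" "$d/leaf.crt" && v=ok || v=FAIL
    echo "$ca: self-issued root in bundle=$r, openssl verify=$v"
  done
  # -partial_chain lets a non-self-signed cert in the CA file act as trust anchor.
  verifies "$d/kube-ca.crt" "$d/leaf.crt" -partial_chain && echo "kube-ca.crt -partial_chain: ok"
  rm -rf "$d"
}
demo
```

Running `has_root` against a `ca.crt` extracted from a service account secret gives a quick check for this condition before any TLS client fails on it.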

Comment 2 Alex Crawford 2019-01-29 20:29:16 UTC
Like #1654558, this doesn't seem like an installer issue. Whoever is creating that secret needs to include the root CA. I'm assigning this to the Logging component to dig in further.

Comment 3 Rich Megginson 2019-01-29 21:05:52 UTC
(In reply to Alex Crawford from comment #2)
> Like #1654558, this doesn't seem like an installer issue. Whoever is
> creating that secret needs to include the root CA. I'm assigning this to the
> Logging component to dig in further.

Logging doesn't create the secret either - let's try the Security team.

Comment 5 Rich Megginson 2019-03-12 17:00:57 UTC
I'm reassigning this to the Auth team, but I don't really know which is the team that generates and distributes certs for the cluster, and should be aware of the openssl issue.

Comment 6 Standa Laznicka 2019-03-12 17:11:14 UTC
Looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1668534, reopen if it's still an issue, but I doubt that.

*** This bug has been marked as a duplicate of bug 1668534 ***

