Bug 1670282
| Summary: | Redux: The ca.crt created in pod by installer couldn't pass the SSL certificate verification | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Rich Megginson <rmeggins> |
| Component: | apiserver-auth | Assignee: | Erica von Buelow <evb> |
| Status: | CLOSED DUPLICATE | QA Contact: | Chuan Yu <chuyu> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.1.0 | CC: | aos-bugs, eparis, jialiu, jokerman, mmccomas, rmeggins, slaznick, xtian |
| Target Milestone: | --- | ||
| Target Release: | 4.1.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1654558 | Environment: | |
| Last Closed: | 2019-03-12 17:11:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1654558 | ||
| Bug Blocks: | 1669368 | ||
Like #1654558, this doesn't seem like an installer issue. Whoever is creating that secret needs to include the root CA. I'm assigning this to the Logging component to dig in further.

(In reply to Alex Crawford from comment #2)
> Like #1654558, this doesn't seem like an installer issue. Whoever is
> creating that secret needs to include the root CA. I'm assigning this to the
> Logging component to dig in further.

Logging doesn't create the secret either - let's try the Security team.

I'm reassigning this to the Auth team, but I don't really know which is the team that generates and distributes certs for the cluster, and should be aware of the openssl issue.

Looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1668534, reopen if it's still an issue, but I doubt that.

*** This bug has been marked as a duplicate of bug 1668534 ***
The latest installer has regressed to the previous behavior:

```
oc extract -n openshift-logging secret/kibana-token-vllhs --to=.
openssl x509 -in ca.crt -text|more
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2227887177059511823 (0x1eeb0b956c47ae0f)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: OU = openshift, CN = root-ca
        Validity
            Not Before: Jan 28 10:17:01 2019 GMT
            Not After : Jan 25 10:17:02 2029 GMT
        Subject: OU = bootkube, CN = kube-ca
```

The ca.crt contains only the intermediate cert and not the root CA.
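
A check for the condition reported here, as an added example that is not part of the bug report: it lists each certificate in a PEM bundle and names any issuer that is absent from it. The function names and the `make_demo_chain` helper (which generates a throwaway chain reusing the report's subject names) are assumptions; only `openssl` and `awk` are used.

```shell
#!/bin/sh
# Added example: inspect a PEM CA bundle such as the ca.crt extracted above.
# Function names are made up for this example; only openssl and awk are used.

# Print one line per certificate: kind <TAB> subject <TAB> issuer.
# "self-issued" means subject == issuer (a name comparison only; the
# signature is not checked here).
bundle_certs() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk '
            /^subject=/ { s = $0; sub(/^subject= */, "", s) }
            /^issuer=/  { i = $0; sub(/^issuer= */, "", i)
                          kind = (s == i) ? "self-issued" : "issued-by-other"
                          printf "%s\t%s\t%s\n", kind, s, i }'
}

# Succeed only if the bundle holds at least one self-issued (root) cert.
bundle_has_root() {
    bundle_certs "$1" | grep -q '^self-issued'
}

# Print every issuer name that has no matching subject in the bundle,
# i.e. the CA certificates that still need to be added.
bundle_missing_issuers() {
    bundle_certs "$1" | awk -F'\t' '
        { subj[$2] = 1; iss[$3] = 1 }
        END { for (n in iss) if (!(n in subj)) print n }'
}

# Build a constructed two-level chain in directory $1, reusing the names
# from the report: root.crt (root-ca) and int.crt (kube-ca).
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/OU=openshift/CN=root-ca" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/OU=bootkube/CN=kube-ca" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/int.csr" \
        -CA "$1/root.crt" -CAkey "$1/root.key" -CAcreateserial \
        -out "$1/int.crt" 2>/dev/null
}
```

Run against a bundle that holds only the kube-ca certificate, `bundle_missing_issuers` prints the root-ca issuer name and `bundle_has_root` fails.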