Created attachment 1667552 [details] screenshot Description of problem: When installing a signed, valid SSL server certificate for ingress controller, and a custom CA for proxy/cluster, the Openshift web console appears to accept the new valid certificate, but when I navigate to "Copy Login Command" or "Log Out" I'm getting a page of _Application is not available_ from _oauth-openshift_. Refreshing the page does not change the outcome, however if I refresh the page with cache override (Ctrl+F5 on most browser), I do get the desired page. This is a live cluster in Red Hat internal network: https://console-openshift-console.apps.cnv.engineering.redhat.com/ Version-Release number of selected component (if applicable): 4.4.0-0.nightly-2020-02-28-200834 How reproducible: 100% Steps to Reproduce: 1. Browse to: https://console-openshift-console.apps.cnv.engineering.redhat.com 2. Get "Application is not available page" 3. Ctrl+F5 and oath page loads. Actual results: Getting "Application is not available" page for oauth-openshift Expected results: Getting the actual OAuth page Additional info: * the valid certificate was issued at: https://ca02.pki.prod.int.phx2.redhat.com:8443/ca/ee/ca/displayBySerial?serialNumber=268374330 * the certificate has been installed on the cluster by following these steps: https://docs.openshift.com/container-platform/4.3/authentication/certificates/replacing-default-ingress-certificate.html
Note: This issue does not happen when using the default self-signed SSL certificate.
So what does the authentication operator report in its status and what are its logs?
authentication-operator pod logs: http://pastebin.test.redhat.com/842185 authentication-operator pod status: http://pastebin.test.redhat.com/842187
Interesting, it seems that the oauth-server is there and available. I am going to move this back to the console, I do not know how the connections from console to the oauth-server are handled, or what JavaScript does under the hood. I guess some logs from the browser might be in order?
Can I request also the console-operator logs & status, as well as the console pod logs?
Is it worth asking if you have any unique caching situation?
Note that the oauth-server typically requires no caching in its HTTP responses (response header taken from hitting the /oauth/token/display endpoint): ``` HTTP/1.1 200 OK Cache-Control: no-cache, no-store, max-age=0, must-revalidate Content-Type: text/html; charset=UTF-8 Expires: 0 Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin X-Content-Type-Options: nosniff X-Dns-Prefetch-Control: off X-Frame-Options: DENY X-Xss-Protection: 1; mode=block Date: Thu, 05 Mar 2020 14:16:43 GMT Content-Length: 1175 ```
This issue is happening to anyone, not just me. It happens on firefox browser since it recognizes the CA Cert as valid, unlike chrome which brings up a warning message (and there the described issue in this BZ does not happen). Ben, I made you a cluster-admin for this cluster so you can see all by yourself. Use "google" authentication.
cluster-reader*, not admin.
Ben, did you get the required information from the cluster for your diagnosis?
Created attachment 1668939 [details] console-operator-pod-log
Created attachment 1668940 [details] console-operator-pod-status
Created attachment 1668941 [details] console-pod-1 log
Created attachment 1668943 [details] console pod 1 status
Created attachment 1668945 [details] console pod 2 log
Created attachment 1668947 [details] console pod 2 status
(In reply to bpeterse from comment #5) > Can I request also the console-operator logs & status, as well as the > console pod logs? Please see attachments. Thanks.
After upgrading the cluster to 4.4.0-rc.8, the reported issue is not reproducing. Therefore, closing this bug.