Created attachment 1667552 [details]
Description of problem:
When installing a signed, valid SSL server certificate for the ingress controller, and a custom CA for proxy/cluster, the OpenShift web console appears to accept the new valid certificate, but when I navigate to "Copy Login Command" or "Log Out" I'm getting a page of _Application is not available_ from _oauth-openshift_.
Refreshing the page does not change the outcome; however, if I refresh the page with cache override (Ctrl+F5 on most browsers), I do get the desired page.
This is a live cluster in Red Hat internal network:
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Browse to: https://console-openshift-console.apps.cnv.engineering.redhat.com
2. Get "Application is not available" page
3. Ctrl+F5 and OAuth page loads.
Getting "Application is not available" page for oauth-openshift
Getting the actual OAuth page
* the valid certificate was issued at:
* the certificate has been installed on the cluster by following these steps:
Note: This issue does not happen when using the default self-signed SSL certificate.
So what does the authentication operator report in its status and what are its logs?
authentication-operator pod logs:
authentication-operator pod status:
I guess some logs from the browser might be in order?
Can I request also the console-operator logs & status, as well as the console pod logs?
Is it worth asking if you have any unique caching situation?
Note that the oauth-server typically requires no caching in its HTTP responses (response header taken from hitting the /oauth/token/display endpoint):
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html; charset=UTF-8
X-Xss-Protection: 1; mode=block
Date: Thu, 05 Mar 2020 14:16:43 GMT
This issue is happening to anyone, not just me.
It happens on the Firefox browser since it recognizes the CA cert as valid, unlike Chrome, which brings up a warning message (and there the described issue in this BZ does not happen).
Ben, I made you a cluster-admin for this cluster so you can see it all for yourself.
Use "google" authentication.
cluster-reader*, not admin.
Ben, did you get the required information from the cluster for your diagnosis?
Created attachment 1668939 [details]
Created attachment 1668940 [details]
Created attachment 1668941 [details]
Created attachment 1668943 [details]
console pod 1 status
Created attachment 1668945 [details]
console pod 2 log
Created attachment 1668947 [details]
console pod 2 status
(In reply to bpeterse from comment #5)
> Can I request also the console-operator logs & status, as well as the
> console pod logs?
Please see attachments. Thanks.
After upgrading the cluster to 4.4.0-rc.8, the reported issue is not reproducing.
Therefore, closing this bug.