Bug 1810192 - "Application is not available" intermittently when using a valid SSL certificate
Summary: "Application is not available" intermittently when using a valid SSL certificate
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.4
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.5.0
Assignee: bpeterse
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-03-04 16:56 UTC by Oren Cohen
Modified: 2020-04-27 11:04 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-27 11:04:38 UTC
Target Upstream Version:


Attachments (Terms of Use)
screenshot (41.92 KB, image/png)
2020-03-04 16:56 UTC, Oren Cohen
no flags Details
console-operator-pod-log (159.13 KB, text/plain)
2020-03-10 11:52 UTC, Oren Cohen
no flags Details
console-operator-pod-status (5.62 KB, text/plain)
2020-03-10 11:53 UTC, Oren Cohen
no flags Details
console-pod-1 log (98.19 KB, text/plain)
2020-03-10 11:54 UTC, Oren Cohen
no flags Details
console pod 1 status (4.83 KB, text/plain)
2020-03-10 11:54 UTC, Oren Cohen
no flags Details
console pod 2 log (93.58 KB, text/plain)
2020-03-10 11:55 UTC, Oren Cohen
no flags Details
console pod 2 status (4.83 KB, text/plain)
2020-03-10 11:56 UTC, Oren Cohen
no flags Details

Description Oren Cohen 2020-03-04 16:56:32 UTC
Created attachment 1667552 [details]
screenshot

Description of problem:

When installing a signed, valid SSL server certificate for ingress controller, and a custom CA for proxy/cluster, the Openshift web console appears to accept the new valid certificate, but when I navigate to "Copy Login Command" or "Log Out" I'm getting a page of _Application is not available_ from _oauth-openshift_.
Refreshing the page does not change the outcome, however if I refresh the page with cache override (Ctrl+F5 on most browser), I do get the desired page.

This is a live cluster in Red Hat internal network:
https://console-openshift-console.apps.cnv.engineering.redhat.com/

Version-Release number of selected component (if applicable):
4.4.0-0.nightly-2020-02-28-200834


How reproducible:
100%


Steps to Reproduce:
1. Browse to: https://console-openshift-console.apps.cnv.engineering.redhat.com
2. Get "Application is not available page"
3. Ctrl+F5 and oath page loads.

Actual results:
Getting "Application is not available" page for oauth-openshift

Expected results:
Getting the actual OAuth page

Additional info:
* the valid certificate was issued at:
https://ca02.pki.prod.int.phx2.redhat.com:8443/ca/ee/ca/displayBySerial?serialNumber=268374330
* the certificate has been installed on the cluster by following these steps:
https://docs.openshift.com/container-platform/4.3/authentication/certificates/replacing-default-ingress-certificate.html

Comment 1 Oren Cohen 2020-03-04 17:00:53 UTC
Note: This issue does not happen when using the default self-signed SSL certificate.

Comment 2 Standa Laznicka 2020-03-05 08:10:44 UTC
So what does the authentication operator report in its status and what are its logs?

Comment 3 Oren Cohen 2020-03-05 11:01:23 UTC
authentication-operator pod logs:
http://pastebin.test.redhat.com/842185

authentication-operator pod status:
http://pastebin.test.redhat.com/842187

Comment 4 Standa Laznicka 2020-03-05 13:35:03 UTC
Interesting, it seems that the oauth-server is there and available. I am going to move this back to the console, I do not know how the connections from console to the oauth-server are handled, or what JavaScript does under the hood.

I guess some logs from the browser might be in order?

Comment 5 bpeterse 2020-03-05 13:46:29 UTC
Can I request also the console-operator logs & status, as well as the console pod logs?

Comment 6 bpeterse 2020-03-05 14:12:52 UTC
Is it worth asking if you have any unique caching situation?

Comment 7 Standa Laznicka 2020-03-05 14:19:51 UTC
Note that the oauth-server typically requires no caching in its HTTP responses (response header taken from hitting the /oauth/token/display endpoint):

```
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Type: text/html; charset=UTF-8
Expires: 0
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Dns-Prefetch-Control: off
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Date: Thu, 05 Mar 2020 14:16:43 GMT
Content-Length: 1175
```

Comment 8 Oren Cohen 2020-03-05 14:22:04 UTC
This issue is happening to anyone, not just me.
It happens on firefox browser since it recognizes the CA Cert as valid, unlike chrome which brings up a warning message (and there the described issue in this BZ does not happen).
Ben, I made you a cluster-admin for this cluster so you can see all by yourself.
Use "google" authentication.

Comment 9 Oren Cohen 2020-03-05 14:23:21 UTC
cluster-reader*, not admin.

Comment 10 Oren Cohen 2020-03-10 11:30:04 UTC
Ben, did you get the required information from the cluster for your diagnosis?

Comment 11 Oren Cohen 2020-03-10 11:52:36 UTC
Created attachment 1668939 [details]
console-operator-pod-log

Comment 12 Oren Cohen 2020-03-10 11:53:21 UTC
Created attachment 1668940 [details]
console-operator-pod-status

Comment 13 Oren Cohen 2020-03-10 11:54:07 UTC
Created attachment 1668941 [details]
console-pod-1 log

Comment 14 Oren Cohen 2020-03-10 11:54:41 UTC
Created attachment 1668943 [details]
console pod 1 status

Comment 15 Oren Cohen 2020-03-10 11:55:18 UTC
Created attachment 1668945 [details]
console pod 2 log

Comment 16 Oren Cohen 2020-03-10 11:56:03 UTC
Created attachment 1668947 [details]
console pod 2 status

Comment 17 Oren Cohen 2020-03-10 11:57:43 UTC
(In reply to bpeterse from comment #5)
> Can I request also the console-operator logs & status, as well as the
> console pod logs?

Please see attachments. Thanks.

Comment 19 Oren Cohen 2020-04-27 11:04:38 UTC
After upgrading the cluster to 4.4.0-rc.8, the reported issue is not reproducing.
Therefore, closing this bug.


Note You need to log in before you can comment on or make changes to this bug.