Bug 1815209 - OCP4.3 - TLS handshake error from <ip>:<port>: remote error: tls: bad certificate
Summary: OCP4.3 - TLS handshake error from <ip>:<port>: remote error: tls: bad certifi...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.3.z
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Standa Laznicka
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-19 19:03 UTC by clement.bisso
Modified: 2020-03-24 08:29 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-24 08:29:33 UTC
Target Upstream Version:
Embargoed:


Attachments
oc_login_logs_commands (16.57 KB, text/plain)
2020-03-23 09:31 UTC, clement.bisso

Description clement.bisso 2020-03-19 19:03:18 UTC
Description of problem:

Could not authenticate to my Active Directory.


Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
1. Deploy fresh 4.3 cluster
2. Follow documentation to bind authentication to Ldap https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-ldap-identity-provider.html
3. Try to log in

Actual results:

Client side:
$ oc login -u test
error: x509: certificate signed by unknown authority

Server side:
oc logs -f oauth-openshift-xxxxxxxxxxxxx -n openshift-authentication
http: TLS handshake error from <ip>:<port>: remote error: tls: bad certificate

Expected results:

Authentication succeeded


Here is my configuration:

apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
  - name: ldapidp
    login: true
    mappingMethod: claim
    type: LDAP
    ldap:
      attributes:
        id:
        - cn
        name:
        - cn
      bindDN: "mybinddn"
      bindPassword:
        name: ldap-secret
      insecure: true
      url: "ldap://<active_directory>/dc=test,dc=testroot?uid"

Comment 1 clement.bisso 2020-03-20 11:19:46 UTC
I redeployed an LDAP configuration and I have this issue only from my CLI client.

When I try it from the web console, it works.

But when I set "--insecure-skip-tls-verify=true", I get the certificate error from the CLI.

oc login --insecure-skip-tls-verify=true

When I use --certificate-authority='' with a custom CA, the authentication succeeds.

Could you help me with what I must be missing with the insecure option?

Regards,
Clement.

Comment 2 Standa Laznicka 2020-03-23 09:18:58 UTC
Moving to correct component, no oauth-apiserver existed in 4.3 (just the oauth-server).

The most likely cause would be that your system does not trust the cluster router certificate and you have configured an exception in your browser.

Can you share the full logs of `oc login --loglevel 10`?

Comment 3 clement.bisso 2020-03-23 09:30:22 UTC
Hello,

Thank you for your help and your time.

Here are the full logs of the requested command; I also attached more commands in case you need them.

I didn't specify it, but I ran those commands on Red Hat Enterprise Linux CoreOS release 4.3 (from the bootstrap instance in an OpenStack).

[core@rhoc-4-3-rlf2c-bootstrap ~]$ oc login --loglevel 10
I0323 09:26:07.403542   26556 loader.go:375] Config loaded from file:  kubeconfig
I0323 09:26:07.403886   26556 round_trippers.go:423] curl -k -v -XHEAD  'https://api.XXXXXXXXXXXXXXXXXX:6443/'
I0323 09:26:07.410282   26556 round_trippers.go:443] HEAD https://api.XXXXXXXXXXXXXXXXXX:6443/ 403 Forbidden in 6 milliseconds
I0323 09:26:07.410292   26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.410299   26556 round_trippers.go:452]     X-Content-Type-Options: nosniff
I0323 09:26:07.410303   26556 round_trippers.go:452]     Content-Length: 186
I0323 09:26:07.410306   26556 round_trippers.go:452]     Date: Mon, 23 Mar 2020 09:26:15 GMT
I0323 09:26:07.410309   26556 round_trippers.go:452]     Audit-Id: f051d7f3-61d5-4b5f-8b96-ee136a512653
I0323 09:26:07.410313   26556 round_trippers.go:452]     Cache-Control: no-cache, private
I0323 09:26:07.410316   26556 round_trippers.go:452]     Content-Type: application/json
I0323 09:26:07.410323   26556 request_token.go:86] GSSAPI Enabled
I0323 09:26:07.410344   26556 round_trippers.go:423] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://api.XXXXXXXXXXXXXXXXXX:6443/.well-known/oauth-authorization-server'
I0323 09:26:07.411129   26556 round_trippers.go:443] GET https://api.XXXXXXXXXXXXXXXXXX:6443/.well-known/oauth-authorization-server 200 OK in 0 milliseconds
I0323 09:26:07.411140   26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.411143   26556 round_trippers.go:452]     Audit-Id: d6f0ee3d-46b5-44b4-91ca-96df42acbd27
I0323 09:26:07.411149   26556 round_trippers.go:452]     Cache-Control: no-cache, private
I0323 09:26:07.411154   26556 round_trippers.go:452]     Content-Type: application/json
I0323 09:26:07.411158   26556 round_trippers.go:452]     Content-Length: 603
I0323 09:26:07.411163   26556 round_trippers.go:452]     Date: Mon, 23 Mar 2020 09:26:15 GMT
I0323 09:26:07.411222   26556 round_trippers.go:423] curl -k -v -XHEAD  'https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX'
I0323 09:26:07.437370   26556 round_trippers.go:443] HEAD https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX  in 26 milliseconds
I0323 09:26:07.437391   26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.437396   26556 request_token.go:438] falling back to kubeconfig CA due to possible x509 error: x509: certificate signed by unknown authority
I0323 09:26:07.437432   26556 round_trippers.go:423] curl -k -v -XGET  -H "X-Csrf-Token: 1" 'https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX/oauth/authorize?client_id=openshift-challenging-client&code_challenge=5N97hQ3rV9M0r4OwuoN-1r4jTVT1BmWdwu4q5vmvZWE&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.XXXXXXXXXXXXXXXXXX%2Foauth%2Ftoken%2Fimplicit&response_type=code'
I0323 09:26:07.442572   26556 round_trippers.go:443] GET https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX/oauth/authorize?client_id=openshift-challenging-client&code_challenge=5N97hQ3rV9M0r4OwuoN-1r4jTVT1BmWdwu4q5vmvZWE&code_challenge_method=S256&redirect_uri=https%3A%2F%2Foauth-openshift.apps.XXXXXXXXXXXXXXXXXX%2Foauth%2Ftoken%2Fimplicit&response_type=code  in 5 milliseconds
I0323 09:26:07.442587   26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.442866   26556 round_trippers.go:423] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: oc/v0.0.0 (linux/amd64) kubernetes/$Format" 'https://api.XXXXXXXXXXXXXXXXXX:6443/api/v1/namespaces/openshift/configmaps/motd'
I0323 09:26:07.444246   26556 round_trippers.go:443] GET https://api.XXXXXXXXXXXXXXXXXX:6443/api/v1/namespaces/openshift/configmaps/motd 403 Forbidden in 1 milliseconds
I0323 09:26:07.444258   26556 round_trippers.go:449] Response Headers:
I0323 09:26:07.444266   26556 round_trippers.go:452]     Audit-Id: c618b654-309e-4dfb-add1-b7d4a579c5e1
I0323 09:26:07.444273   26556 round_trippers.go:452]     Cache-Control: no-cache, private
I0323 09:26:07.444278   26556 round_trippers.go:452]     Content-Type: application/json
I0323 09:26:07.444284   26556 round_trippers.go:452]     X-Content-Type-Options: nosniff
I0323 09:26:07.444289   26556 round_trippers.go:452]     Content-Length: 303
I0323 09:26:07.444292   26556 round_trippers.go:452]     Date: Mon, 23 Mar 2020 09:26:15 GMT
I0323 09:26:07.444309   26556 request.go:968] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"configmaps \"motd\" is forbidden: User \"system:anonymous\" cannot get resource \"configmaps\" in API group \"\" in the namespace \"openshift\"","reason":"Forbidden","details":{"name":"motd","kind":"configmaps"},"code":403}
F0323 09:26:07.444689   26556 helpers.go:114] error: x509: certificate signed by unknown authority

Comment 4 clement.bisso 2020-03-23 09:31:55 UTC
Created attachment 1672591
oc_login_logs_commands

More logs that might be needed

Comment 5 Standa Laznicka 2020-03-23 10:29:04 UTC
I don't think the bootstrap instance really trusts the routes.

Please, if you want to log in to your cluster as a user of the configured identity providers, do not do that from the nodes, but instead either use the kubeconfig provided by the installer, or log in from a system that is configured to trust the certificates issued by the cluster's router CA.
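As an added diagnostic (not part of the bug report or of OpenShift itself), the following Python parses the `oc login --loglevel 10` output from comment 3: a request that is logged without an HTTP status code, followed by the x509 error, identifies which endpoint's certificate chain the client did not trust. The sample lines are constructed from that log (abridged), and the router-CA explanation follows comment 5.

```python
import re

# Constructed sample, abridged from the `oc login --loglevel 10` output in
# comment 3 above (same hostnames; the /oauth/authorize query string is shortened).
SAMPLE_LOG = """\
I0323 09:26:07.411129   26556 round_trippers.go:443] GET https://api.XXXXXXXXXXXXXXXXXX:6443/.well-known/oauth-authorization-server 200 OK in 0 milliseconds
I0323 09:26:07.437370   26556 round_trippers.go:443] HEAD https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX  in 26 milliseconds
I0323 09:26:07.437396   26556 request_token.go:438] falling back to kubeconfig CA due to possible x509 error: x509: certificate signed by unknown authority
I0323 09:26:07.442572   26556 round_trippers.go:443] GET https://oauth-openshift.apps.XXXXXXXXXXXXXXXXXX/oauth/authorize?client_id=openshift-challenging-client  in 5 milliseconds
F0323 09:26:07.444689   26556 helpers.go:114] error: x509: certificate signed by unknown authority
"""

# A completed request is logged as "<METHOD> <url> <status> <reason> in N milliseconds";
# one that failed before any HTTP response (here: in the TLS handshake) has no status.
RESP_RE = re.compile(
    r"round_trippers\.go:\d+\] (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?:(?P<status>\d{3}) .*?)? ?in \d+ milliseconds"
)
HOST_RE = re.compile(r"https?://([^/:]+)")
X509_MSG = "x509: certificate signed by unknown authority"


def failed_tls_hosts(log):
    """Return the hosts whose requests ended with no HTTP status while the
    x509 error is present: the endpoints whose certificate chain the client
    did not trust (order preserved, duplicates dropped)."""
    if X509_MSG not in log:
        return []
    hosts = []
    for line in log.splitlines():
        m = RESP_RE.search(line)
        if m and m.group("status") is None:
            host = HOST_RE.match(m.group("url")).group(1)
            if host not in hosts:
                hosts.append(host)
    return hosts


def explain(host):
    """Map the untrusted endpoint to the CA the client has to trust."""
    if host.startswith("oauth-openshift.apps."):
        return ("OAuth server route: served by the ingress router, so its certificate "
                "chains to the router CA, not to the API server CA in kubeconfig")
    if host.startswith("api."):
        return "API server: the CA in kubeconfig does not match the API server certificate"
    return "unclassified endpoint"
```

On the sample it reports only the oauth-openshift.apps route as untrusted while the api endpoint answered 200 OK, which is why the kubeconfig CA fallback did not help and a --certificate-authority pointing at the router CA did.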

Comment 6 clement.bisso 2020-03-24 08:29:33 UTC
Ok thank you for your help, I will close this case.

