Bug 1833288 - Kibana OAuth HTTP 500 error - x509: certificate signed by unknown authority
Summary: Kibana OAuth HTTP 500 error - x509: certificate signed by unknown authority
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Logging
Version: 4.4
Hardware: All
OS: All
Target Milestone: ---
: 4.4.z
Assignee: Periklis Tsirakidis
QA Contact: Anping Li
: 1838770 (view as bug list)
Depends On: 1834311
TreeView+ depends on / blocked
Reported: 2020-05-08 10:33 UTC by rdomnu
Modified: 2023-12-15 17:51 UTC (History)
15 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Cluster-logging-operator did not reconcile the injected CA Bundle contents for fluentd. Same applies to elasticsearch-operator for kibana. Consequence: Fluentd and Kibana missing volume mounts to config maps with injected CA bundle Fix: Fetch anew the config map contents during reconciliation to ensure volume mounts. Result: Fluentd and Kibana mount the CA bundle config maps appropriately and certification works again
Clone Of:
Last Closed: 2020-07-07 10:05:59 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github openshift cluster-logging-operator pull 524 0 None closed Bug 1833288: Fix trusted ca bundle and hash reconciliation 2021-02-10 11:01:32 UTC
Red Hat Bugzilla 1702617 0 unspecified CLOSED oauthproxy HTTP 500 error when logging into Kibana - x509: certificate signed by unknown authority 2021-02-22 00:41:40 UTC
Red Hat Knowledge Base (Solution) 4896741 0 None None None 2020-05-26 15:22:35 UTC
Red Hat Knowledge Base (Solution) 5000761 0 None None None 2020-05-29 06:47:20 UTC
Red Hat Product Errata RHBA-2020:2445 0 None None None 2020-06-17 22:26:25 UTC

Description rdomnu 2020-05-08 10:33:09 UTC
Description of problem: Encountering https://bugzilla.redhat.com/show_bug.cgi?id= 1766187 in 4.4. The problem has already been fixed in 4.3

Version-Release number of selected component (if applicable): 4.4

Steps to Reproduce:
1. Install ClusterLogging with 4.4 subscription channel. CSV is clusterlogging.4.4.0-202004261927. The cluster is using a custom CA bundle.
2. Create ClusterLogging resource
3. Try to login to Kibana using Oauth

Actual results:
HTTP error 500

Logs Kibana Oauth proxy:
2020/05/08 07:15:26 oauthproxy.go:645: error redeeming code (client: Post https://oauth-openshift.apps.dx01.od.sdx.corp/oauth/token: x509: certificate signed by unknown authority
2020/05/08 07:15:26 oauthproxy.go:438: ErrorPage 500 Internal Error Internal Error

Expected results:
Login to Kibana succeeds.

Additional info:
Kibana CM trusted ca bundle is created

─➤  oc get cm kibana-trusted-ca-bundle
NAME                       DATA   AGE
kibana-trusted-ca-bundle   1      2m58s

However it is not mounted in Kibana deployment.

    - name: kibana
        secretName: kibana
        defaultMode: 420
    - name: kibana-proxy
        secretName: kibana-proxy
        defaultMode: 420
    - name: kibana-token-9pswp
        secretName: kibana-token-9pswp
        defaultMode: 420

Comment 1 rdomnu 2020-05-08 11:13:22 UTC
Just another comment:
After reverting to the Subscription/CSV version 4.3 and reinstalling cluster logging, the ca bundle configmap is mounted to Kibana deployment and authentication works

Comment 2 Periklis Tsirakidis 2020-05-26 15:22:35 UTC
*** Bug 1838770 has been marked as a duplicate of this bug. ***

Comment 6 Nicolas Nosenzo 2020-05-29 06:33:59 UTC
Manually mounting the volume should just work as a workaround: https://access.redhat.com/solutions/5000761

Comment 7 Anping Li 2020-06-02 11:56:29 UTC
verified on clusterlogging.4.4.0-202005301254

Comment 12 errata-xmlrpc 2020-06-17 22:26:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.