Bug 1885343 - Console doesn't load in iOS Safari when using self-signed certificates
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.6
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Rastislav Wagner
QA Contact: Yadan Pei
URL:
Whiteboard:
Depends On:
Blocks: 1885442
 
Reported: 2020-10-05 16:31 UTC by Samuel Padgett
Modified: 2021-02-24 15:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: iOS does not support connecting via secured WebSocket with a self-signed certificate.
Consequence: Console shows a white screen.
Fix: If the wss connection is not successful, fall back to https.
Result: Console loads properly.
Clone Of:
Environment:
Version: 4.6.0-0.nightly-2020-10-03-051134
Cluster ID: c7f3e0ae-f822-422d-bb6c-8ccb9b2cb318
Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0) Gecko/20100101 Firefox/81.0
Last Closed: 2021-02-24 15:23:10 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift console pull 6778 | 0 | None | closed | Bug 1885343: Fallback to GQL HTTP on iOS devices | 2020-12-17 06:19:22 UTC
Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:23:51 UTC

Description Samuel Padgett 2020-10-05 16:31:58 UTC
If iOS Safari does not trust the console certificate, it blocks WebSockets. This causes console to only show a white screen since we rely on WebSockets for API discovery using GraphQL.
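
The failure mode described above, and the fallback named in the Doc Text, sketched as an added example (not code from openshift/console): a GraphQL transport that prefers a WebSocket and switches to HTTPS POST when the socket never opens. The function name, option names and payload shape are hypothetical; WebSocketImpl and fetchImpl are injected so the logic can be exercised outside a browser.

```javascript
// Added example; createTransport and its options are hypothetical names.
function createTransport({ wsUrl, httpUrl, WebSocketImpl, fetchImpl, timeoutMs = 5000 }) {
  const t = { mode: 'connecting', reason: null, pending: [] };
  let socket = null;
  let timer = null;

  // One GraphQL request as a plain HTTPS POST to the same backend.
  const postHttp = (payload) =>
    fetchImpl(httpUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify(payload),
    });

  // Decide once: switch to HTTP and replay whatever was queued meanwhile.
  // This keeps the page usable; it does not make the certificate trusted.
  const fallBack = (reason) => {
    if (t.mode !== 'connecting') return; // a decision was already made
    clearTimeout(timer);
    t.mode = 'http';
    t.reason = reason;
    t.pending.splice(0).forEach((p) => postHttp(p));
  };

  try {
    socket = new WebSocketImpl(wsUrl);
    socket.onopen = () => {
      if (t.mode !== 'connecting') return;
      clearTimeout(timer);
      t.mode = 'ws';
      t.pending.splice(0).forEach((p) => socket.send(JSON.stringify(p)));
    };
    // A blocked TLS handshake surfaces only as a generic error/close event,
    // so any failure before 'open' is treated as "WebSocket unavailable".
    socket.onerror = () => fallBack('socket error');
    socket.onclose = () => fallBack('closed before open');
    timer = setTimeout(() => fallBack('timeout'), timeoutMs);
  } catch (e) {
    fallBack('constructor threw');
  }

  // Requests issued before the decision are queued, never dropped.
  t.send = (payload) => {
    if (t.mode === 'ws') socket.send(JSON.stringify(payload));
    else if (t.mode === 'http') postHttp(payload);
    else t.pending.push(payload);
  };
  return t;
}
```

Logging t.reason when the mode becomes 'http' gives operators a signal that clients are reaching the console without trusting its certificate.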

Comment 2 Yadan Pei 2020-10-13 03:17:48 UTC
=== Below are steps checked against 4.7.0-0.ci-2020-10-12-222453

1. Add self-signed certificate using below steps

Part I: Set a custom default certificate for ingress
1. Create a Secret resource containing the custom certificate in the openshift-ingress namespace using the generated apps.crt and apps.key files in Setup (refer to steps in Setup)
$ oc --namespace openshift-ingress create secret tls custom-certs-default --cert=/path/to/self-signed/apps.crt --key=/path/to/self-signed/apps.key
secret/custom-certs-default created
2. Update the IngressController CR to reference the new certificate secret:
$ oc patch --type=merge --namespace openshift-ingress-operator ingresscontrollers/default   --patch '{"spec":{"defaultCertificate":{"name":"custom-certs-default"}}}'
ingresscontroller.operator.openshift.io/default patched
3. Verify the update was effective:
$ oc get --namespace openshift-ingress-operator ingresscontrollers/default --output jsonpath='{.spec.defaultCertificate}'

Part II: Add your privately signed CA certificates as trustedCA
4. Create a ConfigMap with root CA pem
$ oc create configmap user-ca-bundle --from-file=ca-bundle.crt=/path/to/ca.pem -n openshift-config
5. Edit Proxy project spec.trustedCA to include your privately signed CA certificates
$ oc edit proxy cluster
.....
spec:
  trustedCA:
    name: user-ca-bundle
Part III: Wait until all ingress, console pods are restarted
Part IV: Verify new console is working correctly, I can verify that new console is using self-signed certificate by viewing certificate info in browser address bar with Chrome/FF/MacOS Safari

2. Then visit console route on iOS Safari, didn't trust the certificate and a blank page is returned
A dialog will be prompted:
Cannot Verify Server Identity
The identity of "console-openshift-console.apps.qe-xxxx.qe.devcluster.openshift.com" cannot be verified by Safari. Review the certificate details to continue

Click 'Continue' (didn't view Details and Trust), then a blank page is returned



Then I tried to visit a 46 cluster with default signing certificate, also didn't trust the certificate, a blank page is returned



@Rastislav Wagner

Could you help confirm my verification steps and let me know if there is anything wrong.

Comment 3 Rastislav Wagner 2020-10-20 07:30:58 UTC
Maybe the CI build does not contain the fix yet?
Your steps look good to me.

I went with this guide https://github.com/openshift/console#deploying-a-custom-image-to-an-openshift-cluster - deployed my own custom image based on latest master and iOS worked.

Comment 4 Yadan Pei 2020-10-21 09:46:15 UTC
Moving to VERIFIED since iPhone6, 11 and iPad 6 work after following steps in comment 2 to specify custom certificate

Verified on 4.7.0-0.nightly-2020-10-21-001511

Comment 7 errata-xmlrpc 2021-02-24 15:23:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

