Bug 1901379 - tls: unknown certificate error from router
Summary: tls: unknown certificate error from router
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: oauth-apiserver
Version: 4.5
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.7.0
Assignee: Standa Laznicka
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-11-25 01:45 UTC by Seunghwan Jung
Modified: 2024-03-25 17:14 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-12-07 15:23:56 UTC
Target Upstream Version:
Embargoed:



Description Seunghwan Jung 2020-11-25 01:45:33 UTC
Description of problem:

TLS handshake from Router to OAuth is failing on OCP 4.5.

..
openshift-authentication/pods/oauth-openshift-854c86dfff-z4dz7/oauth-openshift/oauth-openshift/logs/current.log:2020-11-17T10:45:58.664527365+09:00 I1117 01:45:58.664471       1 log.go:172] http: TLS handshake error from 172.31.12.1:55708: remote error: tls: unknown certificate
openshift-authentication/pods/oauth-openshift-854c86dfff-z4dz7/oauth-openshift/oauth-openshift/logs/current.log:2020-11-17T10:45:58.666104198+09:00 I1117 01:45:58.666081       1 log.go:172] http: TLS handshake error from 172.31.12.1:55710: remote error: tls: unknown certificate
..

openshift-authentication/pods/oauth-openshift-854c86dfff-z4dz7/oauth-openshift/oauth-openshift/logs/current.log:2020-11-16T01:20:33.825110927+09:00 I1115 16:20:33.825089       1 log.go:172] http: TLS handshake error from 172.31.3.1:41454: remote error: tls: unknown certificate
openshift-authentication/pods/oauth-openshift-854c86dfff-z4dz7/oauth-openshift/oauth-openshift/logs/current.log:2020-11-16T01:20:37.180136872+09:00 I1115 16:20:37.180081       1 log.go:172] http: TLS handshake error from 172.31.3.1:41646: remote error: tls: unknown certificate
openshift-authentication/pods/oauth-openshift-854c86dfff-z4dz7/oauth-openshift/oauth-openshift/logs/current.log:2020-11-16T10:06:59.780621963+09:00 I1116 01:06:59.780563       1 log.go:172] http: TLS handshake error from 172.31.3.1:42900: remote error: tls: unknown certificate
openshift-authentication/pods/oauth-openshift-854c86dfff-z4dz7/oauth-openshift/oauth-openshift/logs/current.log:2020-11-16T10:06:59.811020819+09:00 I1116 01:06:59.810959       1 log.go:172] http: TLS handshake error from 172.31.3.1:42904: EOF
..
~~~~~~~~~~~~~~~~~~~~~

Version-Release number of selected component (if applicable):

172.31.3.1 and 172.31.12.1 are router IPs 

Here you can see 172.31.12.1 is tun0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
10: tun0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 56:f9:42:d7:35:ed brd ff:ff:ff:ff:ff:ff
    inet 172.31.12.1/25 brd 172.31.12.127 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::54f9:42ff:fed7:35ed/64 scope link
       valid_lft forever preferred_lft forever
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

** oc version
Client Version: 4.4.8
Server Version: 4.5.11
Kubernetes Version: v1.18.3+b0068a8


How reproducible:
Always

Steps to Reproduce:
unknown

Actual results:
There are certificate errors

Expected results:
There should not be certificate errors

Additional info:

Comment 7 Standa Laznicka 2020-11-30 10:20:26 UTC
They see those errors because they use an outdated client.

*** This bug has been marked as a duplicate of bug 1819688 ***

Comment 11 Standa Laznicka 2020-12-07 15:23:56 UTC
I was not able to reproduce the issue with the latest oc built from release-4.5 branch. Please make sure every workstation uses updated oc, that should make the issue go away.
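
Added example, not part of the original report or of OpenShift: a small triage script for handshake-error lines like those in the description, grouping them by source address and by which side failed the handshake. It relies on Go's crypto/tls convention that a "remote error: tls: ..." message reports an alert sent by the peer; the function names are hypothetical and the sample lines are constructed in the shape of the report's logs.

```python
import re
from collections import Counter

# Constructed sample in the shape of the report's log lines (must-gather path prefix trimmed).
SAMPLE = """\
2020-11-17T10:45:58.664527365+09:00 I1117 01:45:58.664471       1 log.go:172] http: TLS handshake error from 172.31.12.1:55708: remote error: tls: unknown certificate
2020-11-16T01:20:33.825110927+09:00 I1115 16:20:33.825089       1 log.go:172] http: TLS handshake error from 172.31.3.1:41454: remote error: tls: unknown certificate
2020-11-16T10:06:59.811020819+09:00 I1116 01:06:59.810959       1 log.go:172] http: TLS handshake error from 172.31.3.1:42904: EOF
2020-11-16T10:07:00.000000000+09:00 I1116 01:07:00.000000       1 log.go:172] unrelated line
"""

# Go's net/http logs "<host>:<port>: <reason>"; IPv6 hosts appear in brackets.
HANDSHAKE = re.compile(
    r"http: TLS handshake error from (?P<host>\[[^\]]+\]|[^:\s]+):(?P<port>\d+): (?P<reason>.+)$"
)
ALERT_PREFIX = "remote error: tls: "


def classify(reason):
    """Return (kind, detail) describing which side failed the handshake."""
    if reason.startswith(ALERT_PREFIX):
        # The peer sent a TLS alert: the client side rejected something,
        # e.g. it could not validate the certificate the server presented.
        return "peer_alert", reason[len(ALERT_PREFIX):]
    if reason == "EOF":
        # The connection was closed before the handshake completed.
        return "peer_closed", ""
    # Anything else was raised by the server's own TLS stack.
    return "local_error", reason


def summarize(log_text):
    """Count handshake failures per (source host, kind, detail)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = HANDSHAKE.search(line)
        if not match:
            continue  # not a handshake-error line
        kind, detail = classify(match.group("reason").strip())
        counts[(match.group("host"), kind, detail)] += 1
    return counts


if __name__ == "__main__":
    for (host, kind, detail), n in sorted(summarize(SAMPLE).items()):
        print(f"{n:4d}  {host:<15} {kind:<12} {detail}")
```

A summary dominated by `peer_alert` / `unknown certificate` points at the connecting client's trust configuration rather than at the oauth-openshift pod, and because the source addresses here are router IPs, the originating workstation has to be identified from the router side.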

