Bug 2003718 - Unknown authority Certificate message after configuring custom non-wildcard oauth routes with servingCertKeyPairSecret TLS cert
Keywords:
Status: CLOSED DUPLICATE of bug 1989055
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Standa Laznicka
QA Contact: liyao
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-09-13 14:09 UTC by Sanket N
Modified: 2021-09-13 14:46 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-13 14:46:33 UTC
Target Upstream Version:
Embargoed:



Description Sanket N 2021-09-13 14:09:24 UTC
Description of problem:

Configuring a custom oauth route with a self-signed servingCertKeyPairSecret works as expected, but the console CO is stuck on the message "x509: certificate signed by unknown authority."


~~~
$ oc login -u user -p pass --certificate-authority=ca.pem
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): y

Login successful.

You have access to 66 projects, the list has been suppressed. You can list all projects with 'oc projects'

Using project "openshift-config-managed".

------------------------------


$ oc get co
NAME                                       VERSION      AVAILABLE   PROGRESSING   DEGRADED   SINCE   MESSAGE
authentication                             4.9.0-fc.1   True        False         False      15m     
baremetal                                  4.9.0-fc.1   True        False         False      6d20h   
cloud-controller-manager                   4.9.0-fc.1   True        False         False      6d20h   
cloud-credential                           4.9.0-fc.1   True        False         False      6d20h   
cluster-autoscaler                         4.9.0-fc.1   True        False         False      6d20h   
config-operator                            4.9.0-fc.1   True        False         False      6d20h   
console                                    4.9.0-fc.1   False       False         False      16m     RouteHealthAvailable: failed to GET route (https://console-openshift-console.apps.sankz.ocphack.com): Get "https://console-openshift-console.apps.sankz.xyz.com": x509: certificate signed by unknown authority
csi-snapshot-controller                    4.9.0-fc.1   True        False         False      6d20h   
dns                                        4.9.0-fc.1   True        False         False      6d20h   
etcd                                       4.9.0-fc.1   True        False         False      6d20h   
image-registry                             4.9.0-fc.1   True        False         False      6d20h   
ingress                                    4.9.0-fc.1   True        False         False      6d20h   
insights                                   4.9.0-fc.1   True        False         False      6d20h   
kube-apiserver                             4.9.0-fc.1   True        False         False      6d20h   
kube-controller-manager                    4.9.0-fc.1   True        False         False      6d20h   
kube-scheduler                             4.9.0-fc.1   True        False         False      6d20h   
kube-storage-version-migrator              4.9.0-fc.1   True        False         False      6d20h   
machine-api                                4.9.0-fc.1   True        False         False      6d20h   
machine-approver                           4.9.0-fc.1   True        False         False      6d20h   
machine-config                             4.9.0-fc.1   True        False         False      6d20h   
marketplace                                4.9.0-fc.1   True        False         False      6d20h   
monitoring                                 4.9.0-fc.1   True        False         False      6d20h   
network                                    4.9.0-fc.1   True        False         False      6d20h   
node-tuning                                4.9.0-fc.1   True        False         False      6d20h   
openshift-apiserver                        4.9.0-fc.1   True        False         False      6d20h   
openshift-controller-manager               4.9.0-fc.1   True        False         False      6d20h   
openshift-samples                          4.9.0-fc.1   True        False         False      6d20h   
operator-lifecycle-manager                 4.9.0-fc.1   True        False         False      6d20h   
operator-lifecycle-manager-catalog         4.9.0-fc.1   True        False         False      6d20h   
operator-lifecycle-manager-packageserver   4.9.0-fc.1   True        False         False      6d20h   
service-ca                                 4.9.0-fc.1   True        False         False      6d20h   
storage                                    4.9.0-fc.1   True        False         False      6d20h   

~~~



Version-Release number of selected component (if applicable):

OCP version: 4.9.0-fc.1   



Steps to Reproduce:

Create custom certificates and use them for the custom oauth route:
 
$ openssl genrsa -out ca.key 2048
$ openssl req -x509 -new -nodes -key ca.key -sha256 -days 7300 -out ca.pem
$ openssl x509 -noout -text -in ca.pem
$ openssl genrsa -out apps.key 2048
$ curl -O https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/openssl.conf
Edit the openssl.conf and set the DNS field to your expected custom domain, e.g.
DNS.1 = *.oauth.custom.sankz.xyz.com

$ openssl req -new -config openssl.conf -key apps.key -out apps.csr

$ openssl x509 -req -CA ca.pem -CAkey ca.key -CAcreateserial -extfile openssl.conf -extensions v3_req -in apps.csr -out apps.crt -days 3650

---

$ ls
apps.crt  apps.csr  apps.key  ca.key  ca.pem  ca.srl  openssl.conf

---

$ oc create secret tls custom-auth-component --cert=apps.crt --key=apps.key -n openshift-config

---

$ oc edit ingresses.config.openshift.io cluster

spec:
  componentRoutes:
  - hostname: oauth.custom.sankz.xyz.com
    name: oauth-openshift
    namespace: openshift-authentication
    servingCertKeyPairSecret:
      name: custom-auth-component
  domain: apps.sankz.xyz.com




Actual results:

- The authentication works fine with the custom oauth route from the GUI and CLI.
- console-operator is flooding with x509 messages


Expected results:

The cluster operator x509 messages should be suppressed, as the feature is working correctly with self-signed custom certs for the oauth route.
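Added example, not code from this bug or from OpenShift: it reproduces the failing check in Go, the language of the console operator, using constructed data. It builds a private CA and a leaf whose only SAN is the wildcard from the steps above (hostnames taken from the report), verifies the leaf against an empty trust store, which yields the same "unknown authority" error class the operator reports, and then against a store that contains the CA. It also shows that a single wildcard SAN does not cover the apex hostname oauth.custom.sankz.xyz.com used in componentRoutes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// issue signs tmpl with parentKey; with a nil parent the certificate is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signer, issuer := key, tmpl
	if parent != nil {
		signer, issuer = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		panic(err) // inputs are constructed below, so a failure here is a programming error
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildChain mirrors the reporter's steps with constructed data: a private CA and a leaf whose only SAN is the wildcard.
func BuildChain() (ca, leaf *x509.Certificate) {
	now, exp := time.Now(), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "custom-ca"},
		NotBefore: now, NotAfter: exp, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca, caKey := issue(caTmpl, nil, nil)
	leaf, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: exp,
		DNSNames: []string{"*.oauth.custom.sankz.xyz.com"}}, ca, caKey)
	return ca, leaf
}
// VerifyAgainst runs the chain and hostname check a Go TLS client performs: ok is true on success,
// unknownAuthority is true when the failure is the "signed by unknown authority" case (CA not in roots).
func VerifyAgainst(leaf *x509.Certificate, roots *x509.CertPool, dnsName string) (ok, unknownAuthority bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dnsName})
	_, unknownAuthority = err.(x509.UnknownAuthorityError)
	return err == nil, unknownAuthority
}
func main() {
	ca, leaf := BuildChain()
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println(VerifyAgainst(leaf, x509.NewCertPool(), "login.oauth.custom.sankz.xyz.com")) // false true
	fmt.Println(VerifyAgainst(leaf, trusted, "oauth.custom.sankz.xyz.com"))                  // false false
}
```

The first result is what a client that does not trust the private CA sees; adding the CA to the roots makes the wildcard name verify, while the apex name still fails on hostname matching rather than on trust.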

Comment 2 Sergiusz Urbaniak 2021-09-13 14:46:33 UTC

*** This bug has been marked as a duplicate of bug 1989055 ***

