-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
che-operator auto-grabbing of self-signed certificate does not work correctly #14175
Comments
Seems pretty complicated issue and I don't think we can do it properly in 7.0 release... |
yes, a user has to pre-created secret with CA certificate before deploying Che. I do not think that it's documented somewhere but a workaround exists. |
@sleshchenko Hello, can you explain what is the workaround? |
So, user should execute
and only then deploy Che with operator, like
|
removed |
@mmorhun |
duplicate |
Describe the bug
che-operator auto-grabbing of self-signed certificate does not work correctly.
Che version
Steps to reproduce
Generate CA and TLS certfificate:
Configure Router with generated certificate:
2.1
2.2 Deploy Che Server itself
Expected behavior
Che Server is run and it's possible to start workspace and use its functionality (like run task)
Actual
Che Server is run successfully but after starting of workspace it's not possible to run tasks, it's caused by incorrect self-signed certificate, so Theia is not able to requests WS Master.
Theia log
Runtime
kubectl version
)oc version
)minikube version
andkubectl version
)minishift version
andoc version
)docker version
andkubectl version
)Screenshots
Installation method
Environment
Additional context
Note that if you create self-signed-cert based on rootCA before deploying Che
the che-operator will use it instead of auto-grabbing and Che Server and workspaces will work correctly.
I've already investigated this issue a bit and discovered that it's like a best practice to generate CA certificate, propagate it to clients to configure their trust stores.
And generate another non-CA certificate based on CA for establishing https connection.
See https://wiki.mozilla.org/SecurityEngineering/x509Certs
https://gist.github.com/fntlnz/cf14feb5a46b2eda428e000157447309
Looks like Java and Go does not have any issues with using non-CA certificate as trusted,
but the current implementation of Theia - has.
Possible solutions:
So, Che Server may inform Theia which cert type is used, or maybe Theia may decode it by itself.
Note that I took a look on
curl
command and there is no ability to use non-CA cert for trusting. The only option that can be usedcacert
The text was updated successfully, but these errors were encountered: