Che server pod fails to connect to keycloak with self-signed TLS cert #17597
Comments
@jwwaltoncredera
If you would like to install the latest stable version, pls do
|
@tolusha
I didn't do any pre-setup of cert-manager or the accompanying certs in April, I let chectl handle that. Is creating the self-signed-certificate ahead of time required?
After deleting the server install and upgrading to stable it worked.
Seems like this might be another issue, as I would expect the default behavior to reuse an existing namespace, not error out the installer.
|
@jwwaltoncredera
I close this issue since everything works now.
Describe the bug
Have been testing Che since April. Wanted to upgrade Che to the latest version.
After deleting the existing Che install with
chectl server:delete
and trying to reinstall with
chectl server:start --platform=k8s --installer=helm --domain=projectname-eks.myorg.com --multiuser --self-signed-cert -i quay.io/eclipse/che-server:7.16.2
the Che server install fails with a timeout. In the logs, it is failing to retrieve the OpenID config
Error injecting constructor, java.lang.RuntimeException: Exception while retrieving OpenId configuration from endpoint: https://keycloak-che.projectname-eks.myorg.com/auth/realms/che/.well-known/openid-configuration
which seems to be caused by the Che server not trusting the certificate
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The cert-manager CA is the one that was installed in April during the initial setup of Che.
I am able to reach the https://keycloak-che.projectname-eks.myorg.com/auth/realms/che/.well-known/openid-configuration endpoint from a browser with the CA cert installed. I can also curl the endpoint from another pod in the cluster (if I ignore the cert).
Che version
I've tried both.
Steps to reproduce
chectl server:delete on working server installation
chectl server:start --platform=k8s --installer=helm --domain=projectname-eks.myorg.com --multiuser --self-signed-cert -i quay.io/eclipse/che-server:7.16.2 on same eks cluster
Expected behavior
Che server is able to retrieve the keycloak info with the self-signed cert
Runtime
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.8-eks-fd1ea7", GitCommit:"fd1ea7c64d0e3ccbf04b124431c659f65330562a", GitTreeState:"clean", BuildDate:"2020-05-28T19:06:00Z", GoVersion:"go1.13.8", Compiler:"gc", Platform:"linux/amd64"}
Screenshots
Installation method
Environment
Eclipse Che Logs
Additional context
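The stack trace in this report belongs to one failure class: the client's trust store does not contain the CA that issued the server certificate. The script below is an added example, not part of the original issue or of the Che project; it reproduces that check offline with the openssl CLI. The CA names, host names and helper functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. CA names, host names and paths are constructed; nothing here
# comes from the cluster in the report.
WORK="$(mktemp -d)"

# make_ca <name>: create a throwaway self-signed CA (key + certificate).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_leaf <ca> <host>: issue a server certificate for <host> signed by <ca>.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# chain_trusted <ca> <host>: exit 0 only if <host>'s certificate chains to <ca>.
# A non-zero exit is the OpenSSL counterpart of Java's "PKIX path building failed".
chain_trusted() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# dn_of <name> <issuer|subject>: print that DN of a certificate for comparison.
dn_of() {
  openssl x509 -in "$WORK/$1.crt" -noout -nameopt RFC2253 "-$2" | sed 's/^[a-z]*=//'
}

demo() {
  make_ca client-trusted-ca      # the CA present in the client's trust store
  make_ca other-ca               # any CA the client does not trust
  issue_leaf client-trusted-ca good.example.test
  issue_leaf other-ca bad.example.test
  for host in good.example.test bad.example.test; do
    if chain_trusted client-trusted-ca "$host"; then verdict="trusted"
    else verdict="NOT trusted (issuer: $(dn_of "$host" issuer))"; fi
    echo "$host: $verdict"
  done
}
demo

# Against a live endpoint, save the served chain first, then run the same verify:
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null
```

Comparing the issuer DN of the served certificate with the subject DN of the CA in the client's trust store shows whether the two belong to the same chain.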