Build full chains out of named_certificates that come with CAs #4920
Conversation
Can one of the admins verify this patch?
mode: 0600
with_items: "{{ named_certificates | oo_collect('cafile') }}"
I assume oo_collect was used in place of the when statements that I implemented. I'm not sure why it would be preferred, but in moving to the assemble module in ansible I needed access to more than just the cafile in the dictionary.
mode: 0600
with_items: "{{ named_certificates | oo_collect('cafile') }}"
validate: "openssl verify %s"
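Review bot: the `validate: "openssl verify %s"` on this copy rejects the very configuration the change is meant to support: `openssl verify` without `-CAfile` checks the copied file against the host's trust store, so a cafile issued by a private root the masters do not already trust fails validation and is never copied. Drop the validate on this task and check the assembled chain in a separate task that names the trust anchor explicitly, for example `openssl verify -CAfile <root.crt> <chain.crt>`.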
I think this validate is too strict and would only work if we already trusted the root? Using something like this guide to roll your own chain would be a valid configuration for a cluster but would require that clients trust the root.
The reason I went this route was that either the CAfile provided is a fully trusted bundle or the system trusts the CA already. Otherwise you aren't necessarily working with a working cert chain.
@abutcher is this a stale / not needed PR?
@DanyC97 Yeah this one is stale. We can configure a named certificate with an intermediate certificate authority by putting the files together ourselves before passing to openshift-ansible but there are sharp edges.
@abutcher thank you for the response. By any chance do you have the steps of how you guys created the test certs? The reason I'm asking is because I spent time creating SSL certs for a private / internal domain using openssl and sadly the web console doesn't use them. Now I cannot use Let's Encrypt or anything like this since it is not a real domain, so at this point I'm not sure if it is a problem with OpenShift or the certs I created.
@DanyC97 I created my certs using this guide the last time I tested intermediate CA. If you use that guide make sure that the CAs don't have passphrases (omit
@abutcher came across that guide and this time I followed it, however I still miss one piece of the puzzle ... so the steps I've done were:
However, accessing the web console is still retrieving the default self-signed master certificate. Even when doing any thoughts? P.S. note I'm on 3.7.2 origin ...
I found out from @vrutkovs that I need to run the And
@DanyC97 Ah, I wasn't sure what the goal was but replacing all certificates should not be necessary to replace or add a new named certificate as long as the internal and external (public) cluster hostnames are different. Do you have an issue where you're discussing this? I think we've moved away from the PR discussion.
I've spent the last little bit trying to figure out why our custom CA wasn't always working. Turns out on 2 of our 3 masters it just wasn't behaving properly. @abutcher and @damaestro helped me troubleshoot.
We were validating with
and
We could never find out why master1 was working, but when we put the full chain (cert+int+root) in the certfile, things started working properly.
So after a quick convo on how to just make this happen, without changing people's inventory files, I created this change set.
You can validate this off to the side fairly easily with this attached playbook.
named_certs.yml.txt