#8124 communishift API endpoint seems to have an invalid ssl setup
Closed: Fixed 10 months ago by kevin. Opened 11 months ago by dustymabe.

At least that's what my clients are telling me. Either that or the oc login command that the web interface is spitting out is wrong:

$ oc login --token=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx --server=https://api.os.fedorainfracloud.org:6443
The server uses a certificate signed by an unknown authority.
You can bypass the certificate check, but any data you send to the server could be intercepted by others.
Use insecure connections? (y/n): n

error: The server uses a certificate signed by unknown authority. You may need to use the --certificate-authority flag to provide the path to a certificate file for the certificate authority, or --insecure-skip-tls-verify to bypass the certificate check and use insecure connections.

$ curl -I 'https://api.os.fedorainfracloud.org:6443' 
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Metadata Update from @kevin:
- Issue priority set to: Waiting on Assignee (was: Needs Review)

11 months ago

I think I'm hitting the same problem, but from a different angle.
oc login works for me (binary built from source, on a non-Fedora host), but then subsequent commands fail with:

Error from server: error dialing backend: remote error: tls: internal error

Can we get someone assigned to this ticket and work on a plan to get it fixed?

Metadata Update from @dustymabe:
- Issue priority set to: Next Meeting (was: Waiting on Assignee)
- Issue tagged with: communishift

10 months ago

It's on my list. I hope to get to it soon (today, early next week). As soon as I start working on it I will assign it to myself.

Sorry for the delay.

> It's on my list. I hope to get to it soon (today, early next week). As soon as I start working on it I will assign it to myself.

thanks @kevin

> Sorry for the delay.

No need for an apology. We're all doing our best!

I'm digging into this now. It seems something went wrong with cert-manager...

Metadata Update from @kevin:
- Issue assigned to kevin
- Issue priority set to: Waiting on Assignee (was: Next Meeting)

10 months ago

Sadly I made it worse, so I am going to need to poke around more next week.... ;(

ok, thanks to some great help from an OpenShift SRE, I managed to get the namespace cleaned up, the cert-manager operator re-installed and I think all the certs sorted. :)

Please let us know if you still see any issues...

Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

10 months ago

For my case, confirmed working.
Both oc login and oc exec do not throw any TLS errors anymore.
Thanks!

> ok, thanks to some great help from an OpenShift SRE, I managed to get the namespace cleaned up, the cert-manager operator re-installed and I think all the certs sorted. :)

that's great news! Thanks @kevin

> Please let us know if you still see any issues...

Will do

All seems to be working for me!

I have re-encountered this problem again.

Can you check again now?

I have checked now, still:

Error from server: error dialing backend: remote error: tls: internal error

This is something else I think...

~ curl -vvI https://api.os.fedorainfracloud.org:6443 |& grep date:
start date: Sep 12 22:41:22 2019 GMT
expire date: Dec 11 22:41:22 2019 GMT
< date: Fri, 11 Oct 2019 18:46:16 GMT
date: Fri, 11 Oct 2019 18:46:16 GMT

What exact command are you running to get that output?

$ oc logs pod/packit-worker-0
Error from server: Get https://os-node11.fedorainfracloud.org:10250/containerLogs/packit-stg/packit-worker-0/packit-worker-1: remote error: tls: internal error
$ oc rsh pod/packit-worker-0
Error from server: error dialing backend: remote error: tls: internal error
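
An added example, not part of the original ticket: the errors quoted in this thread name two different endpoints (the API server on port 6443 and a node on port 10250), so the probe below attempts one verified TLS handshake per endpoint and reports whether the failure is a trust problem, a TLS-level abort, or a plain connection failure. The function name `probe`, its result keys and the `VERIFY_CODES` table are assumptions made for this example.

```python
import socket
import ssl
import sys

# OpenSSL X509 verify codes relevant to the errors quoted in this ticket.
VERIFY_CODES = {
    10: "certificate has expired",
    18: "self-signed leaf certificate",
    19: "self-signed certificate in chain (issuing CA not in the trust store)",
    20: "issuer certificate not found locally",
}


def probe(host, port, cafile=None, timeout=5.0):
    """Attempt one verified TLS handshake and report why it failed, if it did.

    cafile plays the role of oc's --certificate-authority: a CA bundle to
    trust in place of the system store. Verification is never disabled.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    result = {"target": f"{host}:{port}", "status": "ok"}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["not_before"] = cert.get("notBefore")
                result["not_after"] = cert.get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        # Trust problem on our side of the handshake (the curl error 60 case).
        result["status"] = "untrusted"
        result["verify_code"] = exc.verify_code
        result["detail"] = VERIFY_CODES.get(exc.verify_code, exc.verify_message)
    except ssl.SSLError as exc:
        # Handshake aborted for another reason, e.g. the peer sent a TLS alert.
        result["status"] = "tls_error"
        result["detail"] = getattr(exc, "reason", None) or str(exc)
    except OSError as exc:
        # Refused, timed out, or name resolution failed: no TLS was attempted.
        result["status"] = "unreachable"
        result["detail"] = str(exc)
    return result


if __name__ == "__main__":
    # Usage: python probe.py HOST:PORT [HOST:PORT ...]
    for target in sys.argv[1:]:
        host, _, port = target.rpartition(":")
        print(probe(host, int(port)))
```

Passing the cluster's CA bundle as `cafile` tests whether the chain validates against it, which is the check the `--certificate-authority` flag in the `oc` error message refers to.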
