deploy signed wildcard cert to OpenShift routers


Splitting this off

We currently have a self-signed cert serving * and LetsEncrypt serving individual route certificates. This has issues and an easy solution would be to acquire and deploy a proper wildcard certificate to secure all routes on the subdomain.


Evgheni Dereveanchin
April 1, 2020, 11:10 PM

Tried applying the new certificate today but had to roll back since the certificate did not match the private key provided.

openssl pkey -in -pubout -outform pem | sha256sum
b6f3295f474f95496ce10d3e9980a8ce7d41205c6e0380ed0badc90683e32737 -
openssl x509 -in -pubkey -noout -outform pem | sha256sum
6c7ddfb6842d7b541c93f84b487e8d69882f13edfdbcfa997cac84a67d7c748c -

Could you please provide the matching private key or re-key the certificate?

Marc Dequènes (Duck)
April 2, 2020, 12:40 AM

It was indeed a mistake, even the cert name showed it clearly. I replaced the files.

I checked your method to match but this really does not work with any production and working certs I have, even Let’s Encrypt ones, so the recipe needs to be verified.

Evgheni Dereveanchin
April 2, 2020, 10:36 PM

This was just one way of checking cert/key matching I mentioned. Thanks for providing the proper key: the wildcard has been installed successfully.

Evgheni Dereveanchin
April 2, 2020, 10:37 PM

Added some test routes to confirm the certificate is working properly. Closing the ticket now.
Also sent a patch to drop ACME annotations from TLS routes that our CI creates:

Marc Dequènes (Duck)
April 3, 2020, 4:30 AM

I understood the purpose but it does not work with this recipe. I was interested in taking note of it for the future, so if you get it fixed, please send it to me.
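The cert/key matching recipe discussed in this ticket, written out as a runnable script. This is an added example, not a file from the ticket or from OpenShift; it assumes the openssl CLI is installed and constructs its own throwaway keys and certificate, so the file names and the CN are placeholders.

```shell
#!/bin/sh
# Added example (not from the ticket): verify that a TLS certificate and a
# private key belong together by comparing the SHA-256 of the public key
# (SubjectPublicKeyInfo) that each file carries. Needs the openssl CLI.
set -eu

# Fingerprint of the public key inside a private key file (PKCS#1 or PKCS#8).
key_pub_fp() {
    openssl pkey -in "$1" -pubout -outform pem | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key embedded in an X.509 certificate.
cert_pub_fp() {
    openssl x509 -in "$1" -pubkey -noout | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate was issued for this key, 1 otherwise.
# Usage: cert_matches_key wildcard.crt wildcard.key
cert_matches_key() {
    [ "$(cert_pub_fp "$1")" = "$(key_pub_fp "$2")" ]
}

# Constructed test material: key A with a self-signed cert for it, and an
# unrelated key B. A real deployment would use the CA-issued wildcard cert
# and its key instead of these placeholders.
make_demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/a.key" -out "$dir/a.crt" \
        -subj "/CN=*.example.test" -days 1 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/b.key" >/dev/null 2>&1
    echo "$dir"
}
```

Because both sides are hashed in SPKI form, the check is independent of whether the key file is PKCS#1 or PKCS#8; an encrypted key file will prompt for its passphrase.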
