deploy signed wildcard cert to OpenShift routers

Description

Splitting this off

We currently have a self-signed cert serving *.apps.ovirt.org and LetsEncrypt serving individual route certificates. This has issues and an easy solution would be to acquire and deploy a proper wildcard certificate to secure all routes on the subdomain.

Activity

Evgheni Dereveanchin
April 1, 2020, 11:10 PM

Tried applying the new certificate today but had to roll back since the certificate did not match the private key provided.

openssl pkey -in test_web_apps.okd.osci.io.key -pubout -outform pem | sha256sum
b6f3295f474f95496ce10d3e9980a8ce7d41205c6e0380ed0badc90683e32737 -
openssl x509 -in test_web_apps.okd.osci.io.crt -pubkey -noout -outform pem | sha256sum
6c7ddfb6842d7b541c93f84b487e8d69882f13edfdbcfa997cac84a67d7c748c -

Could you please provide the matching private key or re-key the certificate?

Marc Dequènes (Duck)
April 2, 2020, 12:40 AM

It was indeed a mistake, even the cert name showed it clearly. I replaced the files.

I checked your method to match but this really does not work with any production and working certs I have, even Let’s Encrypt ones, so the recipe needs to be verified.

Evgheni Dereveanchin
April 2, 2020, 10:36 PM

This was just one way of checking cert/key matching I mentioned. Thanks for providing the proper key: the wildcard has been installed successfully.

Evgheni Dereveanchin
April 2, 2020, 10:37 PM

Added some test routes to confirm the certificate is working properly. Closing the ticket now.
Also sent a patch to drop ACME annotations from TLS routes that our CI creates: https://gerrit.ovirt.org/108183

Marc Dequènes (Duck)
April 3, 2020, 4:30 AM

I understood the purpose but it does not work with this recipe. I was interested in taking note of it for the future, so if you get it fixed, please send it to me.

Done

Assignee

Evgheni Dereveanchin

Reporter

Evgheni Dereveanchin

Blocked By

None

Priority

Medium