Splitting this off
We currently have a self-signed cert serving *.apps.ovirt.org and LetsEncrypt serving individual route certificates. This has issues and an easy solution would be to acquire and deploy a proper wildcard certificate to secure all routes on the subdomain.
Tried applying the new certificate today but had to roll back since the certificate did not match the private key provided:
openssl pkey -in test_web_apps.okd.osci.io.key -pubout -outform pem | sha256sum
openssl x509 -in test_web_apps.okd.osci.io.crt -pubkey -noout -outform pem | sha256sum
Could you please provide the matching private key or re-key the certificate?
It was indeed a mistake, even the cert name showed it clearly. I replaced the files.
I checked your method to match but this really does not work with any production and working certs I have, even Let’s Encrypt ones, so the recipe needs to be verified.
This was just one way of checking cert/key matching I mentioned. Thanks for providing the proper key: the wildcard has been installed successfully.
Added some test routes to confirm the certificate is working properly. Closing the ticket now.
Also sent a patch to drop ACME annotations from TLS routes that our CI creates: https://gerrit.ovirt.org/108183
I understood the purpose but it does not work with this recipe. I was interested in taking note of it for the future, so if you get it fixed, please send it to me.
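The certificate/key public-key comparison discussed in this ticket, as an added example that is not part of the original thread: it converts both public keys to DER before hashing, so PEM formatting cannot affect the digest, and it returns a distinct status when either file cannot be parsed. The file names, the `*.example.test` subject and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: check that a certificate carries the public key of a private key.

# SHA-256 of the DER SubjectPublicKeyInfo for a PEM public key read from stdin.
spki_digest() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Public-key digest derived from a private key file; fails if the key is unreadable.
key_digest() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_digest
}

# Public-key digest extracted from a certificate; fails if the cert is unreadable.
cert_digest() {
    pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | spki_digest
}

# Status 0: key and cert match. 1: they do not. 2: a file could not be parsed,
# so two failed reads can never be mistaken for a match.
cert_matches_key() {
    key_d=$(key_digest "$1") || return 2
    crt_d=$(cert_digest "$2") || return 2
    [ -n "$key_d" ] && [ "$key_d" = "$crt_d" ]
}

# Constructed test material: two EC keys and a self-signed wildcard certificate
# issued for the first key only. Prints the temporary directory holding them.
make_samples() {
    dir=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/good.key" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/other.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/good.key" -subj "/CN=*.example.test" \
        -days 1 -out "$dir/wild.crt" 2>/dev/null
    echo "$dir"
}

d=$(make_samples)
for name in good other; do
    if cert_matches_key "$d/$name.key" "$d/wild.crt"; then
        echo "$name.key: matches wild.crt"
    else
        echo "$name.key: does NOT match wild.crt"
    fi
done
rm -rf "$d"
```

Running the check before deploying a certificate surfaces a wrong key file without a rollback.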