Prometheus oauth-proxy throws 'ErrorPage 500 Internal Error' using a signed certificate from a CA. about oauth-proxy HOT 11 CLOSED

You have to mount in your CA root certificate and then add an entry for -openshift-ca=/certs/your-ca.pem. If I remember correctly by editing the prometheus statefulset.

When the proxy tries to hit the API as in:

018/07/11 05:28:22 provider.go:522: 201 POST https://nonprod1.test.evil.corp.us:8443/apis/authorization.openshift.io/v1/subjectaccessreviews  {"kind":"SubjectAccessReviewResponse","apiVersion":"authorization.openshift.io/v1","namespace":"dummy-uat","allowed":true,"reason":"allowed by openshift authorizer"}
2018/07/11 05:28:22 oauthproxy.go:612: 10.2.2.1:36804 authentication complete Session{[email protected] token:true}

It throws the x509: certificate signed by unknown authority error because the CA that signed nonprod1.test.evil.corp.us is not trusted.

Adding the CA Root from /opt/certs/RootCA04.crt (from nonprod1) solved this.

from oauth-proxy.

If you are troubleshooting and/or don't have the certs, you can use the - -skip-auth-regex= arg and add the endpoints you need.

example:

- -skip-auth-regex=^/graph.*
- -skip-auth-regex=^/targets
- -skip-auth-regex=^/status
- -skip-auth-regex=^/config
- -skip-auth-regex=^/

Obviously not for prod :)

btw, - -ssl-insecure-skip-verify doesn't work.

from oauth-proxy.

Fixed the client side x509 issue.

2018/02/21 15:43:46 oauthproxy.go:582: error redeeming code (client:10.1.2.1:53068): Post https://a.example.domain:8443/oauth/token: x509: certificate signed by unknown authority
2018/02/21 15:43:46 oauthproxy.go:399: ErrorPage 500 Internal Error Internal Error

Problem was that the cert chain in the browser was incomplete.

Now I keeping getting:

oauthproxy.go:657 x.x.x.x:5xxxx Cookie "_oauth_proxy" not present

Any thoughts? bearer token / sa related?
Maybe it's best to open a new issue and close this one.

from oauth-proxy.

@rflorenc that is just logged whenever you authenticate without a cookie. It's caused some confusion so we should probably change or remove it.

from oauth-proxy.

@mrogers950 thanks.

from oauth-proxy.

@rflorenc Could you please give more detailed information about how you did solve the issue? I'm facing the same problem.

from oauth-proxy.

Did you also find out how to solve this from an openshift-ansible point of view?
Is openshift_additional_ca a working option?

from oauth-proxy.

@sspreitzer I didn't try it out.

from oauth-proxy.

I am trying that at the moment, to solve prometheus, kibana and maybe others from a central spot. Will keep you posted.

from oauth-proxy.

@rflorenc openshift_additional_ca solved the problem as well!

Define openshift_additional_ca in your openshift-ansible inventory file with your CA or intermediate CA and it will work!

from oauth-proxy.

from oauth-proxy.