x509: certificate signed by unknown authority about oauth-proxy HOT 8 CLOSED

I think I just figured out the theory (why it didn't work).

Lately, our system administrator just replaced the self-signed cert with a commercial one. However, I don't think that the right ca cert has been re-deployed to OpenShift. That's why the container still gets the original self-signed ca cert. Of course, it cannot verify the commercial server certificate.

Regarding the openssl test I posted earlier, I also need to add the -servername parameter (for SNI) to test. It should look like,

openssl s_client -servername openshift.k8s.OURDOMAN.com -connect openshift.k8s.OURDOMAIN.com:8443 -CAfile ca.crt

I will check with our system administrator soon.

from oauth-proxy.

Can you post your fix? I have the same issue. Where did you add the ca file? To named certificates?

from oauth-proxy.

I have found the fix by appending the ca intermediate certificate to the custom cert file.
Here:

namedCertificates:
  - certFile: /etc/origin/master/named_certificates/master_cert.pem

from oauth-proxy.

We found this issue could occur in the Tekton Dashboard on OpenShift after changing the cluster's default ingress certificate which was used by the OpenShift oauth server. The issue seems to be that the oauth-proxy will use the service account certificate /var/run/secrets/kubernetes.io/serviceaccount/ca.crt by default, which works when the oauth server is using the original certificate during installation, but is not updated with the new certificate authority information after making that change.

I think the problem can be worked around by an adjusted configuration of the oauth-proxy container, and using a configmap with an updated certificate bundle populated by OpenShift. After mounting the bundle from the configmap into the container, I found that adding two --openshift-ca arguments works well: one pointing to the (default) certificate at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, and another pointing to the new certificate bundle.

There is a more detailed patch example in tektoncd/dashboard#1603.

from oauth-proxy.

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

from oauth-proxy.

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

from oauth-proxy.

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

from oauth-proxy.

@openshift-bot: Closing this issue.

from oauth-proxy.