OpenShift web console with custom TLS certificate chain remains "unsecured"


In OpenShift Origin 3.6, with advanced installation method, I configured custom TLS certificate for the web console and for the router.

For the web console, the parameters I used in the Ansible inventory are:

openshift_master_named_certificates=[{"certfile": "/root/star.paas.certs/star.paas.local.cert.pem", "keyfile": "/root/star.paas.certs/star.paas.local.key.pem", "names": ["master.paas.local"], "cafile": "/root/star.paas.certs/ca-chain.cert.pem"}]
openshift_master_overwrite_named_certificates=true

And for the router, the parameters are:

openshift_hosted_router_certificate={"certfile": "/root/star.paas.certs/star.paas.local.cert.pem", "keyfile": "/root/star.paas.certs/star.paas.local.key.pem", "cafile": "/root/star.paas.certs/ca-chain.cert.pem"}

On the TLS certificate side, a custom Certificate Authority has been created and saved to file ca-chain.cert.pem. And a custom Certificate based on this CA has been generated (star.paas.local.key.pem and star.paas.local.cert.pem).

As you may have noticed, I use the same certificate chain for the OpenShift web console (served in my case at master.paas.local:8443) and for the embedded router (for apps routed as https://*.paas.local).

Then, when I want to access the web console, the prerequisite is to import the root CA into my browser.

The point is: when I use Chromium and go to master.paas.local:8443, the connection is considered unsecured (NET::ERR_CERT_AUTHORITY_INVALID). And when I ask for more information, I notice that the certificate hierarchy is incomplete:

Certificate details in Chromium

Interestingly, this does not happen in Firefox, which is the only browser known to me that behaves the expected way:

Certificate details in Firefox

Conversely, all the TLS-secured public routes served by OpenShift for my apps are considered secure by all the browsers I tested, with the very same certificate chain as the one I use for the web console.

Is there a working way to make openshift(-ansible) take my custom CA into account when serving the web console in all modern browsers? It seems to me that OpenShift web console does not send root/intermediate CA during TLS handshake.


Solution

  • The ansible playbook appears to support providing a cafile for named_certificates, and places the files. However the running system doesn't support the cafile key, so it is ignored. If you provide the certfile as a full bundle (bundle+cert) then it should start working.

    I submitted a PR to the playbook to handle this task.
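The following script is an added example, not code from the original post or from openshift-ansible. It builds the "full bundle" certfile the answer recommends (server certificate first, then its issuing chain) and checks it the way a browser that only trusts the imported root would: the leaf alone fails to verify, the bundle succeeds, and a bundle with a private key accidentally appended is rejected. It assumes openssl is in PATH; the file names mirror the question (star.paas.local.cert.pem, ca-chain.cert.pem), but a throwaway root -> intermediate -> leaf PKI is generated in a temp directory so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post or openshift-ansible): build and
# check the leaf+chain bundle that the answer says certfile must point at.
# Assumes: openssl in PATH. A constructed root -> intermediate -> leaf PKI
# stands in for the user's custom CA and certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config: a DN section (required by `openssl req`) plus the
# extension profiles for CA certificates and the server (leaf) certificate.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:master.paas.local, DNS:*.paas.local
EOF

# issue_cert NAME SUBJECT PROFILE [ISSUER]: constructed test PKI; self-signed
# when no issuer is given, otherwise signed by ISSUER's key.
issue_cert() {
    name=$1; subject=$2; profile=$3; issuer=${4:-}
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -subj "$subject" \
        -config "$WORK/ext.cnf" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 2 -sha256 -extfile "$WORK/ext.cnf" -extensions "$profile" \
            -out "$WORK/$name.cert.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.cert.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 -sha256 \
            -extfile "$WORK/ext.cnf" -extensions "$profile" \
            -out "$WORK/$name.cert.pem" 2>/dev/null
    fi
}

issue_cert root "/CN=Test Root CA" ca
issue_cert int "/CN=Test Intermediate CA" ca root
issue_cert star.paas.local "/CN=*.paas.local" leaf int

ROOT="$WORK/root.cert.pem"                  # what the user imports into the browser
LEAF="$WORK/star.paas.local.cert.pem"       # the server certificate
CHAIN="$WORK/ca-chain.cert.pem"             # intermediate then root, as in the question
BUNDLE="$WORK/star.paas.local.bundle.pem"   # what certfile should point at
cat "$WORK/int.cert.pem" "$ROOT" > "$CHAIN"

# build_bundle LEAF CHAIN OUT: server certificate first, then its issuers in order.
build_bundle() {
    cat "$1" "$2" > "$3"
}

# cert_count FILE: number of PEM certificate blocks in FILE.
cert_count() {
    grep -c "BEGIN CERTIFICATE" "$1"
}

# verify_status CAFILE TARGET [UNTRUSTED]: echoes OK or FAIL. With only the root
# trusted, TARGET verifies only if the intermediate is supplied alongside it,
# which is exactly what the server must do in the TLS handshake.
verify_status() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

# bundle_ok BUNDLE LEAF ROOT: checks before the file goes into the inventory:
# the server cert is the first block, no private key leaked into the bundle,
# and the chain completes with nothing but the root trusted.
bundle_ok() {
    bundle=$1; leaf=$2; root=$3
    first=$(openssl x509 -in "$bundle" -noout -fingerprint -sha256)
    want=$(openssl x509 -in "$leaf" -noout -fingerprint -sha256)
    [ "$first" = "$want" ] || { echo "first block is not the server certificate"; return 1; }
    if grep -q "PRIVATE KEY" "$bundle"; then echo "private key found in bundle"; return 1; fi
    [ "$(verify_status "$root" "$leaf" "$bundle")" = OK ] || { echo "chain does not complete"; return 1; }
    return 0
}

build_bundle "$LEAF" "$CHAIN" "$BUNDLE"
echo "leaf alone, root trusted: $(verify_status "$ROOT" "$LEAF")"
echo "bundle, root trusted:     $(verify_status "$ROOT" "$LEAF" "$BUNDLE")"
bundle_ok "$BUNDLE" "$LEAF" "$ROOT" && echo "bundle ok: $(cert_count "$BUNDLE") certificates"
```

With a real deployment, point the `certfile` entries in both inventory variables at the bundle and keep `keyfile` separate. To confirm the running master actually serves the chain, `openssl s_client -connect master.paas.local:8443 -showcerts </dev/null` lists every certificate the server sends; if only the leaf appears, browsers that hold just the root will keep reporting NET::ERR_CERT_AUTHORITY_INVALID, and Firefox only passes because it caches intermediates it has seen before.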