Tags: kubernetes, routes, ssl-certificate, openshift, websphere-liberty

OpenShift edge TLS termination route does not work. CWWKO0801E: Unable to initialize SSL connection


Can anyone please help me with OpenShift Routes?

I have set up a Route with edge TLS termination; calls made to the service endpoint (https://openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com) result in:

502 Bad Gateway
The server returned an invalid or incomplete response.

The pod logs show the error below when I make a REST call using the endpoints:

CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at com.ibm.jsse2.c.a(c.java:6)
    at com.ibm.jsse2.as.a(as.java:532)
    at com.ibm.jsse2.as.unwrap(as.java:580)
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:5)
    at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:515)

The default passthrough route termination works, but it does not let me specify path-based routes. Hence I am trying to use a Route with edge TLS termination: I want to route traffic from /ibm/pmi/service to apm-pm-api-service, and /ibm/pmi to apm-pm-ui-service, using the single hostname https://openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com.

I have the SSL certs loaded into the edge route; the Liberty service uses the same certs via secrets defined in the deployment.yaml.

I am unable to identify the root cause of this SSL-related error. Is it coming from the WLP Liberty application server, or is it an issue with OpenShift routes?

Any suggestions on how to get the Liberty application working?

Thanks for your help in advance!

Attaching the route.yaml:

kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: openshift-pmi-dev
  namespace: default
  selfLink: /apis/route.openshift.io/v1/namespaces/default/routes/openshift-pmi-dev
  uid: 9ba296f6-1611-11ea-a1ab-0a580afe00ab
  resourceVersion: '6819345'
  creationTimestamp: '2019-12-03T21:12:26Z'
  annotations:
    haproxy.router.openshift.io/balance: roundrobin
    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload  # HSTS directive is "max-age", with a hyphen
spec:
  host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
  subdomain: ''
  path: /ibm/pmi/service
  to:
    kind: Service
    name: apm-pm-api-service
    weight: 100
  port:
    targetPort: https
  tls:
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      <valid cert>
      -----END RSA PRIVATE KEY-----
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
  wildcardPolicy: None
status:
  ingress:
    - host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
      routerName: default
      conditions:
        - type: Admitted
          status: 'True'
          lastTransitionTime: '2019-12-03T21:12:26Z'
      wildcardPolicy: None
      routerCanonicalHostname: apps.vapidly.os.fyre.ibm.com

Changing the Route to reencrypt results in an "Application is not available" 502 error. It seems like the requests are not reaching the service.

(screenshot: route with reencrypt termination)


Solution

  • Edge termination means HTTP (plaintext) to the backend service, but your route goes out of its way to send HTTP to the HTTPS port (`targetPort: https`).

    Either drop the `port: targetPort: https` or use `reencrypt` termination instead of `edge`.
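The two fixes from the answer, written out as complete Route objects for the poster's two paths on one hostname. This is an added example, not part of the original question or answer, and it assumes that the Services expose a named plaintext port `http` next to `https`, that the Liberty pods accept plaintext on that port, and that the CA certificate that signed Liberty's keystore certificate is available for `destinationCACertificate`; the route names `openshift-pmi-dev-api` and `openshift-pmi-dev-ui` are invented for the example.

```yaml
# Added example (not the poster's YAML). Assumed: Services have named ports
# "http" (plaintext) and "https"; Liberty listens in plaintext on "http".
#
# Option A: edge termination. The router decrypts and forwards PLAINTEXT,
# so the target port must be the plaintext port. Pointing an edge route at
# the HTTPS port is what produced "Unrecognized SSL message, plaintext
# connection?" in the Liberty log: the TLS listener received an HTTP request.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: openshift-pmi-dev-api          # assumed name
  namespace: default
  annotations:
    haproxy.router.openshift.io/balance: roundrobin
    haproxy.router.openshift.io/hsts_header: max-age=31536000;includeSubDomains;preload
spec:
  host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
  path: /ibm/pmi/service               # longer path wins over /ibm/pmi below
  to:
    kind: Service
    name: apm-pm-api-service
  port:
    targetPort: http                   # was https; plaintext hop from router to pod
  tls:
    termination: edge
    certificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      <valid key>
      -----END RSA PRIVATE KEY-----
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
---
# Option B: reencrypt termination. The router decrypts the client's TLS and
# opens a NEW TLS connection to the pod, so targeting the HTTPS port is
# correct here. destinationCACertificate is the CA that signed Liberty's
# serving certificate; if the router cannot verify the backend certificate
# against it, the backend is marked down and clients see a 502/503.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: openshift-pmi-dev-ui           # assumed name
  namespace: default
spec:
  host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
  path: /ibm/pmi
  to:
    kind: Service
    name: apm-pm-ui-service
  port:
    targetPort: https                  # TLS hop from router to pod
  tls:
    termination: reencrypt
    certificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      <valid key>
      -----END RSA PRIVATE KEY-----
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      <valid cert>
      -----END CERTIFICATE-----
    destinationCACertificate: |
      -----BEGIN CERTIFICATE-----
      <CA that signed the Liberty keystore certificate>
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
```

The security trade-off is the one the answer implies: with edge termination the router-to-pod hop inside the cluster is unencrypted, so Liberty's own TLS configuration is bypassed for that route; with reencrypt the hop stays encrypted and the router verifies the pod's certificate, which is why the backend certificate must chain to `destinationCACertificate` (and its subject or SAN must match the name the router connects to) or the route fails exactly as described in the question.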