"oc new-app" command fails with the message: Failed to push image: Get https://172.30.207.155:5000/v1/_ping: x509: cannot validate certificate for 172.30.207.155 because it doesn't contain any IP SANs

Solution Verified - Updated -

Issue

When the "oc new-app" command is run to deploy new applications inside a project in OpenShift and it uses a BuildConfig, it will create ImageStream objects pointing to the images created and pushed to the internal registry.

If the ImageStreams created reference the internal registry service IP address instead of its DNS name, the "oc new-app" command will access the registry using that IP:

# oc get is
NAME        DOCKER REPO                                   TAGS      UPDATED
plscoring   172.30.207.155:5000/uat-plscoring/plscoring

The problem occurs if the x509 certificate used by the registry does not include that IP in the SAN (Subject Alternative Name) section, as in this example:

# openssl x509 -in registry.crt -text -noout
Certificate:
    Data:
...
        Subject: C=EN, ST=Fridonia, L=Freetown, O=Acme NV, OU=ITS/DCI, CN=registry.internal.frid.en
...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:registry.internal.frid.en, DNS:docker-registry.default.svc.cluster.local, DNS:docker-registry.default.svc

When "oc new-app" tries to push the newly created image to the registry using the IP address instead of the service DNS name, the certificate is considered invalid and the following error message is shown:

error: build error: Failed to push image: Get https://172.30.207.155:5000/v1/_ping: x509: cannot validate certificate for 172.30.207.155 because it doesn't contain any IP SANs
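
The check described above can be run ahead of a build. The following is an added example, not part of the original solution or of OpenShift: it parses the SAN line of "openssl x509 -text -noout" output and reports whether the host in an ImageStream's DOCKER REPO value is covered, using the rule that an IP address is only compared with IP SANs. The function names and the embedded sample text are assumptions built from the values shown on this page.

```python
import ipaddress
import re

# Constructed sample: SAN section in the shape printed by
# `openssl x509 -text -noout`, using the names shown on this page.
SAMPLE = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:registry.internal.frid.en, DNS:docker-registry.default.svc.cluster.local, DNS:docker-registry.default.svc
"""

def parse_sans(text):
    """Return (dns_names, ip_addresses) found in openssl text output."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    dns, ips = [], []
    if m:
        for entry in m.group(1).split(","):
            kind, _, value = entry.strip().partition(":")
            if kind == "DNS":
                dns.append(value.lower())
            elif kind == "IP Address":
                ips.append(ipaddress.ip_address(value))
    return dns, ips

def dns_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def registry_host_covered(host, text):
    """True if `host` is listed in the certificate's SANs."""
    dns, ips = parse_sans(text)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: compare against the DNS SANs.
        return any(dns_matches(p, host.lower().rstrip(".")) for p in dns)
    # An IP literal is only compared with IP SANs; DNS SANs are ignored.
    return addr in ips

def check_image_repo(repo, text):
    """Check the host of a DOCKER REPO value (host:port/namespace/name)."""
    host = repo.split("/", 1)[0].rsplit(":", 1)[0]  # IPv4 or DNS name only
    return host, registry_host_covered(host, text)

if __name__ == "__main__":
    # DOCKER REPO value from the `oc get is` output on this page.
    print(check_image_repo("172.30.207.155:5000/uat-plscoring/plscoring", SAMPLE))
```

For the certificate shown above this reports that 172.30.207.155 is not covered, while a repository reference using one of the listed DNS names is.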

Environment

  • Red Hat OpenShift Container Platform
    • 3.7
