"oc new-app" command fails with the message: Failed to push image: Get https://172.30.207.155:5000/v1/_ping: x509: cannot validate certificate for 172.30.207.155 because it doesn't contain any IP SANs
Issue
When the "oc new-app" command is run to deploy new applications inside a project in OpenShift and it uses a BuildConfig, it will create ImageStream objects pointing to the images created and pushed to the internal registry.
If the ImageStreams created reference the internal registry service IP address instead of its DNS name, the "oc new-app" command will access the registry using that IP:
# oc get is
NAME        DOCKER REPO                                   TAGS      UPDATED
plscoring   172.30.207.155:5000/uat-plscoring/plscoring
The problem occurs if the x509 certificate used by the registry does not include that IP in the SAN (Subject Alternative Name) section:
# openssl x509 -in registry.crt -text -noout
Certificate:
    Data:
        ...
        Subject: C=EN, ST=Fridonia, L=Freetown, O=Acme NV, OU=ITS/DCI, CN=registry.internal.frid.en
        ...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:registry.internal.frid.en, DNS:docker-registry.default.svc.cluster.local, DNS:docker-registry.default.svc
When "oc new-app" tries to push the newly created image to the registry using the IP address instead of the service DNS name, the certificate is considered invalid and the following error message is shown:
error: build error: Failed to push image: Get https://172.30.207.155:5000/v1/_ping: x509: cannot validate certificate for 172.30.207.155 because it doesn't contain any IP SANs
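The check that fails here can be reproduced offline from the two outputs shown above. The following is an added example, not part of the original article or of OpenShift: it parses the SAN line printed by openssl and tests it against the registry host taken from the DOCKER REPO column. The function names are hypothetical and the inputs are copied from the outputs above.

```python
import ipaddress

# Constructed inputs, copied from the "oc get is" and openssl outputs above.
SAN_LINE = ("DNS:registry.internal.frid.en, "
            "DNS:docker-registry.default.svc.cluster.local, "
            "DNS:docker-registry.default.svc")
DOCKER_REPO = "172.30.207.155:5000/uat-plscoring/plscoring"

def parse_san(line):
    """Split an openssl 'Subject Alternative Name' line into DNS and IP sets."""
    dns, ips = set(), set()
    for entry in line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.add(value.lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value))
    return dns, ips

def registry_host(repo):
    """Return the host part of a 'host:port/namespace/name' reference."""
    hostport = repo.split("/", 1)[0]
    if hostport.startswith("["):  # bracketed IPv6 literal
        return hostport[1:hostport.index("]")]
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport

def san_covers(line, host):
    """TLS client rule: an IP host is matched only against IP SANs, a DNS
    name only against DNS SANs (leftmost-label wildcard allowed)."""
    dns, ips = parse_san(line)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        if not ips:
            return False, "certificate contains no IP SANs"
        return addr in ips, "IP SAN " + ("match" if addr in ips else "mismatch")
    name = host.lower().rstrip(".")
    for pattern in dns:
        if pattern == name:
            return True, "DNS SAN match"
        if pattern.startswith("*.") and name.split(".", 1)[1:] == [pattern[2:]]:
            return True, "DNS SAN wildcard match"
    return False, "no DNS SAN matches"

if __name__ == "__main__":
    print(san_covers(SAN_LINE, registry_host(DOCKER_REPO)))
    print(san_covers(SAN_LINE, "docker-registry.default.svc"))
```

Against the real certificate file, "openssl x509 -in registry.crt -noout -checkip 172.30.207.155" and the matching -checkhost option perform the same test.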
Environment
- Red Hat OpenShift Container Platform
  - 3.7