Configure named certificate for web console in OCP 3

Resolution

The values for openshift_master_cluster_public_hostname and openshift_master_cluster_hostname must be different to configure the named certificates for web-console otherwise the named certificates will fail.

During OCP deployment

• Add this variable to the inventory.

  openshift_master_named_certificates=[{"certfile": "/path/to/certificate.crt", "keyfile": "/path/to/key.key", "names": ["public.hostname.com"], "cafile": "/path/to/custom-ca.crt"}]
  

  • The names option in the above variable must contain the same value to that of openshift_master_cluster_public_hostname.

  • After the deployment, check /etc/origin/master/master-config.yaml file on all master nodes contains the correct configuration under servingInfo section as per the documentation.

  • If it is not, then do it manually on all the master nodes and restart the API and controllers as well.

  # /usr/local/bin/master-restart api
  # /usr/local/bin/master-restart controllers
  

After OCP deployment

• Configure the certificates after deployment.

  • Create a directory named_certificates on all the master nodes.

  # mkdir /etc/origin/master/named_certificates/
  

  • Copy the named certificate and key file to that new directory.

  # cp named-cert.crt named-key.key /etc/origin/master/named_certificates/
  

  • Make the required configuration changes under servingInfo section in /etc/origin/master/master-config.yaml file on all master nodes as per the documentation.

  • Append the CA certificate content of named certificates to the file /etc/origin/master/ca-bundle.crt on all the master nodes.

  # cat named-ca.crt >> /etc/origin/master/ca-bundle.crt
  

  • Restart the API and controllers on all the master nodes.

  # /usr/local/bin/master-restart api
  # /usr/local/bin/master-restart controllers