When the "oc new-app" command is run to deploy new applications inside a project in OpenShift and it uses a BuildConfig, it will create ImageStream objects pointing to the images created and pushed to the internal registry.
If the ImageStreams created reference the internal registry service IP address instead of its DNS name, the "oc new-app" command will access the registry using that IP:
# oc get is
NAME        DOCKER REPO                                    TAGS   UPDATED
plscoring   172.30.207.155:5000/uat-plscoring/plscoring
If the x509 certificate used by the registry does not include that IP in the SAN (Subject Alternative Name) section:
# openssl x509 -in registry.crt -text -noout
Certificate:
    Data:
        ...
        Subject: C=EN, ST=Fridonia, L=Freetown, O=Acme NV, OU=ITS/DCI, CN=registry.internal.frid.en
        ...
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:registry.internal.frid.en, DNS:docker-registry.default.svc.cluster.local, DNS:docker-registry.default.svc
When "oc new-app" tries to push the newly created image to the registry using the IP address instead of the service DNS name, the certificate is considered invalid and the following error message is shown:
error: build error: Failed to push image: Get https://172.30.207.155:5000/v1/_ping: x509: cannot validate certificate for 172.30.207.155 because it doesn't contain any IP SANs
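To see why the push fails, the following added example (not part of this article) applies the same rule the Go TLS stack uses in the error above: an IP literal is only valid against an IP SAN, a hostname only against a DNS SAN. It parses the SAN line in the shape openssl prints it and checks the registry host taken from the DOCKER REPO column; the SAN string and repository values are constructed from the output shown above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN line, copied from the shape of the "openssl x509 -text"
# output above: DNS entries only, no "IP Address:" entries.
SAN_LINE = ("DNS:registry.internal.frid.en, "
            "DNS:docker-registry.default.svc.cluster.local, "
            "DNS:docker-registry.default.svc")

def parse_san(san_line):
    """Split an openssl-style SAN line into {'DNS': [...], 'IP': [...]}."""
    sans = {"DNS": [], "IP": []}
    for entry in san_line.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "IP Address":   # openssl prints IP SANs as "IP Address:1.2.3.4"
            sans["IP"].append(value)
        elif kind == "DNS":
            sans["DNS"].append(value.lower())
    return sans

def registry_host(docker_repo):
    """Registry host from a DOCKER REPO value such as
    172.30.207.155:5000/uat-plscoring/plscoring (port and path dropped)."""
    return urlsplit("//" + docker_repo).hostname

def san_covers(san_line, host):
    """True if the certificate's SANs are valid for host: an IP literal must
    appear as an IP SAN; a DNS name must equal a DNS SAN or match a one-label
    wildcard. This is the check that fails in the error message above."""
    sans = parse_san(san_line)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in sans["IP"])
    host = host.lower()
    for pattern in sans["DNS"]:
        if pattern.startswith("*."):
            if host.count(".") == pattern.count(".") and host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False

def check_docker_repo(docker_repo, san_line=SAN_LINE):
    """Return (registry_host, ok); ok is False for the IP-based repo above."""
    host = registry_host(docker_repo)
    return host, san_covers(san_line, host)

if __name__ == "__main__":
    for repo in ("172.30.207.155:5000/uat-plscoring/plscoring",
                 "docker-registry.default.svc:5000/uat-plscoring/plscoring"):
        host, ok = check_docker_repo(repo)
        print(f"{repo}: registry {host} -> {'OK' if ok else 'no matching SAN'}")
```

Against the real certificate, `openssl x509 -noout -in registry.crt -checkip 172.30.207.155` performs the same IP-SAN check.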
- Red Hat Openshift Container Platform