Configure named certificate for web console in OCP 3


Environment

  • Red Hat OpenShift Container Platform (OCP)
    • 3.11.x

Issue

  • Configure custom certificate for web-console during deployment.
  • Custom certificate for web-console after deployment.

Resolution

To configure named certificates for the web console, the values of openshift_master_cluster_public_hostname and openshift_master_cluster_hostname must be different; if they are the same, the named certificates will fail.

During OCP deployment

  • Add this variable to the inventory.

    openshift_master_named_certificates=[{"certfile": "/path/to/certificate.crt", "keyfile": "/path/to/key.key", "names": ["public.hostname.com"], "cafile": "/path/to/custom-ca.crt"}]
    
    • The names option in the above variable must contain the same value as openshift_master_cluster_public_hostname.

    • After the deployment, check that the /etc/origin/master/master-config.yaml file on all master nodes contains the correct configuration under the servingInfo section as per the documentation.

    • If it does not, add the configuration manually on all the master nodes and restart the API and controllers as well.

    # /usr/local/bin/master-restart api
    # /usr/local/bin/master-restart controllers
    

After OCP deployment

  • Configure the certificates after deployment.

    • Create a directory named_certificates on all the master nodes.
    # mkdir /etc/origin/master/named_certificates/
    
    • Copy the named certificate and key file to that new directory.
    # cp named-cert.crt named-key.key /etc/origin/master/named_certificates/
    
    • Make the required configuration changes under the servingInfo section in the /etc/origin/master/master-config.yaml file on all master nodes as per the documentation.

    • Append the CA certificate content of named certificates to the file /etc/origin/master/ca-bundle.crt on all the master nodes.

    # cat named-ca.crt >> /etc/origin/master/ca-bundle.crt
    
    • Restart the API and controllers on all the master nodes.
    # /usr/local/bin/master-restart api
    # /usr/local/bin/master-restart controllers
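
As an added example that is not part of the original article, the following POSIX shell script checks the preconditions of both procedures above before a named certificate is wired into master-config.yaml: that the public and cluster hostnames differ, that the certificate and key belong together, and that the certificate carries the public hostname as a DNS subject alternative name. It then prints the namedCertificates fragment for the servingInfo section in the form the OCP 3 documentation describes. The self-signed certificate it generates is constructed for the demo only; the script assumes OpenSSL 1.1.1 or later in PATH, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Assumes OpenSSL 1.1.1+ in PATH.
# Validates a named certificate for the OCP 3 web console and renders the
# servingInfo.namedCertificates fragment for /etc/origin/master/master-config.yaml.

# Returns 0 when the public and cluster hostnames are set and differ
# (the article's precondition for named certificates to work).
hostnames_differ() {
  [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Returns 0 when the certificate's public key equals the key's public key,
# i.e. the certificate and private key form a pair.
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
  key_pub=$(openssl pkey -pubout -in "$2") || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate lists the hostname as a DNS SAN entry.
cert_covers_name() {
  openssl x509 -noout -text -in "$1" \
    | grep 'DNS:' | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF "DNS:$2"
}

# Prints the YAML fragment that goes under servingInfo in master-config.yaml.
render_serving_info() {
  cat <<EOF
servingInfo:
  namedCertificates:
  - certFile: $1
    keyFile: $2
    names:
    - "$3"
EOF
}

# Runs every check; prints each failure to stderr and returns non-zero if any failed.
# Arguments: cert key public_hostname cluster_hostname
check_named_cert() {
  cert=$1; key=$2; public=$3; cluster=$4; rc=0
  if ! hostnames_differ "$public" "$cluster"; then
    echo "public hostname must differ from cluster hostname ($public)" >&2; rc=1
  fi
  if ! cert_matches_key "$cert" "$key"; then
    echo "certificate and key do not match" >&2; rc=1
  fi
  if ! cert_covers_name "$cert" "$public"; then
    echo "certificate has no DNS SAN for $public" >&2; rc=1
  fi
  return $rc
}

# Constructed demo data: a throwaway self-signed certificate for the given hostname.
# Arguments: output_dir hostname
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/named-key.key" -out "$1/named-cert.crt" 2>/dev/null
}

# Demo: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_demo_cert "$dir" public.hostname.com
  if check_named_cert "$dir/named-cert.crt" "$dir/named-key.key" \
       public.hostname.com internal.hostname.com; then
    render_serving_info /etc/origin/master/named_certificates/named-cert.crt \
      /etc/origin/master/named_certificates/named-key.key public.hostname.com
  fi
  rm -rf "$dir"
fi
```

Run it with `sh check-named-cert.sh demo` to see the checks pass and the fragment printed; to validate a real certificate, call check_named_cert with the certificate, key, and the two inventory hostnames. The public-key comparison is used rather than an RSA modulus comparison so the same check works for EC keys.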
    

Root Cause

  • The openshift_master_cluster_public_hostname and openshift_master_cluster_hostname values are the same.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.