Inconsistent behavior when checking custom certificates with openssl in OCP4.

Solution Verified - Updated -

Issue

Right now it seems that I can login using the right (custom) certificate. In fact, when doing the check from a master node we got the correct certificate. But when I ask for the certificate chain on the api endpoint (api.ocp4.example.com:6443) from a VM that is not part of the OCP cluster I receive a different certificate:

openssl s_client -showcerts -connect api.ocp4.example.com:6443
[...]
Certificate chain
 0 s:/CN=10.139.0.1
   i:/OU=openshift/CN=kube-apiserver-service-network-signer
[...]
 1 s:/OU=openshift/CN=kube-apiserver-service-network-signer
   i:/OU=openshift/CN=kube-apiserver-service-network-signer
[...]

Environment

OCP4 + openssl tool

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content