Inconsistent behavior when checking custom certificates with openssl in OCP4.
Issue
Right now it seems that I can login using the right (custom) certificate. In fact, when doing the check from a master node we got the correct certificate. But when I ask for the certificate chain on the api endpoint (api.ocp4.example.com:6443) from a VM that is not part of the OCP cluster I receive a different certificate:
openssl s_client -showcerts -connect api.ocp4.example.com:6443
[...]
Certificate chain
0 s:/CN=10.139.0.1
i:/OU=openshift/CN=kube-apiserver-service-network-signer
[...]
1 s:/OU=openshift/CN=kube-apiserver-service-network-signer
i:/OU=openshift/CN=kube-apiserver-service-network-signer
[...]
Environment
OCP4 + openssl tool
Subscriber exclusive content
A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.