How do I provide my certificate chain to my OpenShift Online application?

Solution Verified - Updated -

Environment

  • OpenShift Online

Issue

  • I have created an application and OpenShift SSL certificate and this works, however my customers are reporting that they do not trust the SSL connection.
  • Why do we get the SSL error ERR_CERT_AUTHORITY_INVALID on some devices when accessing an application deployed on OpenShift?
  • Why do we get the error sec_error_unknown_issuer in Firefox when accessing an application deployed on OpenShift?
  • SSL certificate error in OpenShift
  • I am having trouble with my custom SSL cert and Firefox browsers. I added the custom SSL cert and built the trust bundle, but essentially my site is reporting the error in this Comodo knowledge base article
  • Problem with my SSL certificate.

Resolution

  • You can provide a certificate chain and certificate file by concatenating your bundle file with your certificate file to create a unified bundle. This is done by copying all of the contents from your chain file and pasting them directly below the -----END CERTIFICATE----- line in your certificate.

    • You will often end up with 3 certificates in a single file layered as follows:
      • Certificate, Intermediary Certificate, Root Certificate.

Steps:

  • Remove the certificate and key currently associated with your alias:
    rhc alias-delete-cert <application> <alias>
  • Combine your Certificate, Intermediary Certificate, and Root Certificate:
    1. Open your certificate and issuer chain file in a text editor.
    2. Copy all of the contents from your chain file and paste them directly below the -----END CERTIFICATE----- line in your certificate.
    3. Save the certificate file. It is best to keep the chain in the following order:
      • Certificate -> Intermediary Certificate -> Root Certificate
    4. Upload this file as the certificate, following Knowledge Base Article 397413:
       rhc alias-update-cert <application> <alias> --certificate FILE --private-key FILE [--passphrase PASSPHRASE]
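
The combine step can also be scripted instead of done in a text editor. The following is an added example, not part of the original article or of the rhc tooling: it builds the unified bundle in the Certificate -> Intermediary Certificate -> Root Certificate order by matching each certificate's issuer name to the subject name of the next one, and rejects input that contains a private key, since rhc expects the key in a separate file. It checks name chaining only, not signatures, and the function names are hypothetical.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    _, p, _ = tlv(der, 0)                      # Certificate SEQUENCE
    _, p, _ = tlv(der, p)                      # tbsCertificate SEQUENCE
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                            # optional [0] version field
        p = end
    fields = []
    for _field in range(5):                    # serial, sigAlg, issuer, validity, subject
        _, _, end = tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[4], fields[2]

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def order_bundle(cert_pem, chain_pem):
    """Return one PEM bundle ordered certificate -> intermediates -> root."""
    text = cert_pem + "\n" + chain_pem
    rest = [base64.b64decode(b) for b in PEM_RE.findall(text)]
    if "PRIVATE KEY" in text or not rest:      # the key goes in its own file
        raise ValueError("expected certificates only, with the key kept separate")
    ordered = [rest.pop(0)]                    # first block is the site certificate
    while rest:
        issuer = names(ordered[-1])[1]
        nxt = next((d for d in rest if names(d)[0] == issuer), None)
        if nxt is None:
            raise ValueError("chain gap after certificate #%d" % len(ordered))
        rest.remove(nxt)
        ordered.append(nxt)
    return "".join(to_pem(d) for d in ordered)

if __name__ == "__main__":                     # usage: script.py CERT CHAIN > bundle.pem
    sys.stdout.write(order_bundle(*(open(p).read() for p in sys.argv[1:3])))
```

A "chain gap" error means the chain file is missing the issuer of the certificate at that position, which is the condition that produces the untrusted-issuer errors listed under Issue.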

Root Cause

  • The help documentation for rhc alias update-cert states the following:
    # rhc alias update-cert -h
    Usage: rhc alias-update-cert <application> <alias> --certificate FILE --private-key FILE [--passphrase PASSPHRASE]

    Add or update the SSL certificate for your custom domain alias to allow secure HTTPS communication with your app.

    Certificate files must be Base64 PEM-encoded and typically have a .crt or .pem extension. You may combine multiple certificates and certificate chains in a single file. 
    The RSA or DSA private key must always be provided in a separate file.

    Pass phrase for the certificate private key is required if the provided private key is encrypted.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
