Error: Requested host www.example.com was rejected by the router on RHOCP Console
Environment
- Red Hat OpenShift Container Platform (RHOCP)
- 3
- 4
Issue
- Getting the following error on the OCP console
The requested host www.example.com was rejected by the router. Reason: - spec.tls.key: Invalid value: "redacted key data": tls: failed to find PEM block with type ending in "PRIVATE KEY" in key input after skipping PEM blocks of the following types: [CERTIFICATE CERTIFICATE].
- An authentication POD is crashlooping with the error log:
2022-04-06T00:08:50.632680055Z I0406 00:08:50.630161 1 dynamic_serving_content.go:111] Loaded a new cert/key pair for "serving-cert::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.crt::/var/config/system/secrets/v4-0-config-system-serving-cert/tls.key"
2022-04-06T00:08:50.632680055Z F0406 00:08:50.630572 1 cmd.go:49] failed to load SNI cert and key: tls: failed to find PEM block with type ending in "PRIVATE KEY" in key input after skipping PEM blocks of the following types: [CERTIFICATE CERTIFICATE]
Resolution
- Check the SSL certificate format applied to the route.
- Certificate and Key must start and end in the proper PEM format.
- PEM files use ASCII encoding, so you can open them in any text editor such as Notepad, MS Word, etc. Each certificate in the PEM file is contained between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements. The private key is contained between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements. The CSR is contained between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- statements.
- Apply the new certificates again.
Root Cause
This issue is usually caused by storing the TLS key in the secret in the wrong format.
RHOCP is sensitive to any additional space or newline in the secret value.
Diagnostic Steps
For the authentication POD issue, the log message just before the Fatal message identifies the related secret (usually v4-0-config-system-serving-cert). Verify this secret to ensure that no additional, undesired characters are included in the key:
$ oc get secret -n openshift-authentication v4-0-config-system-serving-cert -o json | jq -r '.data."tls.key"' | base64 -d | cat -A
-----BEGIN RSA PRIVATE KEY-----$
MIIEowIBAAKCAQEAvnT9ucKVMJdb8DuMueLtYcLpzZr3firRamIkhgAK8H1LBmYu$
[... Omitted data ...]
3hSZXYiW5qP4wZHfWxoQQ89ebBuHsN9OwWzvHGjlGhglqt/vASpA$
-----END RSA PRIVATE KEY-----$
The PRIVATE KEY header and footer should be present, all lines should end with a $ sign, and no extra empty line should be displayed.
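As an added Go example (not part of this article or of any OpenShift component), the program below reproduces the load step that the router and the authentication operator perform with Go's crypto/tls, which is where the quoted error text originates: a correct tls.crt/tls.key pair passes, while a tls.key field that contains the certificate chain instead of the key yields exactly the message from the issue. The certificate and key are generated in-process as throwaway demo data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckPair runs the same check the router and the authentication operator run
// when loading a TLS secret (crypto/tls.X509KeyPair) and returns its error, if any.
func CheckPair(certPEM, keyPEM []byte) error {
	_, err := tls.X509KeyPair(certPEM, keyPEM)
	return err
}

// SelfSignedPair builds a throwaway certificate and key (constructed demo data).
func SelfSignedPair() (certPEM, keyPEM []byte) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM
}

func main() {
	cert, key := SelfSignedPair()
	fmt.Println("tls.crt=chain, tls.key=key:", CheckPair(cert, key)) // <nil>
	// The article's mistake: a two-certificate chain pasted into tls.key.
	chain := append(append([]byte{}, cert...), cert...)
	fmt.Println("tls.crt=chain, tls.key=chain:", CheckPair(cert, chain))
}
```

Run it before applying a route or serving-cert secret; the second line prints the "[CERTIFICATE CERTIFICATE]" error seen in the pod log, so the secret can be corrected before the router or the authentication pod ever loads it.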
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.