AIOps

Certificate problem with certificates in Watson AIOps 2.0 Event Manager on OpenShift 4.7

  • 1.  Certificate problem with certificates in Watson AIOps 2.0 Event Manager on OpenShift 4.7

    IBM Select
    Posted Wed March 31, 2021 09:35 AM
    Hi all,

    I just installed Watson AIOps 2.0 Event Manager (NOI) on an OpenShift 4.7 cluster. Everything installed really nicely (great job, IBM), but my browsers and curl tell me that the server certificates are invalid. I can get around this using the MS Edge browser, but Firefox won't let me just add an exception for the site because HSTS is being enforced.

    I have installed the ingress CA certificate, and that is seen as valid. What's not valid is the server certificate presented by the applications. Specifically, the certificate has a Subject Alternative Name (SAN) value of

    DNS_NAME=*.apps.ovv.mynet.foo

    (and I have that wildcard record correctly defined in DNS - I'm using dnsmasq on a Linux machine for my DNS and dhcp).

    However, the URL I need to access is:

    https://netcool.example-noi.apps.ovv.mynet.foo

    In researching a little, I found that a certificate with this SAN is only good for hostnames like "myhost.apps.ovv.mynet.foo", but NOT for hosts in a subdomain like "myotherhost.example-noi.apps.ovv.mynet.foo".

    Are others encountering this problem? Is this an issue with OpenShift 4.7? Is there an easy fix?

    Thanks,
    Frank

    ------------------------------
    Frank Tate
    Gulfsoft Consulting
    ------------------------------


  • 2.  RE: Certificate problem with certificates in Watson AIOps 2.0 Event Manager on OpenShift 4.7

    Posted Thu April 01, 2021 06:06 AM
    @mario schuerewegen Hi Mario, can you take a look?

    ------------------------------
    VEERAMANI NAMBI
    Offering Manager, GoToMarket - Communities
    IBM
    ------------------------------



  • 3.  RE: Certificate problem with certificates in Watson AIOps 2.0 Event Manager on OpenShift 4.7

    Posted Thu April 01, 2021 06:21 AM

    Hi Frank,
    I was just made aware of your post.

    Afraid it's a bit of a known issue.

    NOI inserts the namespace into the FQDN/hostnames as a subdomain.

    However, standard ingress certificates don't support this :-( , as you noticed.

    For normal browser activity, that is not an issue.

    But it is an issue if you need to interface (SSL) with the solution, e.g. API/REST calls.

    There are 2 solutions to this.

    1) If it is just API usage that you need, I suggest you copy the "route" that you need and remove the namespace/subdomain from the new route (a bit cumbersome if you need multiple routes...).

    2) If you need a more permanent option, I suggest you create a new ingress certificate that supports BOTH SANs:

    *.apps.ovv.mynet.foo

    *.example-noi.apps.ovv.mynet.foo

    https://docs.openshift.com/container-platform/4.1/authentication/certificates/replacing-default-ingress-certificate.html

    But this doesn't say how to create the certificate.

    But a hint could be here:

    https://www.richardwalker.dev/openshift-certificates.html

    Hope it helps.

    Mario



    ------------------------------
    mario schuerewegen
    IBM
    Brussels
    (3249) 528-1079
    ------------------------------
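
The matching rule Frank describes in post 1 and the two-SAN fix Mario suggests in post 3, as an added example that is not part of the original thread or any IBM or OpenShift code: a simplified single-label wildcard matcher (the usual RFC 6125 behaviour; real TLS libraries apply further checks) run against the hostnames quoted in this thread. The function names are chosen for this example.

```python
"""Added example: which SAN wildcards cover which route hostnames."""

def san_matches(pattern: str, hostname: str) -> bool:
    """True if one SAN dNSName entry covers hostname.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # label counts must agree
    if any("*" in label for label in p[1:]):
        return False                      # wildcard only in left-most label
    if p[0] == "*":
        return p[1:] == h[1:]             # everything after '*' is literal
    if "*" in p[0]:
        return False                      # partial wildcards (f*o) rejected here
    return p == h

def uncovered_hosts(sans, hosts):
    """Hostnames that no SAN entry in the certificate covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

def wildcard_sans_needed(hosts):
    """Smallest set of single-label wildcards that covers every hostname."""
    return sorted({"*." + h.split(".", 1)[1] for h in hosts})

# Hostnames and SAN values taken from the thread.
ROUTE_HOSTS = [
    "myhost.apps.ovv.mynet.foo",
    "netcool.example-noi.apps.ovv.mynet.foo",
    "myotherhost.example-noi.apps.ovv.mynet.foo",
]
DEFAULT_SANS = ["*.apps.ovv.mynet.foo"]
BOTH_SANS = DEFAULT_SANS + ["*.example-noi.apps.ovv.mynet.foo"]

if __name__ == "__main__":
    print("default cert misses:", uncovered_hosts(DEFAULT_SANS, ROUTE_HOSTS))
    print("two-SAN cert misses:", uncovered_hosts(BOTH_SANS, ROUTE_HOSTS))
    print("SANs to request:   ", wildcard_sans_needed(ROUTE_HOSTS))
```

Running the same check over the hostnames of every route in the cluster shows, before a replacement ingress certificate is requested, whether each namespace-prefixed route has a SAN that covers it.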



  • 4.  RE: Certificate problem with certificates in Watson AIOps 2.0 Event Manager on OpenShift 4.7

    IBM Select
    Posted Thu April 01, 2021 07:04 AM
    Edited by Frank Tate Thu April 01, 2021 07:06 AM
    Thank you very much for the quick reply, Mario. And also thank you for the link to RichardWalker.dev. Now the problem is documented, so hopefully it won't be too painful for the next person.

    ------------------------------
    Frank Tate
    Gulfsoft Consulting
    ------------------------------