openshift-acme

caCertificate not removed/updated (ExtendedValidationFailed)

Open pgerber opened this issue 7 years ago • 9 comments

I enabled kubernetes.io/tls-acme on a route that so far used a non-ACME certificate. Doing so, however, resulted in an ExtendedValidationFailed error.

As far as I can tell, this is caused by the fact that, for the old cert, spec.tls.caCertificate was set to the certificate authority. When openshift-acme issues a certificate, however, it includes the CA cert in spec.tls.certificate. This causes, rightfully, a validation error since there are now two CA certs in the chain. I believe openshift-acme should either a) remove spec.tls.caCertificate if it exists or b) move the CA cert from spec.tls.certificate to spec.tls.caCertificate.

Route before enabling ACME:

$ oc get route nice -o yaml    
apiVersion: v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/timeout: 15m
    kubernetes.io/tls-acme: "false"
  creationTimestamp: 2018-01-30T12:37:52Z
  labels:
    app: nginx
  name: nice
  namespace: toco-nice-k5bs
  resourceVersion: "156537327"
  selfLink: /oapi/v1/namespaces/toco-nice-k5bs/routes/nice
  uid: 63890d86-05ba-11e8-9d6f-fa163ec9e279
spec:
  host: k5bs.tocco.ch
  port:
    targetPort: 80-tcp
  tls:
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
      A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
      b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
      MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
      YWxTaWduIG52LXNhMSIwIAYDVQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcy
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gHs5OxzYPt+j2q3xhfj
      kmQy1KwA2aIPue3ua4qGypJn2XTXXUcCPI9A1p5tFM3D2ik5pw8FCmiiZhoexLKL
      dljlq10dj0CzOYvvHoN9ItDjqQAu7FPPYhmFRChMwCfLew7sEGQAEKQFzKByvkFs
      MVtI5LHsuSPrVU3QfWJKpbSlpFmFxSWRpv6mCZ8GEG2PgQxkQF5zAJrgLmWYVBAA
      cJjI4e00X9icxw3A1iNZRfz+VXqG7pRgIvGu0eZVRvaZxRsIdF+ssGSEj4k4HKGn
      kCFPAm694GFn1PhChw8K98kEbSqpL+9Cpd/do1PbmB6B+Zpye1reTz5/olig4het
      ZwIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
      AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOgYE
      VR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hbHBoYXNzbC5jb20vcmVw
      b3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWdu
      Lm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6
      Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAfBgNVHSMEGDAWgBRge2YaRQ2X
      yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQsFAAOCAQEAYEBoFkfnFo3bXKFWKsv0
      XJuwHqJL9csCP/gLofKnQtS3TOvjZoDzJUN4LhsXVgdSGMvRqOzm+3M+pGKMgLTS
      xRJzo9P6Aji+Yz2EuJnB8br3n8NA0VgYU8Fi3a8YQn80TsVD1XGwMADH45CuP1eG
      l87qDBKOInDjZqdUfy4oy9RU0LMeYmcI+Sfhy+NmuCQbiWqJRGXy2UzSWByMTsCV
      odTvZy84IOgu/5ZR8LrYPZJwR2UcnnNytGAMXOLRc3bgr07i5TelRS+KIz6HxzDm
      MTh89N1SyvNTBCVXVmaU6Avu5gMUTu79bZRknl7OedSyps9AsUSoPocZXun4IRZZUw==
      -----END CERTIFICATE-----
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIHQjCCBiqgAwIBAgIMNiLPbxmGVkUgGt8qMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
      BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
      bHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE2MDkwNzA5MDQ1NloXDTE5MDkw
      ODA5MDQ1NlowODEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRMw
      EQYDVQQDDAoqLnRvY2NvLmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
      AQEAyxzBBSIASSMaALvIv1MSt1CjZs01tCFUSQHPM0auRxFfPaUJrD0xNQbLY6wX
      CQkHV9TKNjmxrXTKj4vJdq7XUGtB445dOKHvAUr5fQw3YVaHRbAUA6LaKGOO8M7o
      mzdBtQnaLFKwZKCAH3VjxGXd51h5LHUNA//0uwDqNq+KeKXrfHbmHw1jF4i8aLcF
      3KIQaSQVV7jdcVNerkFieIglmBhM90KswTIuB3rQ8yyWqAsaXUXsUJQyzQ04lhHh
      OzkbzekNEj2/BTWjh9k/NIoYsDMFlUnJkWwLxhjByuGNIaKqHy1ViaPeZhuVmzLk
      qhwc+p5dxc5kyWFZYaakQW6zUQIDAQABo4IENjCCBDIwDgYDVR0PAQH/BAQDAgWg
      MIGJBggrBgEFBQcBAQR9MHswQgYIKwYBBQUHMAKGNmh0dHA6Ly9zZWN1cmUyLmFs
      cGhhc3NsLmNvbS9jYWNlcnQvZ3NhbHBoYXNoYTJnMnIxLmNydDA1BggrBgEFBQcw
      AYYpaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL2dzYWxwaGFzaGEyZzIwVwYD
      VR0gBFAwTjBCBgorBgEEAaAyAQoKMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3
      Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATAJBgNVHRMEAjAA
      MD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9jcmwyLmFscGhhc3NsLmNvbS9ncy9n
      c2FscGhhc2hhMmcyLmNybDAfBgNVHREEGDAWggoqLnRvY2NvLmNoggh0b2Njby5j
      aDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFBKfZeVA
      FDywmENZmnN1NNel10aBMB8GA1UdIwQYMBaAFPXN1TwIUPlqTzq3l9pWg+Zp0mj3
      MIICbgYKKwYBBAHWeQIEAgSCAl4EggJaAlgAdgBo9pj4H2SCvjqM7rkoHUz8cVFd
      Z5PURNEKZ6y7T0/7xAAAAVcD5KUPAAAEAwBHMEUCIB0C0PO45BYFp6KbLzWCn7zE
      QQuzRZ8HLAF64GEKTNmVAiEA8ZkJRkIcn7o7p5uWdlRLvuV4WMdXa6sQea67On4q
      zCwAdQCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVcD5KruAAAE
      AwBGMEQCIChezhVnCHcP2yDy0HKhsIio+fBZDTK5McXGHb0/tY+KAiAOK61xBB/r
      ju3LOddJqSIqQBQTb5U1QspB/863ARuriQB2AO5Lvbd1zmC64UJpH6vhnmajD35f
      sHLYgwDEe4l6qP3LAAABVwPks+QAAAQDAEcwRQIgYp4HFGFgq3trEdm5y0UTICFj
      F5aufsA+1NCPzHH+M8gCIQDAg+iHhhlvPf/U71CVbLUa91qlOw04KjpZbSfUUFcu
      6QB2AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABVwPkuJQAAAQD
      AEcwRQIhAKtgtqC5ryNbTKd4g0jVd23nu6/SfdYpSeQqEKi6lXDBAiBVk96zfXPA
      sjuH74sBJ/7EICHILu0O1ekyI3li+c79mwB3AFYUBpov18Ls0/XhvUSyPsdGdrm8
      mRFcwO+UmFXWidDdAAABVwPkvGQAAAQDAEgwRgIhAPnGQy0lMxa9zBq+uWaN0oL3
      sLJTCMfIdxiIzwKTH2alAiEA04vYgYP1hazfGsZ5nt24XpGpKnem/Vf+jj/JmHIG
      q10wDQYJKoZIhvcNAQELBQADggEBAG3v7ptCmQUvMfcY5v2sFE6vOsZPw0DJ9xFH
      MwEbXRkMq8iGEPNdB8Aqnrz1KzwbosFNIGXA78TW6Zkw6M3ZJkQAdc1JrGDcosgz
      eieVzslUBoJ6fqN5NGUDLhIHYQaHKa2fzg8kppNbKTx5wGxooa5Vqlv7sLYVCjMB
      FFVbfa2PHCaVOX9PxZbzp7pcWVtpJ8YtgyH8XbY6weXp9NBUaOy5WNbO4XTU9PqQ
      4PYvKk+p8Lf4sCPATKmv2FOSKoSBkj77kBCiGYpEMBHvry1qZG8VDFAFgO2kvx8L
      tJnklfzEwjpklyzZCnx/DeayZE3fmQ0l3INoV4Wvjv5LgS6s+Hg=
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
    key: |
      -----BEGIN PRIVATE KEY-----
      …
      -----END PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: nice
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2018-01-30T12:37:52Z
      status: "True"
      type: Admitted
    host: k5bs.tocco.ch
    routerName: router
    wildcardPolicy: None

Route after enabling ACME:

$ oc get route nice -o yaml
apiVersion: v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/timeout: 15m
    kubernetes.io/tls-acme: "true"
    kubernetes.io/tls-acme-awaiting-authorization-owner: https://acme-v01.api.letsencrypt.org/acme/reg/31528540
  creationTimestamp: 2018-01-30T12:37:52Z
  labels:
    app: nginx
  name: nice
  namespace: toco-nice-k5bs
  resourceVersion: "164578257"
  selfLink: /oapi/v1/namespaces/toco-nice-k5bs/routes/nice
  uid: 63890d86-05ba-11e8-9d6f-fa163ec9e279
spec:
  host: k5bs.tocco.ch
  port:
    targetPort: 80-tcp
  tls:
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
      A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
      b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
      MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
      YWxTaWduIG52LXNhMSIwIAYDVQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcy
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gHs5OxzYPt+j2q3xhfj
      kmQy1KwA2aIPue3ua4qGypJn2XTXXUcCPI9A1p5tFM3D2ik5pw8FCmiiZhoexLKL
      dljlq10dj0CzOYvvHoN9ItDjqQAu7FPPYhmFRChMwCfLew7sEGQAEKQFzKByvkFs
      MVtI5LHsuSPrVU3QfWJKpbSlpFmFxSWRpv6mCZ8GEG2PgQxkQF5zAJrgLmWYVBAA
      cJjI4e00X9icxw3A1iNZRfz+VXqG7pRgIvGu0eZVRvaZxRsIdF+ssGSEj4k4HKGn
      kCFPAm694GFn1PhChw8K98kEbSqpL+9Cpd/do1PbmB6B+Zpye1reTz5/olig4het
      ZwIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
      AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOgYE
      VR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hbHBoYXNzbC5jb20vcmVw
      b3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWdu
      Lm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6
      Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAfBgNVHSMEGDAWgBRge2YaRQ2X
      yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQsFAAOCAQEAYEBoFkfnFo3bXKFWKsv0
      XJuwHqJL9csCP/gLofKnQtS3TOvjZoDzJUN4LhsXVgdSGMvRqOzm+3M+pGKMgLTS
      xRJzo9P6Aji+Yz2EuJnB8br3n8NA0VgYU8Fi3a8YQn80TsVD1XGwMADH45CuP1eG
      l87qDBKOInDjZqdUfy4oy9RU0LMeYmcI+Sfhy+NmuCQbiWqJRGXy2UzSWByMTsCV
      odTvZy84IOgu/5ZR8LrYPZJwR2UcnnNytGAMXOLRc3bgr07i5TelRS+KIz6HxzDm
      MTh89N1SyvNTBCVXVmaU6Avu5gMUTu79bZRknl7OedSyps9AsUSoPocZXun4IRZZUw==
      -----END CERTIFICATE-----
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIHBjCCBe6gAwIBAgISA1Vc/rWFC4cKKyIJ2Y/PHFJwMA0GCSqGSIb3DQEBCwUA
      MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
      ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA0MjQxMTA5NDFaFw0x
      ODA3MjMxMTA5NDFaMBgxFjAUBgNVBAMTDWs1YnMudG9jY28uY2gwggIiMA0GCSqG
      SIb3DQEBAQUAA4ICDwAwggIKAoICAQC6t/xTGDeaqtM+2EDBRNo4ypfGw56IMIae
      CzgUuoKanXhFX6W8YfATG73L7AjwKS32s/SuBrfSTBOgLJkLTXzb+Nc4Wli8usrI
      fkaEcOOS949BDvIzTkGnQeba0t7xiwr991JFq4xlu/OKO588npHLdmb2IBuvDr7H
      GPSEuTocjdsTW0TrzwPJjH6ulH/XxthWYQP2ZCBg1n9kn/Bp7YcpkIZMGfqR0ix1
      bPvwosioNNv/KbmSFjA7o0biKZBaTdKO6UuQHbNlIs1gLlyJjnG6MiABM6TZaHBK
      pruH84rD5H5S7BVXkHOyVKNBaO+yQ8WDRioTOICpcCJl9v76a65Ep8dTefnxYGZV
      CiKotRuQc+gd90btWxwtIpOGFpEKe7azTTpmqv3ZNQpnxtfQrewI69+V1RY3rOIl
      zIx4cSHnJFn0MTrwhNfzoUL//o/djSg+4CuN6clKU2v1dq5VUpP21i2Pw7lBr8ZE
      m4o7ZIE10WWMD/S8Lc7bBEIZA8+gLJWIuI9l/tFGrCqA+SI+WaES93YVMbK0sPCm
      SxuKzYrkaR9F+wNsdr4PiEp3XmsV+YVWx+fJe89OfCbreylOZLmVX7IqNoWYzBlo
      N7WTOy5g3NFwL8pBoiIVHCh1ketywo0wVJrX+Po8yabWDEFeCiWGdcOu2QAPshO1
      cjvSPMqQIwIDAQABo4IDFjCCAxIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
      CCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR85T26
      UoNeNo2jtB8mQO6ON0mltTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86js
      oTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14
      My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14
      My5sZXRzZW5jcnlwdC5vcmcvMBgGA1UdEQQRMA+CDWs1YnMudG9jY28uY2gwgf4G
      A1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUF
      BwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4M
      gZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJl
      bHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENl
      cnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9y
      Zy9yZXBvc2l0b3J5LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3ANt0r+7LKeyx
      /so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYvePOegAAAQDAEgwRgIhAIB3wPid
      0RXxrCcKSxMWNTyoB42O/P06ZBj1jVLQ89hhAiEA9W3u+5Ns2vLrl5lCDDebbsm6
      g89CRY4gGUunGMnpIaIAdgApPFGWVMg5ZbqqUPxYB9S3b79Yeily3KTDDPTlRUf0
      eAAAAWL3jzoNAAAEAwBHMEUCIHdcLMGAEIqaaE6pHP0GXHvKg4B3HuuqXTQ6xS7d
      M+l0AiEAjsY+2+8i7XlcEEnrPX3hKaCRYoEdOShnqqkGSNz2RyEwDQYJKoZIhvcN
      AQELBQADggEBAFvevOxb3gRar3XpMOip+0muXP7O5rd30M1DPoHa0CVzndQNbIfg
      rC7BmYOd+m0LZM+TBM7OPxfUVYT5n2DA9LBfyHmLudnkVhQjnErPMfGlD7R6bZkt
      dNvjFiiAAbzLlMaUnZSSfjjFKijLZk1ALix5sNL/Ogamxf9Se7IfesdKeEHzpULb
      WPFQuv/OWwGlRFUtQ3ZAfg8MxpDJ4b0HOPpxAzGn84hjOSK1xJMwT5n637+82Xby
      cjQR3rrj1egveeLYBpendaVb89h/IX2LjYyreRqm8AX+1JHvFojHmZDi6qXOhjTS
      +GAMI8D01lmtRloV1+2Hynh8+0+jPDMiSsk=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
      MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
      DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
      SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
      GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
      AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
      q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
      SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
      Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
      a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
      /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
      AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
      CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
      bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
      c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
      VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
      ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
      MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
      Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
      AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
      uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
      wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
      X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
      PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
      KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      …
      -----END RSA PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: nice
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2018-04-24T12:09:42Z
      message: |2-

          - spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority
      reason: ExtendedValidationFailed
      status: "False"
      type: Admitted
    host: k5bs.tocco.ch
    routerName: router
    wildcardPolicy: None

pgerber • Apr 24 '18 12:04

Removing the old caCertificate seems reasonable.

Could you try to remove it manually and confirm that fixes the issue? (I can follow up with a PR if that's confirmed.)

tnozicka • Apr 24 '18 14:04

Yes, I can confirm that manually removing caCertificate resolves the issue.

pgerber • Apr 24 '18 14:04
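The mismatch discussed in this thread can be detected before the router rejects the route. The Go sketch below is an added example, not code from openshift-acme or the OpenShift router: it reports a route whose caCertificate cannot anchor the leaf in certificate, and stays quiet once caCertificate is removed or replaced with the new issuer. Assumptions: `staleCA` and `issue` are hypothetical names, all certificates are constructed in memory, and a set caCertificate is treated as the trust anchor for the leaf.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// staleCA reports whether caCertificate is set yet cannot anchor the leaf of certificate.
func staleCA(certificate, caCertificate []byte) bool {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	block, rest := pem.Decode(certificate) // first PEM block is the leaf
	if block == nil || !roots.AppendCertsFromPEM(caCertificate) {
		return false // no leaf, or no caCertificate that could be stale
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		inter.AppendCertsFromPEM(rest) // chain certificates that follow the leaf
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	}
	return errors.As(err, new(x509.UnknownAuthorityError))
}

// issue builds a constructed test certificate: a self-signed CA if parent is nil, else a leaf.
func issue(cn string, parent *x509.Certificate, key ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, key = tmpl, priv
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, priv
}

func main() {
	oldCA, _, _ := issue("old-ca", nil, nil) // stands in for the pre-ACME caCertificate
	acmeCA, acmeCert, acmeKey := issue("acme-ca", nil, nil)
	leaf, _, _ := issue("route.example", acmeCert, acmeKey)
	fmt.Println(staleCA(append(leaf, acmeCA...), oldCA), staleCA(leaf, acmeCA))
}
```

The first call mirrors the "after" route above (new leaf plus its issuer in certificate, old CA left in caCertificate); the second mirrors option b) from the report.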

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot • Mar 22 '19 21:03

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot • Apr 21 '19 23:04

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-bot • May 22 '19 00:05

@openshift-bot: Closing this issue.

openshift-ci-robot • May 22 '19 00:05

/reopen /remove-lifecycle rotten /lifecycle frozen /kind bug

tnozicka • Jun 27 '19 15:06

@tnozicka: Reopened this issue.

openshift-ci-robot • Jun 27 '19 15:06

Ran into this issue with OpenShift 4.3; also resolved by manually removing caCertificate.

ykoyfman • Dec 08 '20 17:12