Fix OCP HSTS errors

[jacobdotcosta]

Issue

When we access the ocp console, then we got such a message from google chrome

You cannot visit oauth-openshift.apps.ocp.snowdrop.dev right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

HSTS: https://developer.mozilla.org/en-US/docs/Glossary/HSTS

Temporary workaround is to type thisisunsafe within the google chrome window - https://stackoverflow.com/questions/33268264/chromethe-website-uses-hsts-network-errors-this-page-will-probably-work-late

[cmoulliard]

Dont forget to add the link to the issue/PR to track that from your tasks ;-)

[cmoulliard]

Can you add the link to the ticket created please ? @jacobdotcosta

[jacobdotcosta]

https://redhat.service-now.com/surl.do?n=RITM1483142

@cmoulliard

[cmoulliard]

I think that I know how to fix it.

We dont have issues when we access https://console-openshift-console.snowdrop-eu-de-1-bx2-4x16-0c576f1a70d464f092d8591997631748-0000.eu-de.containers.appdomain.cloud/ as their HTTPS certificate has been signed for the domain *.cloud by Let's encrypt - https://letsencrypt.org/certificates/#intermediate-certificates

-----BEGIN CERTIFICATE-----
MIIGRzCCBS+gAwIBAgISBIq2+AqEbznEOBnuHHqEpCBdMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA0MTMwNDEzNDdaFw0yMzA3MTIwNDEzNDZaMEUxQzBBBgNVBAMT
OnNub3dkcm9wLWV1LWRlLTEtYngyLTR4MTYuZXUtZGUuY29udGFpbmVycy5hcHBk
b21haW4uY2xvdWQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCZTx3I
Pgf1fn6i+oHSh5IwdjBn/BGSWkXXAbMJS+1myHKEczlKfR3xG1Fdetx657SPqHEY
YqAmpISR8aAnQBYFje1Bk7dZ4LkygbMUWw+r994tkHwoioRxCcsGcUwBtog2r5Ta
/MR6pkwipFY4qJ/zN2cIkRXAePy6r9AElSqoWtlfn7SAf/ENC4Ur0c5xwZs5pSPA
6/0oxaEwQvMqyVrhpreH9tpkFQQhoQJTht8EFzRBScua9mxztDvt6jhVSGLjbMBR
aV2Vwy5YEJsgtRhXGlBqTfBzBao8P2YAIg79ISrKmTXsXyJ7/OeGWJ30gSqnxW1K
Kcct/FQ8lkNwpIbXAgMBAAGjggNCMIIDPjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYE
FDhoxA4/oeUxzpSEcqSq4M3e3aFBMB8GA1UdIwQYMBaAFBQusxe3WFbLrlAJQOYf
r52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDovL3IzLm8u
bGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5vcmcvMIIB
DwYDVR0RBIIBBjCCAQKCYiouc25vd2Ryb3AtZXUtZGUtMS1ieDItNHgxNi0wYzU3
NmYxYTcwZDQ2NGYwOTJkODU5MTk5NzYzMTc0OC0wMDAwLmV1LWRlLmNvbnRhaW5l
cnMuYXBwZG9tYWluLmNsb3VkgmBzbm93ZHJvcC1ldS1kZS0xLWJ4Mi00eDE2LTBj
NTc2ZjFhNzBkNDY0ZjA5MmQ4NTkxOTk3NjMxNzQ4LTAwMDAuZXUtZGUuY29udGFp
bmVycy5hcHBkb21haW4uY2xvdWSCOnNub3dkcm9wLWV1LWRlLTEtYngyLTR4MTYu
ZXUtZGUuY29udGFpbmVycy5hcHBkb21haW4uY2xvdWQwTAYDVR0gBEUwQzAIBgZn
gQwBAgEwNwYLKwYBBAGC3xMBAQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5s
ZXRzZW5jcnlwdC5vcmcwggEFBgorBgEEAdZ5AgQCBIH2BIHzAPEAdwC3Pvsk35xN
unXyOcW6WPRsXfxCz3qfNcSeHQmBJe20mQAAAYd5CLg8AAAEAwBIMEYCIQDknrov
P4dsaO9cowbaK+W8qnFXlw2CXWmDqCga4jjvJgIhALDONveWD9P133Lcozni7WIT
Pt22QP4tj8zM7DQw0gzdAHYAejKMVNi3LbYg6jjgUh7phBZwMhOFTTvSK8E6V6NS
61IAAAGHeQi4TAAABAMARzBFAiEAxpLBPpag94JhLAf52vnYg0ShaQcBrQ5D9dkE
DcDHSCUCIGzt0Y+JaJN+0lvhZtoYLok8jTMJeFWI4tHxTkkGsgoQMA0GCSqGSIb3
DQEBCwUAA4IBAQCCQQ2GI1EkukC1GLUKpRcB2d7a0QrW1eu0qHOmyaH44G1Fii+X
DEUXVe93m9nROyG0ZdFhvxIHVuIylH31Q3UEOE0DtMHT3pYCzg+vs93jIFPXXL1C
1f52mt0TKsGnnPxUzHI0CqWZ4YKIAP+QURLVURQoe5YlvqMC3Mn0mW7tZKdrlnil
GnrXsveCz6oKbAtvoP8bMGWWsltrMjUZHZOB6lOvcQJoocxDZfCdHBoMjL+SugZ5
4DCqWHueRJc7o4Vdxcq3gNuCJ8YrYP7V3hZ4ustjBSPQBdlcBezmSuJ/DuQwCok2
TAMzaIP3LnDk+uYowmfELaIH3q+t7lj7HION
-----END CERTIFICATE-----

instead the certificate generated by the ocp ingress operator for us

    -----BEGIN CERTIFICATE-----
    MIIDZTCCAk2gAwIBAgIIM5L+uC/xI+YwDQYJKoZIhvcNAQELBQAwJjEkMCIGA1UE
    AwwbaW5ncmVzcy1vcGVyYXRvckAxNjgwMDkzMzc3MB4XDTIzMDMyOTEyMzYxN1oX
    DTI1MDMyODEyMzYxOFowIjEgMB4GA1UEAwwXKi5hcHBzLm9jcC5zbm93ZHJvcC5k
    ZXYwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrL8TyhxSjXY91I8lD
    JmRmjTQddf6kVzD4i8SFUY9Oi+ftYetb8z4sDVz6oq+85AIqDiH4TliqM5PAiL9F
    Q33miAdxOoF42S1a0LQpzDs/gt3VTLIls1/IFo4iA1KbnmuNNbDWZ1Ofe+twTwSA
    0HEODhCzzsVS6Oz+vUZIwWoY6gQET8XymhoA14Vu6GQPG1SjC6SRat7263A61GNA
    82Yt7MsANqkzR88r0FVLpuvGeX/2d2kwmIv1ZTpdAomJTd1o/gcuC2QA7DuAa9b3
    Mv+0wUjGTgZUa8+tbshEWlJ+cCQnFemyTooR7cUAw0jjTlhq32JWFQW08jV7EJwl
    jS2/AgMBAAGjgZowgZcwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUF
    BwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFJMlo5jao13Eia1IqeaL+V6pqrsG
    MB8GA1UdIwQYMBaAFHHVWLJXMatLkpvA69XC5n2uW0Q5MCIGA1UdEQQbMBmCFyou
    YXBwcy5vY3Auc25vd2Ryb3AuZGV2MA0GCSqGSIb3DQEBCwUAA4IBAQCTeuG5pMwg
    KcTdc/k3EMDIECX9OHZoNKl/4uVyILMyfOlC2y2qE0vhzpwT949Be4/l/cZHtLmQ
    3HnHwbsbS1p4D50/ByrSA50GDQkwd+80yMK14RMzQqv6N/3kX/6k/ss65fZygxTw
    Tw2Qk4ITq/p4h/O9rpqqf5PRHkhGkjfQN6iPDXgeImRjUo32BAjypC7cGGqjwo4P
    C5KTHHYBth/LBFyvQos/k4IaJ/qS1Ys6eNLR6NFcwy9LgbEadjGB2Gn+r3AbriQq
    NYsrp8tvbAdAg0TyngnGcnQfuKXI/rkxYxHPh4e6/kI+hzwZ+YzeP9X/pzZq8ZvP
    B9J1OVll7vas
    -----END CERTIFICATE-----

So, if we ask to Let's encrypt and Godaddy to sign a Certificate request for *.apps.ocp.snowdrop.dev, that should work.

The next challenge will be to pass such a certificate within the Openstack ocp install config file. Maybe using: https://docs.openshift.com/container-platform/4.13/installing/installing_openstack/installing-openstack-installer-custom.html#installation-osp-describing-cloud-parameters_installing-openstack-installer-custom

WDYT ? @jacobdotcosta

[cmoulliard]

I tested manually this procedure after updating the certificate and issuer role of k8s-infra, collected the updated secret and patched as described here: https://docs.openshift.com/container-platform/4.13/security/certificates/replacing-default-ingress-certificate.html#replacing-default-ingress_replacing-default-ingress

Now, the access to https://console-openshift-console.apps.ocp.snowdrop.dev/dashboards do not generate a HTST error ;-)

oc login is reporting nevertheless an error

oc login --token=sha256~xxxx --server=https://api.ocp.snowdrop.dev:6443
error: x509: “kube-apiserver-lb-signer” certificate is not trusted

FYI: @jacobdotcosta

[cmoulliard]

A part of the problem could be automated if we pass to the openshift installer config file the parameter additionalTrustBundle
See how that works here: https://github.com/openshift/installer/blob/master/docs/user/customization.md#proxy which corresponds to what it is described here: https://docs.openshift.com/container-platform/4.13/security/certificates/replacing-default-ingress-certificate.html#replacing-default-ingress_replacing-default-ingress (create a custom CA secret and patch proxy/cluster)

NOTE: We need of course to populate first and separately the CA crt and keys before to create a cluster !

@jacobdotcosta

[cmoulliard]

I still have an issue using such certificate/issuer

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod-qshift-snowdrop-dev
  labels:
    app: qshift-ca-cert
  namespace: snowdrop-site
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:
    privateKeySecretRef:
      name: letsencrypt-prod-snowdrop-dev
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                name: godaddy-api-key
                key: token
              production: true
              ttl: 600
            groupName: acme.mycompany.com
            solverName: godaddy
        selector:
          dnsNames:
            - 'api.qshift.snowdrop.dev'
            - 'oauth-openshift.apps.qshift.snowdrop.dev'
            - 'console-openshift-console.apps.qshift.snowdrop.dev'
            - 'grafana-openshift-monitoring.apps.qshift.snowdrop.dev'
            - 'prometheus-k8s-openshift-monitoring.apps.qshift.snowdrop.dev'
            - 'integrated-oauth-server-openshift-authentication.apps.qshift.snowdrop.dev'
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: qshift-snowdrop-dev
  labels:
    app: qshift-ca-cert
  namespace: snowdrop-site
spec:
  renewBefore: 2136h
  duration: 2190h
  privateKey:
    size: 2048
    algorithm: RSA
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod-qshift-snowdrop-dev
  secretName: qshift-snowdrop-dev-tls
  dnsNames:
    - 'api.qshift.snowdrop.dev'
    - 'oauth-openshift.apps.qshift.snowdrop.dev'
    - 'console-openshift-console.apps.qshift.snowdrop.dev'
    - 'grafana-openshift-monitoring.apps.qshift.snowdrop.dev'
    - 'prometheus-k8s-openshift-monitoring.apps.qshift.snowdrop.dev'
    - 'integrated-oauth-server-openshift-authentication.apps.qshift.snowdrop.dev'

[cmoulliard]

Problem fixed after issuing the following certificate

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod-qshift-snowdrop-dev
  labels:
    app: qshift-ca-cert
  namespace: snowdrop-site
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:
    privateKeySecretRef:
      name: letsencrypt-prod-snowdrop-dev
    solvers:
      - dns01:
          webhook:
            config:
              apiKeySecretRef:
                name: godaddy-api-key
                key: token
              production: true
              ttl: 600
            groupName: acme.mycompany.com
            solverName: godaddy
        selector:
          dnsNames:
            - '*.apps.qshift.snowdrop.dev'
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: qshift-snowdrop-dev
  labels:
    app: qshift-ca-cert
  namespace: snowdrop-site
spec:
  renewBefore: 2136h
  duration: 2190h
  privateKey:
    size: 2048
    algorithm: RSA
  issuerRef:
    kind: Issuer
    name: letsencrypt-prod-qshift-snowdrop-dev
  secretName: qshift-snowdrop-dev-tls
  dnsNames:
    - '*.apps.qshift.snowdrop.dev'

[cmoulliard]

Question from Antonio: To install the new cert manager on the OCP cluster we would still need the one on the snowdrop k8s server right?

Charles's response:
No.

It is not needed to centralize everything on a cluster EXCEPT when rotation will take place and when secrets (= ca, tls) are still used.

• So if we don't centralize, that means that we need to find a way to "copy/scp" the secret or rotated secret to the target cluster
• If we install a cert manager / cluster, then it can also manage the rotation and save locally the secret. If the cluster is then removed, no need anymore to rotate the cert as needed by letsencrypt after 3months

@jacobdotcosta