Thursday, February 24, 2022

 Issue:-


oc login -u kubeadmin -p blah


error: x509: certificate is not valid for any names, but wanted to match oauth-openshift.apps.cluster-psk


Sol:- Now we have to troubleshoot.


1) To explore this environment, export KUBECONFIG using the configuration created by the installer:


export KUBECONFIG=~/.kube/config


2) Check whether the default ingresscontroller has a defaultCertificate configured. Pay special attention to what is defined under spec (if that value is present):


oc get -n openshift-ingress-operator ingresscontroller/default -o json


 "spec": {

        "defaultCertificate": {

            "name": "cee-cf-110"

        }


Or run this command to get the name directly:

oc get -n openshift-ingress-operator ingresscontroller/default -o jsonpath='{.spec.defaultCertificate.name}'

cee-cf-110

3) If the spec value is not present, you might want to check what certificate is being used. To do this, you would use oc describe as shown here. Run this command and compare your output to what's shown here:


oc describe -n openshift-ingress-operator ingresscontroller/default


Events:

  Type    Reason                     Age                  From                    Message

  ----    ------                     ----                 ----                    -------

  Normal  Admitted                   57m (x2 over 5h49m)  ingress_controller      ingresscontroller passed validation

  Normal  DeletedDefaultCertificate  57m                  certificate_controller  Deleted default wildcard certificate "router-certs-default"

  Normal  Admitted                   11m                  ingress_controller      ingresscontroller passed validation

  Normal  CreatedDefaultCertificate  11m                  certificate_controller  Created default wildcard certificate "router-certs-default"

  Normal  DeletedDefaultCertificate  10m                  certificate_controller  Deleted default wildcard certificate "router-certs-default"

  Normal  Admitted                   10m                  ingress_controller      ingresscontroller passed validation




4) Certificates in RHOCP 4 are stored as secrets. Once you know the name of the certificate, you can use oc describe secret as shown here to get additional details. Your key focus will be the Data section of that output. Run this command and compare your output to what's shown here:


oc describe secret router-certs-default -n openshift-ingress


Name:         router-certs-default

Namespace:    openshift-ingress

Labels:       <none>

Annotations:  <none>


Type:  kubernetes.io/tls


Data

====

tls.crt:  2404 bytes

tls.key:  1675 bytes

Notice how the secret is stored in openshift-ingress, but the ingress controller is in the openshift-ingress-operator namespace.
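
The Data section only shows byte counts. As an added example (not part of the original post), the functions below decode tls.crt and test whether its Subject Alternative Names cover the hostname from the error. The function names, the constructed sample certificate and the example.test hostnames are assumptions; openssl 1.1.1 or later is required.

```shell
#!/bin/sh
# Added example: does the router certificate cover the hostname oc asked for?

# router_cert_from_cluster <out.pem>: pull tls.crt from the secret shown in step 4.
router_cert_from_cluster() {
    oc get secret router-certs-default -n openshift-ingress \
        -o jsonpath='{.data.tls\.crt}' | base64 -d > "$1"
}

# san_of <pem>: print the certificate's Subject Alternative Name line, if any.
san_of() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print }'
}

# cert_covers_host <pem> <host>
# returns 0 = a SAN entry matches the host
#         1 = SANs are present but none match
#         2 = no SAN at all; Go-based clients such as oc do not fall back to the CN
cert_covers_host() {
    [ -n "$(san_of "$1")" ] || return 2
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match' || return 1
}

# make_sample_cert <out.pem> [san]: constructed self-signed certificate so the
# checks above can be tried offline, without a cluster.
make_sample_cert() {
    out=$1
    shift
    if [ $# -gt 0 ]; then
        set -- -addext "subjectAltName=$1"
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-sample" \
        -keyout "$out.key" -out "$out" "$@" 2>/dev/null
}
```

On the bastion, run router_cert_from_cluster /tmp/router.pem, then cert_covers_host /tmp/router.pem with the hostname from the x509 error and check the return code.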


