2 min read | by Jordi Prats
After trying to set a custom default certificate for the OpenShift routes, we might see the router Pods start crashing:
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
router-10-rh8vf 1/1 Running 0 32m
router-10-f2dt2 0/1 CrashLoopBackOff 6 7m
router-10-m45b7 1/1 Running 0 31m
Checking its logs, we get a quite misleading message:
$ kubectl logs router-10-f2dt2 -n default
Error from server: Get https://some.openshift.cluster:10250/containerLogs/default/router-10-f2dt2/router: x509: certificate has expired or is not yet valid
To set a custom default certificate for routes (those that don't have a certificate explicitly set), we need to update the router-certs Secret in the default namespace:
$ kubectl get secret router-certs
NAME TYPE DATA AGE
router-certs kubernetes.io/tls 2 5h
In it we need to update two keys, tls.crt and tls.key, but if we do so it will start crashing. What we really need to do is append the private key after the certificate in tls.crt, like so:
$ kubectl get secret router-certs -n default -o jsonpath='{.data.tls\.crt}' | base64 -d
-----BEGIN CERTIFICATE-----
(...)
CHAIN CERT
(...)
-----END CERTIFICATE-----
(...)
-----BEGIN CERTIFICATE-----
(...)
CERTIFICATE
(...)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(...)
PRIVATE KEY
(...)
-----END RSA PRIVATE KEY-----
Don't know why you need to do so, but to be honest, I don't want to know because it will not make any sense.
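An added example (not from the original post): shell functions that assemble the combined tls.crt in the order shown above, check its structure, and only then update the router-certs Secret. The input file names are hypothetical, and the update step assumes a kubectl that supports `--dry-run=client`.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. File names are hypothetical.

# Count lines in a file that match an extended regex (prints 0 when none match).
count_lines() {  # usage: count_lines <file> <regex>
  grep -cE -- "$2" "$1" || true
}

# Concatenate chain, certificate and private key in the order shown above.
# awk 1 guarantees each input ends with a newline so PEM markers never fuse.
build_router_pem() {  # usage: build_router_pem <out> <chain.crt> <cert.crt> <key.pem>
  ( umask 077; awk 1 "$2" "$3" "$4" > "$1" )  # output holds a private key: owner-only
}

# Structural check of the combined file before it goes into the Secret.
check_router_pem() {  # usage: check_router_pem <combined.pem>
  local f=$1 certs keys begins ends last
  certs=$(count_lines "$f" '^-----BEGIN CERTIFICATE-----$')
  keys=$(count_lines "$f" '^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----$')
  begins=$(count_lines "$f" '^-----BEGIN [A-Z ]+-----$')
  ends=$(count_lines "$f" '^-----END [A-Z ]+-----$')
  last=$(grep -E '^-----BEGIN ' "$f" | tail -n 1)
  [ "$certs" -ge 1 ] || { echo "no CERTIFICATE block in $f" >&2; return 1; }
  [ "$keys" -eq 1 ] || { echo "expected 1 private key block, found $keys" >&2; return 1; }
  [ "$begins" -eq "$ends" ] || { echo "unbalanced BEGIN/END markers" >&2; return 1; }
  case $last in
    *'PRIVATE KEY-----') return 0 ;;
    *) echo "private key is not the last block" >&2; return 1 ;;
  esac
}

# Update the Secret only if the combined file passes the check.
# Assumes a kubectl that supports --dry-run=client.
apply_router_secret() {  # usage: apply_router_secret <combined.pem> <key.pem>
  check_router_pem "$1" || return 1
  kubectl create secret generic router-certs -n default \
    --type=kubernetes.io/tls \
    --from-file=tls.crt="$1" --from-file=tls.key="$2" \
    --dry-run=client -o yaml | kubectl apply -f -
}
```

The check is structural only: it does not verify that the key matches the certificate or that the certificate is within its validity period.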
Posted on 04/07/2023