This repository has been archived by the owner on Mar 6, 2023. It is now read-only.

caCertificate not removed/updated (ExtendedValidationFailed) #68

Open
pgerber opened this issue Apr 24, 2018 · 9 comments

Comments

@pgerber

pgerber commented Apr 24, 2018

I enabled kubernetes.io/tls-acme on a route that so far used a non-ACME certificate. Doing so, however, resulted in an ExtendedValidationFailed error.

As far as I can tell, this is caused by the fact that, for the old cert, spec.tls.caCertificate was set to the certificate authority. When openshift-acme issues a certificate, however, it includes the CA cert in spec.tls.certificate. This causes, rightfully, a validation error since there are now two CA certs in the chain. I believe openshift-acme should either a) remove spec.tls.caCertificate if it exists or b) move the CA cert from spec.tls.certificate to spec.tls.caCertificate.

Route before enabling ACME:

$ oc get route nice -o yaml    
apiVersion: v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/timeout: 15m
    kubernetes.io/tls-acme: "false"
  creationTimestamp: 2018-01-30T12:37:52Z
  labels:
    app: nginx
  name: nice
  namespace: toco-nice-k5bs
  resourceVersion: "156537327"
  selfLink: /oapi/v1/namespaces/toco-nice-k5bs/routes/nice
  uid: 63890d86-05ba-11e8-9d6f-fa163ec9e279
spec:
  host: k5bs.tocco.ch
  port:
    targetPort: 80-tcp
  tls:
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
      A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
      b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
      MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
      YWxTaWduIG52LXNhMSIwIAYDVQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcy
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gHs5OxzYPt+j2q3xhfj
      kmQy1KwA2aIPue3ua4qGypJn2XTXXUcCPI9A1p5tFM3D2ik5pw8FCmiiZhoexLKL
      dljlq10dj0CzOYvvHoN9ItDjqQAu7FPPYhmFRChMwCfLew7sEGQAEKQFzKByvkFs
      MVtI5LHsuSPrVU3QfWJKpbSlpFmFxSWRpv6mCZ8GEG2PgQxkQF5zAJrgLmWYVBAA
      cJjI4e00X9icxw3A1iNZRfz+VXqG7pRgIvGu0eZVRvaZxRsIdF+ssGSEj4k4HKGn
      kCFPAm694GFn1PhChw8K98kEbSqpL+9Cpd/do1PbmB6B+Zpye1reTz5/olig4het
      ZwIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
      AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOgYE
      VR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hbHBoYXNzbC5jb20vcmVw
      b3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWdu
      Lm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6
      Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAfBgNVHSMEGDAWgBRge2YaRQ2X
      yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQsFAAOCAQEAYEBoFkfnFo3bXKFWKsv0
      XJuwHqJL9csCP/gLofKnQtS3TOvjZoDzJUN4LhsXVgdSGMvRqOzm+3M+pGKMgLTS
      xRJzo9P6Aji+Yz2EuJnB8br3n8NA0VgYU8Fi3a8YQn80TsVD1XGwMADH45CuP1eG
      l87qDBKOInDjZqdUfy4oy9RU0LMeYmcI+Sfhy+NmuCQbiWqJRGXy2UzSWByMTsCV
      odTvZy84IOgu/5ZR8LrYPZJwR2UcnnNytGAMXOLRc3bgr07i5TelRS+KIz6HxzDm
      MTh89N1SyvNTBCVXVmaU6Avu5gMUTu79bZRknl7OedSyps9AsUSoPocZXun4IRZZUw==
      -----END CERTIFICATE-----
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIHQjCCBiqgAwIBAgIMNiLPbxmGVkUgGt8qMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
      BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
      bHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTE2MDkwNzA5MDQ1NloXDTE5MDkw
      ODA5MDQ1NlowODEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRMw
      EQYDVQQDDAoqLnRvY2NvLmNoMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
      AQEAyxzBBSIASSMaALvIv1MSt1CjZs01tCFUSQHPM0auRxFfPaUJrD0xNQbLY6wX
      CQkHV9TKNjmxrXTKj4vJdq7XUGtB445dOKHvAUr5fQw3YVaHRbAUA6LaKGOO8M7o
      mzdBtQnaLFKwZKCAH3VjxGXd51h5LHUNA//0uwDqNq+KeKXrfHbmHw1jF4i8aLcF
      3KIQaSQVV7jdcVNerkFieIglmBhM90KswTIuB3rQ8yyWqAsaXUXsUJQyzQ04lhHh
      OzkbzekNEj2/BTWjh9k/NIoYsDMFlUnJkWwLxhjByuGNIaKqHy1ViaPeZhuVmzLk
      qhwc+p5dxc5kyWFZYaakQW6zUQIDAQABo4IENjCCBDIwDgYDVR0PAQH/BAQDAgWg
      MIGJBggrBgEFBQcBAQR9MHswQgYIKwYBBQUHMAKGNmh0dHA6Ly9zZWN1cmUyLmFs
      cGhhc3NsLmNvbS9jYWNlcnQvZ3NhbHBoYXNoYTJnMnIxLmNydDA1BggrBgEFBQcw
      AYYpaHR0cDovL29jc3AyLmdsb2JhbHNpZ24uY29tL2dzYWxwaGFzaGEyZzIwVwYD
      VR0gBFAwTjBCBgorBgEEAaAyAQoKMDQwMgYIKwYBBQUHAgEWJmh0dHBzOi8vd3d3
      Lmdsb2JhbHNpZ24uY29tL3JlcG9zaXRvcnkvMAgGBmeBDAECATAJBgNVHRMEAjAA
      MD4GA1UdHwQ3MDUwM6AxoC+GLWh0dHA6Ly9jcmwyLmFscGhhc3NsLmNvbS9ncy9n
      c2FscGhhc2hhMmcyLmNybDAfBgNVHREEGDAWggoqLnRvY2NvLmNoggh0b2Njby5j
      aDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwHQYDVR0OBBYEFBKfZeVA
      FDywmENZmnN1NNel10aBMB8GA1UdIwQYMBaAFPXN1TwIUPlqTzq3l9pWg+Zp0mj3
      MIICbgYKKwYBBAHWeQIEAgSCAl4EggJaAlgAdgBo9pj4H2SCvjqM7rkoHUz8cVFd
      Z5PURNEKZ6y7T0/7xAAAAVcD5KUPAAAEAwBHMEUCIB0C0PO45BYFp6KbLzWCn7zE
      QQuzRZ8HLAF64GEKTNmVAiEA8ZkJRkIcn7o7p5uWdlRLvuV4WMdXa6sQea67On4q
      zCwAdQCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAVcD5KruAAAE
      AwBGMEQCIChezhVnCHcP2yDy0HKhsIio+fBZDTK5McXGHb0/tY+KAiAOK61xBB/r
      ju3LOddJqSIqQBQTb5U1QspB/863ARuriQB2AO5Lvbd1zmC64UJpH6vhnmajD35f
      sHLYgwDEe4l6qP3LAAABVwPks+QAAAQDAEcwRQIgYp4HFGFgq3trEdm5y0UTICFj
      F5aufsA+1NCPzHH+M8gCIQDAg+iHhhlvPf/U71CVbLUa91qlOw04KjpZbSfUUFcu
      6QB2AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABVwPkuJQAAAQD
      AEcwRQIhAKtgtqC5ryNbTKd4g0jVd23nu6/SfdYpSeQqEKi6lXDBAiBVk96zfXPA
      sjuH74sBJ/7EICHILu0O1ekyI3li+c79mwB3AFYUBpov18Ls0/XhvUSyPsdGdrm8
      mRFcwO+UmFXWidDdAAABVwPkvGQAAAQDAEgwRgIhAPnGQy0lMxa9zBq+uWaN0oL3
      sLJTCMfIdxiIzwKTH2alAiEA04vYgYP1hazfGsZ5nt24XpGpKnem/Vf+jj/JmHIG
      q10wDQYJKoZIhvcNAQELBQADggEBAG3v7ptCmQUvMfcY5v2sFE6vOsZPw0DJ9xFH
      MwEbXRkMq8iGEPNdB8Aqnrz1KzwbosFNIGXA78TW6Zkw6M3ZJkQAdc1JrGDcosgz
      eieVzslUBoJ6fqN5NGUDLhIHYQaHKa2fzg8kppNbKTx5wGxooa5Vqlv7sLYVCjMB
      FFVbfa2PHCaVOX9PxZbzp7pcWVtpJ8YtgyH8XbY6weXp9NBUaOy5WNbO4XTU9PqQ
      4PYvKk+p8Lf4sCPATKmv2FOSKoSBkj77kBCiGYpEMBHvry1qZG8VDFAFgO2kvx8L
      tJnklfzEwjpklyzZCnx/DeayZE3fmQ0l3INoV4Wvjv5LgS6s+Hg=
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
    key: |
      -----BEGIN PRIVATE KEY-----
      …
      -----END PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: nice
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2018-01-30T12:37:52Z
      status: "True"
      type: Admitted
    host: k5bs.tocco.ch
    routerName: router
    wildcardPolicy: None

Route after enabling ACME:

$ oc get route nice -o yaml
apiVersion: v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/timeout: 15m
    kubernetes.io/tls-acme: "true"
    kubernetes.io/tls-acme-awaiting-authorization-owner: https://acme-v01.api.letsencrypt.org/acme/reg/31528540
  creationTimestamp: 2018-01-30T12:37:52Z
  labels:
    app: nginx
  name: nice
  namespace: toco-nice-k5bs
  resourceVersion: "164578257"
  selfLink: /oapi/v1/namespaces/toco-nice-k5bs/routes/nice
  uid: 63890d86-05ba-11e8-9d6f-fa163ec9e279
spec:
  host: k5bs.tocco.ch
  port:
    targetPort: 80-tcp
  tls:
    caCertificate: |
      -----BEGIN CERTIFICATE-----
      MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
      A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
      b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
      MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
      YWxTaWduIG52LXNhMSIwIAYDVQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcy
      MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gHs5OxzYPt+j2q3xhfj
      kmQy1KwA2aIPue3ua4qGypJn2XTXXUcCPI9A1p5tFM3D2ik5pw8FCmiiZhoexLKL
      dljlq10dj0CzOYvvHoN9ItDjqQAu7FPPYhmFRChMwCfLew7sEGQAEKQFzKByvkFs
      MVtI5LHsuSPrVU3QfWJKpbSlpFmFxSWRpv6mCZ8GEG2PgQxkQF5zAJrgLmWYVBAA
      cJjI4e00X9icxw3A1iNZRfz+VXqG7pRgIvGu0eZVRvaZxRsIdF+ssGSEj4k4HKGn
      kCFPAm694GFn1PhChw8K98kEbSqpL+9Cpd/do1PbmB6B+Zpye1reTz5/olig4het
      ZwIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
      AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOgYE
      VR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hbHBoYXNzbC5jb20vcmVw
      b3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWdu
      Lm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6
      Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAfBgNVHSMEGDAWgBRge2YaRQ2X
      yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQsFAAOCAQEAYEBoFkfnFo3bXKFWKsv0
      XJuwHqJL9csCP/gLofKnQtS3TOvjZoDzJUN4LhsXVgdSGMvRqOzm+3M+pGKMgLTS
      xRJzo9P6Aji+Yz2EuJnB8br3n8NA0VgYU8Fi3a8YQn80TsVD1XGwMADH45CuP1eG
      l87qDBKOInDjZqdUfy4oy9RU0LMeYmcI+Sfhy+NmuCQbiWqJRGXy2UzSWByMTsCV
      odTvZy84IOgu/5ZR8LrYPZJwR2UcnnNytGAMXOLRc3bgr07i5TelRS+KIz6HxzDm
      MTh89N1SyvNTBCVXVmaU6Avu5gMUTu79bZRknl7OedSyps9AsUSoPocZXun4IRZZUw==
      -----END CERTIFICATE-----
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIHBjCCBe6gAwIBAgISA1Vc/rWFC4cKKyIJ2Y/PHFJwMA0GCSqGSIb3DQEBCwUA
      MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
      ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA0MjQxMTA5NDFaFw0x
      ODA3MjMxMTA5NDFaMBgxFjAUBgNVBAMTDWs1YnMudG9jY28uY2gwggIiMA0GCSqG
      SIb3DQEBAQUAA4ICDwAwggIKAoICAQC6t/xTGDeaqtM+2EDBRNo4ypfGw56IMIae
      CzgUuoKanXhFX6W8YfATG73L7AjwKS32s/SuBrfSTBOgLJkLTXzb+Nc4Wli8usrI
      fkaEcOOS949BDvIzTkGnQeba0t7xiwr991JFq4xlu/OKO588npHLdmb2IBuvDr7H
      GPSEuTocjdsTW0TrzwPJjH6ulH/XxthWYQP2ZCBg1n9kn/Bp7YcpkIZMGfqR0ix1
      bPvwosioNNv/KbmSFjA7o0biKZBaTdKO6UuQHbNlIs1gLlyJjnG6MiABM6TZaHBK
      pruH84rD5H5S7BVXkHOyVKNBaO+yQ8WDRioTOICpcCJl9v76a65Ep8dTefnxYGZV
      CiKotRuQc+gd90btWxwtIpOGFpEKe7azTTpmqv3ZNQpnxtfQrewI69+V1RY3rOIl
      zIx4cSHnJFn0MTrwhNfzoUL//o/djSg+4CuN6clKU2v1dq5VUpP21i2Pw7lBr8ZE
      m4o7ZIE10WWMD/S8Lc7bBEIZA8+gLJWIuI9l/tFGrCqA+SI+WaES93YVMbK0sPCm
      SxuKzYrkaR9F+wNsdr4PiEp3XmsV+YVWx+fJe89OfCbreylOZLmVX7IqNoWYzBlo
      N7WTOy5g3NFwL8pBoiIVHCh1ketywo0wVJrX+Po8yabWDEFeCiWGdcOu2QAPshO1
      cjvSPMqQIwIDAQABo4IDFjCCAxIwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQG
      CCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBR85T26
      UoNeNo2jtB8mQO6ON0mltTAfBgNVHSMEGDAWgBSoSmpjBH3duubRObemRWXv86js
      oTBvBggrBgEFBQcBAQRjMGEwLgYIKwYBBQUHMAGGImh0dHA6Ly9vY3NwLmludC14
      My5sZXRzZW5jcnlwdC5vcmcwLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14
      My5sZXRzZW5jcnlwdC5vcmcvMBgGA1UdEQQRMA+CDWs1YnMudG9jY28uY2gwgf4G
      A1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUF
      BwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYBBQUHAgIwgZ4M
      gZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1cG9uIGJ5IFJl
      bHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdpdGggdGhlIENl
      cnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNlbmNyeXB0Lm9y
      Zy9yZXBvc2l0b3J5LzCCAQUGCisGAQQB1nkCBAIEgfYEgfMA8QB3ANt0r+7LKeyx
      /so+cW0s5bmquzb3hHGDx12dTze2H79kAAABYvePOegAAAQDAEgwRgIhAIB3wPid
      0RXxrCcKSxMWNTyoB42O/P06ZBj1jVLQ89hhAiEA9W3u+5Ns2vLrl5lCDDebbsm6
      g89CRY4gGUunGMnpIaIAdgApPFGWVMg5ZbqqUPxYB9S3b79Yeily3KTDDPTlRUf0
      eAAAAWL3jzoNAAAEAwBHMEUCIHdcLMGAEIqaaE6pHP0GXHvKg4B3HuuqXTQ6xS7d
      M+l0AiEAjsY+2+8i7XlcEEnrPX3hKaCRYoEdOShnqqkGSNz2RyEwDQYJKoZIhvcN
      AQELBQADggEBAFvevOxb3gRar3XpMOip+0muXP7O5rd30M1DPoHa0CVzndQNbIfg
      rC7BmYOd+m0LZM+TBM7OPxfUVYT5n2DA9LBfyHmLudnkVhQjnErPMfGlD7R6bZkt
      dNvjFiiAAbzLlMaUnZSSfjjFKijLZk1ALix5sNL/Ogamxf9Se7IfesdKeEHzpULb
      WPFQuv/OWwGlRFUtQ3ZAfg8MxpDJ4b0HOPpxAzGn84hjOSK1xJMwT5n637+82Xby
      cjQR3rrj1egveeLYBpendaVb89h/IX2LjYyreRqm8AX+1JHvFojHmZDi6qXOhjTS
      +GAMI8D01lmtRloV1+2Hynh8+0+jPDMiSsk=
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
      MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
      DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
      SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
      GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
      AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
      q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
      SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
      Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
      a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
      /PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
      AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
      CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
      bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
      c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
      VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
      ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
      MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
      Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
      AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
      uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
      wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
      X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
      PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
      KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
      -----END CERTIFICATE-----
    insecureEdgeTerminationPolicy: Redirect
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      …
      -----END RSA PRIVATE KEY-----
    termination: edge
  to:
    kind: Service
    name: nice
    weight: 100
  wildcardPolicy: None
status:
  ingress:
  - conditions:
    - lastTransitionTime: 2018-04-24T12:09:42Z
      message: |2-

          - spec.tls.certificate: Invalid value: "redacted certificate data": error verifying certificate: x509: certificate signed by unknown authority
      reason: ExtendedValidationFailed
      status: "False"
      type: Admitted
    host: k5bs.tocco.ch
    routerName: router
    wildcardPolicy: None
@pgerber pgerber changed the title caCertificate not removed (ExtendedValidationFailed) caCertificate not removed/updated (ExtendedValidationFailed) Apr 24, 2018
@tnozicka
Owner

Removing the old caCertificate seems reasonable.

Could you try to remove it manually and confirm that fixes the issue? (I can follow up with a PR if that's confirmed.)

@pgerber
Author

pgerber commented Apr 24, 2018

Yes, I can confirm that manually removing caCertificate resolves the issue.

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-bot

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten
/remove-lifecycle stale

@openshift-bot

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

@openshift-ci-robot
Collaborator

@openshift-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@tnozicka
Owner

/reopen
/remove-lifecycle rotten
/lifecycle frozen
/kind bug

@openshift-ci-robot
Collaborator

@tnozicka: Reopened this issue.

In response to this:

/reopen
/remove-lifecycle rotten
/lifecycle frozen
/kind bug

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@ykoyfman

ykoyfman commented Dec 8, 2020

Ran into this issue with OpenShift 4.3 - also resolved by manually removing caCertificate.
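
A minimal Go reproduction of the mismatch discussed in this thread, added here as an example (it is not openshift-acme or router code). It assumes the router verifies spec.tls.certificate using spec.tls.caCertificate as the only trust root; the CAs are constructed and the helper names `issue`, `validate` and `demo` are hypothetical. It shows the stale caCertificate failing and option (b) from the report passing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate; a nil parent means self-signed.
func issue(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// validate (assumed model): caCertificate is the sole root, extra certs in certificate are intermediates.
func validate(caCertificate *x509.Certificate, certificate ...*x509.Certificate) error {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(caCertificate)
	for _, c := range certificate[1:] {
		opts.Intermediates.AddCert(c)
	}
	_, err := certificate[0].Verify(opts)
	return err
}

// demo returns the result with the stale caCertificate, then with option (b).
func demo() (stale, fixed error) {
	oldCA, _ := issue("Old CA (constructed)", true, nil, nil)
	newCA, caKey := issue("New ACME CA (constructed)", true, nil, nil)
	leaf, _ := issue("route.example.test", false, newCA, caKey)
	// Stale: new leaf + its CA in certificate, old CA left in caCertificate.
	// Option (b): the issuing CA is moved into caCertificate.
	return validate(oldCA, leaf, newCA), validate(newCA, leaf)
}

func main() {
	fmt.Println(demo())
}
```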
