There are multiple problems:
2019-02-07 18:23:32,549[aceSharedPool-1] [WARN ] [.i.k.KubernetesInternalRuntime 249] -
Failed to start Kubernetes runtime of workspace workspaceq1ys0pxhpfgzgmu8.
Cause: Plugins installation process failed. Error: Unrecoverable event occurred:
'FailedMount', 'MountVolume.SetUp failed for volume "che-self-signed-cert" : secret
"che-self-signed-cert" not found', 'workspaceq1ys0pxhpfgzgmu8.che-plugin-broker'
1. A secret with cert body isn't created but che-plugin-broker pod is configured to use it.
2. Once #1 is fixed I expect that che-plugin-broker isn't aware of such a cert and will fail to communicate with master using TLS route/ingress.
3. Once #1 and #2 are solved, Theia server side will be the next suspect since Theia communicates with Che master to grab workspace config and other info. So, Theia should also use the cert or trust all insecure endpoints.
@slemeur @l0rd is this something that should be taken care of for after beta Che 7 releases?
That sounds like a bug/regression.
We should be looking at this and testing it for the beta.
@slemeur it's hard to treat this as a bug because we didn't have this feature before for Che 7. All the activity we did related to TLS and self-signed certs was done for Che master and the GWT-based IDE.
CC @evidolob @benoitf @garagatyi @ibuziuk
Hello, would Let's Encrypt help?
Because with Let's Encrypt I don't see many people using self-signed certificates anymore.
If you really want to set up Che with HTTPS then you probably have your own domain. In development mode you're probably using nip.io, and there are some rate limits on this highly used domain by Let's Encrypt.
@benoitf so you propose not to have support for self signed certs?
Let's Encrypt requires a public DNS - this isn't always the case for many.
@eivantsov I see it like a requirement for Che 7 GA, not beta. @benoitf self-signed certs were considered critical for Che 6 because we considered that Let's Encrypt doesn't work for every use case.
Just wondering if there are any updates on this? Is a fix for this targeted for the Che 7 GA? Hitting the same issue on my cluster with self-signed certs:
Error: Failed to run the workspace: "Plugins installation process failed. Error: Unrecoverable event occurred: 'FailedMount', 'MountVolume.SetUp failed for volume "che-self-signed-cert" : secret "workspacek7av6dqw93udgvtw-che-self-signed-cert" not found', 'workspacek7av6dqw93udgvtw.che-plugin-broker'"
+1. Any updates on this would be helpful. Thanks!
@l0rd Is this one part of GA plan?
@gorkem it wasn't actually. I have added that to the GA list. Still wondering what we need to do to fix this. Will try to make a list here:
- che-theia trusts the self-signed cert https://github.com/eclipse/che/issues/12634
- che-plugin-broker trusts the self-signed cert

@skabashnyuk @benoitf @sleshchenko please review this list and comment if I am missing something
@johnmcollier can you provide more details to reproduce your problem? To set up the self-signed cert have you followed Che 6 documentation? With what stack are you testing?
@l0rd stack does not matter here. Just deploy Che in TLS mode with support of self signed certs. Installer script will create a secret self-signed-certificate with cert content. And in case of Che 7 secret for a workspace isn't created for plugin broker pod. As a result it cannot be scheduled.
@vparfonov @skabashnyuk has one of you taken this issue in your sprint?
@l0rd. It's something that has to be done for che-theia and che-plugin-broker. I guessed @evidolob or @ibuziuk can better tell the status.
@skabashnyuk this issue is labelled team/platform isn't it? And the error faced by @johnmcollier happens before the plugin-broker and che-theia are involved.
> this issue is labelled team/platform isn't it
That is correct. As well as osio and ide2 since they know about che-theia and plugin-broker packaging and architecture more.
> And the error faced by @johnmcollier happens before the plugin-broker and che-theia are involved.
The issue says that che-theia and plugin-broker processes have to be taught to work with self-signed certificates.
Do you want us to take this task in the next sprint?
@skabashnyuk I had listed 3 distinct subtasks above. The first task should be on your side. The remaining 2 should be easier to analyse / work on when the first one is fixed.
> Do you want us to take this task in the next sprint?
Yes please. Even if it's not a bug that's still a regression compared to Che 6 hence it's important.
related to https://github.com/eclipse/che/issues/12971
Che Plugin broker is almost adapted to self-signed certificates but unfortunately, Theia does not work out-of-the-box. Here is a demo of the state of Che with self-signed certificates, with changes that will be merged soon https://github.com/eclipse/che/pull/13565: https://youtu.be/8z8WXA82G28
For Theia part, there is a separate issue https://github.com/eclipse/che/issues/13574
cc @l0rd @slemeur @skabashnyuk @evidolob
I believe there should not be any issues with self-signed certs, our testing result can be found here https://github.com/eclipse/che/issues/14035 and https://github.com/eclipse/che/issues/13869#issuecomment-518946736
Feel free to create a new issue if there are still some issues.