Che: TLS with CRC does not work in Chrome/Chromium
Describe the bug
The process described to work with self-signed certificates in Che does not work on the combination of CRC 1.11.0, Che nightly and Chrome/Chromium
Che version
- [ ] latest
- [x] nightly
- [ ] other: please specify
Steps to reproduce
- Install Che on crc as described
- go to https://che-che.apps-crc.testing/ with the browser
- Observe: you get an error page mentioning NET::ERR_CERT_AUTHORITY_INVALID
- Run
chectl cacert:export -p crc - In the browser, go to settings->privacy and security->manage certificates
- On the "trusted root certification authorities" tab, press "import"
- Import the file ~/cheCA.crt
- Observe: Chrome warns you about importing a root cert for *.apps-crc.testing
- Import the cert anyway
- Observe: the "trusted root certification authorities" tab does not show a cert for *.apps-crc.testing
- Restart the browser
- go to https://che-che.apps-crc.testing/
13: observe: you still get the error NET::ERR_CERT_AUTHORITY_INVALID
Expected behavior
Ideally, just having to accept the certificate in the browser page, instead of importing a root cert authority
Failing that, I would like the import to work.
Runtime
- [ ] other: crc 1.11.0
Screenshots
Installation method
chectl -a operator -p crc
Environment
- [ ] my computer
- [x] Windows
- [ ] Linux
- [ ] macOS
tsmaeder
All 11 comments
sunix
on 5 Jun 2020
Ideally, just having to accept the certificate in the browser page, instead of importing a root cert authority
That's currently possible if we deploy Che in single-host mode. Single-host mode currently works on k8s but not on openshift. Platform team is working to support single-host on OpenShift too. Once it's supported on both platforms we should make it the default.
l0rd
on 8 Jun 2020
@l0rd this is blocking dogfooding for me: in the past, I used minishift, but was instructed to move to crc, since minishift is legacy.
Having some folks develop in crc is desirable, since OpenShift is generally more restrictive than Kubernetes.
tsmaeder
on 8 Jun 2020
Also, do we know I have no way to test this, but we should analyze if this bug affects OpenShift 4 in general, not just crc.
tsmaeder
on 8 Jun 2020
@tsmaeder agreed. That's a critical usabiliy issue. I just wanted to share some info about the work that is in progress to remove the need to locally install a certificate at all.
l0rd
on 8 Jun 2020
@l0rd @tsmaeder is
oc get secret router-ca -n openshift-ingress-operator -o 'go-template={{index .data "tls.crt"|base64decode}}' > ca.crt
working for you?
This is what we would tell anyone who have installed Che through the openshift4 operator hub to do to retrieve the certificate. These people may not have chectl installed.
sunix
on 8 Jun 2020
@sunix that does not even run on Windows (no base64decode).
@l0rd this is not a usability issue, it's blocking me from working on any che-theia stuff, since openshift.io is not a workable platform for self-hosting. I have no workaround right now.
tsmaeder
on 10 Jun 2020
@tsmaeder you can remove the base64 decode and decode it online: https://www.base64decode.org/
If this can help to for your self-hosting.
sunix
on 11 Jun 2020
@sunix not sure how that would work: I don't understand what this syntax does: "-o 'go-template={{index .data "tls.crt"|base64decode}}'"
tsmaeder
on 15 Jun 2020
After reading up on go template syntax, I've been able to create a certificate file via @sunix's instructions. Importing that certificate file works. However, reexporting a certificate via chectl cacert:export and importing that file leads to the problem described in this bug.
As I have a workaround, I'm stopping investigation on this bug.
tsmaeder
on 16 Jun 2020
The exact incantation on Windows is:
oc get secret router-ca -n openshift-ingress-operator -o "go-template={{index .data \"tls.crt\"}}" > ca.crt
You then have to base-64 decode the contents of the resulting file and then can import the certificate.
tsmaeder
on 31 Aug 2020
Related issues
sleshchenko
路
3Comments
l0rd
路
3Comments
skabashnyuk
路
3Comments
Ohrimenko1988
路
3Comments
LaneGeek
路
3Comments