-
Bug
-
Resolution: Done
-
Major
-
2.5.1.GA
-
False
-
False
-
Undefined
-
-
-
We are trying to follow instructions on:
https://access.redhat.com/documentation/en-us/red_hat_codeready_workspaces/2.4/html/installation_guide/configuring-che_crw#importing-tls-certificates-to-codeready-workspaces-server-java-trustore_crw
With the following error:
fact descriptor for io.quarkus:quarkus-maven-plugin:jar:1.10.2.Final: Could not transfer artifact io.quarkus:quarkus-maven-plugin:pom:1.10.2.Final from/to dev-rm (https://example.com:8443/repository/maven-public/): Transfer failed for https://example.com:8443/repository/maven-public/io/quarkus/quarkus-maven-plugin/1.10.2.Final/quarkus-maven-plugin-1.10.2.Final.pom: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
The checluster crd in openshift-workspaces is patched correctly with 4 custom CA certificates.
But during the creation of coderready pod we can see in logs:
2021-01-20T19:57:40.813504486Z Found a custom cert. Adding it to java trust store /home/user/cacerts 2021-01-20T19:57:41.065438072Z Trust this certificate? [no]: 2021-01-20T19:57:41.066414092Z Certificate was added to keystore 2021-01-20T19:57:41.090583585Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted 2021-01-20T19:57:41.095488949Z Found a custom cert. Adding it to java trust store /home/user/cacerts 2021-01-20T19:57:41.354880984Z Trust this certificate? [no]: 2021-01-20T19:57:41.355786562Z Certificate was added to keystore2021-01-20T19:57:41.355818961Z 2021-01-20T19:57:41.383988348Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted 2021-01-20T19:57:41.387110051Z Found a custom cert. Adding it to java trust store /home/user/cacerts 2021-01-20T19:57:41.608781492Z Certificate already exists in keystore under alias <entrustrootcertificationauthority-g2> 2021-01-20T19:57:41.609458945Z Do you still want to add it? [no]: 2021-01-20T19:57:41.610605344Z Certificate was added to keystore 2021-01-20T19:57:41.638472116Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted 2021-01-20T19:57:41.641139421Z Found a custom cert. Adding it to java trust store /home/user/cacerts 2021-01-20T19:57:41.874250333Z Certificate was added to keystore 2021-01-20T19:57:41.905802245Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted 2021-01-20T19:57:41.908638341Z Found a custom cert. Adding it to java trust store /home/user/cacerts 2021-01-20T19:57:42.162432139Z Trust this certificate? [no]: 2021-01-20T19:57:42.163255819Z Certificate was added to keystore2021-01-20T19:57:42.163270713Z 2021-01-20T19:57:42.187646295Z chmod: changing permissions of '/home/user/cacerts': Operation not permitted
All previous checks are correct:
[rludva@server ~]$ oc get checluster/codeready-workspaces -o json | jq .spec.server.serverTrustStoreConfigMapName "test" [rludva@server ~]$ oc get pod codeready-5f98c7fc99-ll5t5 -o json | jq .spec.volumes [ { "configMap": { "defaultMode": 420, "name": "test" }, "name": "che-public-certs" }, { "name": "che-token-ttf29", "secret": { "defaultMode": 420, "secretName": "che-token-ttf29" } } ] [rludva@server ~]$ oc exec codeready-5f98c7fc99-ll5t5 -- ls /public-certs/ ca.crt caa.crt caaa.crt caaaa.crt
We are also a little bit confused about symbolic links in the /public-certs folder.
It looks like they are expected to be linked to ../data/<name>.crt but the '/' before 'data' folder is missing:
It is patched. The keycloak pod and codeready pod is recreated.
But it looks like the symbolic links are not created there correctly, not sure if it is related to described bug for Java TrustStore:
sh-4.4$ cd / sh-4.4$ ls -ld data public-certs drwxrwxrwx. 2 root root 6 Nov 6 17:35 data drwxrwsrwx. 3 root 1000610000 121 Jan 22 15:03 public-certs sh-4.4$ ls -la data total 0 drwxrwxrwx. 2 root root 6 Nov 6 17:35 . drwxr-xr-x. 1 root root 61 Jan 22 15:03 .. sh-4.4$ ls -la public-certs total 0 drwxrwsrwx. 3 root 1000610000 121 Jan 22 15:03 . drwxr-xr-x. 1 root root 61 Jan 22 15:03 .. drwxr-sr-x. 2 root 1000610000 68 Jan 22 15:03 ..2021_01_22_15_03_15.282434929 lrwxrwxrwx. 1 root root 31 Jan 22 15:03 ..data -> ..2021_01_22_15_03_15.282434929 lrwxrwxrwx. 1 root root 13 Jan 22 15:03 ca.crt -> ..data/ca.crt lrwxrwxrwx. 1 root root 14 Jan 22 15:03 caa.crt -> ..data/caa.crt lrwxrwxrwx. 1 root root 15 Jan 22 15:03 caaa.crt -> ..data/caaa.crt lrwxrwxrwx. 1 root root 16 Jan 22 15:03 caaaa.crt -> ..data/caaaa.crt sh-4.4$ ls -l /data total 0