CRW-577 (Red Hat OpenShift Dev Spaces, formerly CodeReady Workspaces)

CRW 2.0 fails to install with TLS, Che server can't use TLS with RHSSO

      Following instructions from CRW 2.0 Installation doc [1]:
      ----------------------------------------------------------------------
      Create a new project called codeready-workspaces:

      $ oc new-project codeready-workspaces

      Run the following command to create the CodeReady Workspaces instance:

      $ crwctl server:start --platform=openshift --installer=operator --domain=<OPENSHIFT_APPS_URL> --tls
      ------------------------------------------------------------------------------

      After this, observe CRW Server pod never passes health checks. Looking at the log reveals likely TLS problems between CRW Server and Keycloak.

      The problem has been repeatedly reproduced in a CEE lab.

      [1] https://access.redhat.com/documentation/en-us/red_hat_codeready_workspaces/2.0/html-single/installation_guide/index#installing-codeready-workspaces-on-openshift-3-using-the-operator-and-ssl_installing-codeready-workspaces-on-openshift-3-using-the-operator


      Attempting a crwctl installation of CRW 2.0 fails when TLS flag is used.

      The Che server pod never passes health checks. Looking at the logs, it seems there is a TLS problem when Che server tries to call Keycloak.

      ----------------------- Edited stack trace from Che server follows ---------------
      Caused by: java.lang.RuntimeException: Exception while retrieving OpenId configuration from endpoint: https://keycloak-workspaces.apps.ricksche2.lab.upshift.rdu2.redhat.com/auth/realms/codeready/.well-known/openid-configuration
      at org.eclipse.che.multiuser.keycloak.server.KeycloakSettings.<init>(KeycloakSettings.java:104)
      ......
      at java.lang.Thread.run(Thread.java:748)
      Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
      ... 138 more
      Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
      ... 152 more
      Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
      ... 158 more

            nickboldt Nick Boldt
            rhn-support-rick Rick Wagner
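
The `PKIX path building failed` error in the trace above means the JVM could not build a path from the certificate the Keycloak endpoint presented to any CA in its trust store. The script below is an added example, not part of the original report or of CodeReady Workspaces, that reproduces that condition offline with `openssl`; the CA names, hostname and file paths are constructed, and that the endpoint certificate was issued by a private CA is an assumption.

```shell
#!/usr/bin/env bash
# Added example: offline reproduction of the trust condition behind
# "PKIX path building failed". Every subject, hostname and path is constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME: self-signed CA certificate and key under $WORK.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_pki: a private CA that signs the server certificate, plus an
# unrelated CA standing in for a trust store that lacks the issuer.
make_pki() {
  new_ca example-private-ca
  new_ca unrelated-ca
  openssl req -newkey rsa:2048 -nodes -subj "/CN=keycloak.apps.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -days 1 -CAcreateserial \
    -CA "$WORK/example-private-ca.crt" -CAkey "$WORK/example-private-ca.key" \
    -out "$WORK/srv.crt" 2>/dev/null
}

# chain_trusted BUNDLE CERT: can a path be built from CERT to a CA in BUNDLE?
chain_trusted() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# issuer_of CERT: the CA that has to be present in the client's trust store.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer
}

make_pki
echo "issuer:             $(issuer_of "$WORK/srv.crt")"
echo "store without CA:   $(chain_trusted "$WORK/unrelated-ca.crt" "$WORK/srv.crt")"
echo "store with the CA:  $(chain_trusted "$WORK/example-private-ca.crt" "$WORK/srv.crt")"
```

On a live cluster the same two checks apply to the chain returned by the Keycloak endpoint and to the CA certificates in the trust store of the Che server's JVM.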