2015-Middleware-Keynote / demo-ansible

Apache License 2.0

"Overhaul" - Amazon ELB - OpenShift Web Console certificate issues #110

Closed kenthua closed 8 years ago

kenthua commented 8 years ago

Each master instance has its own certificate with a CN matching the associated EC2 internal IP (172.x...). This causes different issues with different browsers.

When I'm able to successfully login, the console displays alerts such as "Server connection interrupted", unable to get deployment config, etc. Is it due to certificate issues when ELB is spraying traffic to another server where a certificate may not have been accepted?

Issues go away when only the primary master is InService/enabled in openshift-MasterEx.

On OSX: When Firefox is set to "Never remember history" it will keep prompting regarding "Insecure Connection" certificate exception for each individual certificate.

When Firefox set to remember history (this allows for permanently storing the certificate), it will prompt less, but error alerts still pop up.

For Chrome it will prompt only once, but then error alerts pop up.

thoraxe commented 8 years ago

Where is the "never remember history" setting in Firefox?

I am using FF 45 on Fedora 22. I only got prompted once.

Sometimes Chrome prompts me a few times.

Internet Explorer works on Windows 7 with only one prompt.

I can't seem to reproduce this issue.

kenthua commented 8 years ago

Settings > Preferences > Privacy > History > "Firefox will: ..."

thoraxe commented 8 years ago

As a workaround we are creating (for other reasons) an openshift-master.CLUSTERID.R53ZONE entry that points to only one master and bypasses the ELB.

douglasawoods commented 8 years ago

Kent, wouldn't the better approach be to generate a certificate with all Master IP addresses in the certificate CN?

-Doug


kenthua commented 8 years ago

@douglasawoods I don't believe you can put multiple IPs in a CN. It would normally be a wildcard DNS. I could be wrong. I guess the question is, should it be the internal IP or the resolvable external address.

douglasawoods commented 8 years ago

Kent, I believe you can put wildcard*sub-domain in a CN, just like the wildcard we set up in the R53 Zone.

-Doug

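As an added example (not code from demo-ansible or the OpenShift installer), the script below shows where the list of master addresses actually belongs: in the subjectAltName extension, not the CN. It builds a CN-only certificate like the ones the masters present and a second certificate whose SAN covers an ELB name plus every master IP, then checks both with `openssl verify` the way a TLS client does. The ELB name and the 172.31.0.x addresses are constructed assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example; not code from demo-ansible or the OpenShift installer.
# Builds a CN=<internal IP> cert (the situation in this thread) and a
# cert whose subjectAltName lists an ELB/Route53 name plus every master
# IP, then checks both with openssl verify. Names/IPs are constructed.
set -e

ELB_NAME="openshift-master.example.com"            # assumed ELB DNS name
MASTER_IPS="172.31.0.10 172.31.0.11 172.31.0.12"   # constructed
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <cn> <out-prefix> [san-list]: 1-day self-signed RSA cert.
make_cert() {
  cn=$1; out=$2; san=${3:-}
  {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n'
    if [ -n "$san" ]; then printf 'x509_extensions=ext\n'; fi
    printf '[dn]\nCN=%s\n' "$cn"
    if [ -n "$san" ]; then printf '[ext]\nsubjectAltName=%s\n' "$san"; fi
  } > "$out.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$out.cnf" \
    -keyout "$out.key" -out "$out.crt" 2>/dev/null
}

# cert_covers_name <crt> <dns-name>: exit 0 if the cert is valid for it.
cert_covers_name() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_covers_ip <crt> <ip>: exit 0 only if <ip> is an IP-type SAN entry;
# OpenSSL, like current browsers, does not fall back to the CN for IPs.
cert_covers_ip() {
  openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1
}

# build_demo: CN-only cert for the first master, SAN cert for all of them.
build_demo() {
  make_cert "172.31.0.10" "$WORK/cn-only"
  san="DNS:$ELB_NAME"
  for ip in $MASTER_IPS; do san="$san,IP:$ip"; done
  make_cert "$ELB_NAME" "$WORK/san" "$san"
  CN_ONLY_CRT="$WORK/cn-only.crt"; SAN_CRT="$WORK/san.crt"
}

build_demo
for ip in $MASTER_IPS; do
  cert_covers_ip "$CN_ONLY_CRT" "$ip" && echo "cn-only: ok for $ip" || echo "cn-only: rejected for $ip"
  cert_covers_ip "$SAN_CRT" "$ip" && echo "san: ok for $ip" || echo "san: rejected for $ip"
done
```

Run as-is to see the CN-only certificate rejected for every master IP while the SAN certificate is accepted for all of them and for the ELB name; an OpenSSL with `-verify_hostname`/`-verify_ip` support (1.0.2 or later) is assumed.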

thoraxe commented 8 years ago

This is a combination problem with demo-ansible and the installer and how the installer generates certificates and what certificates are presented by masters.

The installer, in general, is not great about handling certificates. Given that there is already a workaround (use the openshift-master domain referenced above) I don't see a ton of value in trying to figure out how to generate the right certs and then get them to the masters so that a few users who have a particular setting in Firefox checked don't have issues....