CCI-MOC / moc-infra-config


Fix the dnsName for ingresscontroller cert #21

Closed naved001 closed 3 months ago

naved001 commented 3 months ago

The dnsName in the certificate needs to be fixed, but I am unsure if the error message in the cert-manager pod is due to this.

err="failed to change Route 53 record set: InvalidChangeBatch: [RRSet with DNS name _acme-challenge.moc-infra.massopen.cloud. is not permitted in zone acme.massopen.cloud.]" key="openshift-ingress/default-ingress-certificate-1-3305975815-2811422701"

naved001 commented 3 months ago

I agree that the error message seems like it may be a different problem, but I would need to take a look at the IAM config. Maybe tomorrow?

Sure.

In theory using *.moc-infra.massopen.cloud would work, and might even be useful (e.g., you could create a certificate for https://console.moc-infra.massopen.cloud instead of https://console.apps.moc-infra.massopen.cloud).

That would require an appropriate CNAME record configured. And we'll still need a cert for *.apps.moc-infra.massopen.cloud anyway.

naved001 commented 3 months ago

@larsks looks like that was it, the certificate was issued:

➜  ~ oc get orders -A
NAMESPACE           NAME                                       STATE   AGE
openshift-config    default-api-certificate-1-1983336905       valid   64m
openshift-ingress   default-ingress-certificate-1-2129140369   valid   2m51s