How to redeploy the default router certificate on Minishift

Ricardo Zanini
2 min read · Mar 5, 2019

When working with Minishift, the default installation configures a server certificate for the router, signed by the cluster's own generated CA, with the wildcard hostname *.router.default.svc.cluster.local. Applications exposed through secured routes will then serve this certificate unless you configure a custom one on the route.

Some clients that reach your pods through those secure routes may fail TLS hostname verification. I faced this problem while connecting to Keycloak OAuth2 endpoints through a Spring Cloud Gateway application:

Caused by: java.security.cert.CertificateException: No subject alternative names present

This error occurred because the Keycloak URL was something like:

https://sso-keycloak.192.168.42.54.nip.io

And the hostname in the default certificate (*.router.default.svc.cluster.local) didn't match it.

To solve this I had to re-create the certificate for the default cluster router.

Recreating the default self-signed certificate

To create a new certificate for the router, you need access to the CA that Minishift generated during installation, because the router certificate has to be signed by the same CA the cluster already trusts.

Minishift is a virtual machine running an all-in-one cluster, and the CA files are not obvious to find:

  1. ssh into the Minishift machine by running minishift ssh and become root: sudo su -
  2. The directory you're looking for is /var/lib/minishift/base/openshift-apiserver. Copy the files ca.crt, ca.key and ca.serial.txt to your local machine (just cat the files and paste them into files on your local filesystem). Remember that ca.key is the cluster's signing key: keep the copy out of version control and delete it when you are done.
  3. Then execute the following command on your local terminal:
oc adm ca create-server-cert --signer-cert=ca.crt --signer-key=ca.key --signer-serial=ca.serial.txt --hostnames='*.nip.io,*.router.default.svc.cluster.local' --cert=router.crt --key=router.key

The new key and certificate pair (router.key and router.crt) is written to your local machine.

Note that I added the *.nip.io wildcard hostname to the list besides the default one. This is what corrected the hostname validation error in my setup, since every route created on Minishift is exposed under <name>-<project>.<minishift-ip>.nip.io. Be aware, though, that RFC 6125 (and Java's default HostnameChecker) let a wildcard stand for exactly one DNS label, and sso-keycloak.192.168.42.54.nip.io has five labels in front of nip.io. If your client is strict about that, put the full route suffix in the certificate as well, e.g. *.192.168.42.54.nip.io for the cluster IP above.

Now it's time to install the new certificate on the default router. The router runs in the default project, so do this as a cluster admin (oc login -u system:admin, then oc project default):

# cat router.crt ca.crt router.key > router.pem
# oc secrets new router-certs tls.crt=router.pem tls.key=router.key -o json --type='kubernetes.io/tls' --confirm | oc replace -f -
# oc rollout latest router

And you're done. Access an exposed secure route in your cluster and look at the Subject Alternative Name of the certificate it serves (for example in the browser's certificate viewer, or with openssl s_client followed by openssl x509 -noout -text).

There are now two DNS Name entries: the default one, kept for compatibility with the installation, and your local nip.io domain.

Now clients that perform hostname verification should connect to your applications without any issues.

Ricardo Zanini

Yogi, open source lover, software engineer @ Red Hat. Opinions are my own.