Che 7, TLS and self signed certs

There are multiple problems:

  1. Failed to start a Che 7 workspace if Che deployment is configured to use self signed cert

     2019-02-07 18:23:32,549[aceSharedPool-1]  [WARN ] [.i.k.KubernetesInternalRuntime 249]  - 
     Failed to start Kubernetes runtime of workspace workspaceq1ys0pxhpfgzgmu8. 
     Cause: Plugins installation process failed. Error: Unrecoverable event occurred: 
     'FailedMount', 'MountVolume.SetUp failed for volume "che-self-signed-cert" : secret 
     "che-self-signed-cert" not found', 'workspaceq1ys0pxhpfgzgmu8.che-plugin-broker'

     A secret with cert body isn’t created but che-plugin-broker pod is configured to use it

  2. Once #1 is fixed I expect that che-plugin-broker isn’t aware of such a cert and will fail to communicate with master using tls route/ingress.

  3. Once #1 and #2 are solved, Theia server side will be the next suspect since Theia communicates with Che master to grab workspace config and other info. So, Theia should also use the cert or trust all insecure endpoints.

@slemeur @l0rd is this something that should be taken care of for after beta Che 7 releases?
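
Items 2 and 3 above depend on whether a client of the Che master verifies it against the self-signed certificate. The Go program below is an added example, not code from the issue or from Che: it builds a client that appends a PEM certificate to its trust pool with verification left on, and runs it against a local test server that stands in for the Che master (`clientTrusting` and `probe` are hypothetical names, and the PEM bundle is constructed from the test server's own certificate).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// clientTrusting verifies servers against the system roots plus the PEM bundle (may be empty).
func clientTrusting(bundle []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(bundle) > 0 && !pool.AppendCertsFromPEM(bundle) {
		return nil, fmt.Errorf("no certificate parsed from bundle")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// probe requests a local self-signed TLS server, with or without its cert in the trust bundle.
func probe(mountCert bool) (int, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	defer srv.Close()
	var bundle []byte // constructed stand-in for the content of the mounted secret
	if mountCert {
		bundle = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	}
	client, err := clientTrusting(bundle)
	if err != nil {
		return 0, err
	}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err // without the cert: certificate signed by unknown authority
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	_, errNoCert := probe(false)
	status, err := probe(true)
	fmt.Println("without cert:", errNoCert, "| with cert:", status, err)
}
```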

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 20 (17 by maintainers)

Top GitHub Comments

4 reactions
l0rd commented, Jul 30, 2019

@gorkem it wasn’t actually. I have added that to the GA list. Still wondering what we need to do to fix this. Will try to make a list here:

@skabashnyuk @benoitf @sleshchenko please review this list and comment if I am missing something

@johnmcollier can you provide more details to reproduce your problem? To setup the self-signed cert have you followed Che 6 documentation? With what stack are you testing?

1 reaction
l0rd commented, Feb 11, 2019

@eivantsov I see it like a requirement for Che 7 GA, not beta. @benoitf self signed certs were considered critical for Che 6 because we considered that Let’s Encrypt doesn’t work for every use case.
