Hostname verification failed in OpenShift when integrating an external service using an External Domain Name

9/19/2018

I want to call a REST service running outside OpenShift via a Service and external domain name. This works perfectly with an http:// request. The mechanism is described in the documentation: https://docs.okd.io/latest/dev_guide/integrating_external_services.html#saas-define-service-using-fqdn

However the external service is secured with https. In this case I got the following exception: Host name 'external-test-service' does not match the certificate subject provided by the peer (CN=.xxx, O=xxx, L=xxx, ST=GR, C=CH); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name 'external-test-service' does not match the certificate subject provided by the peer (CN=.xxx, O=xxx, L=xxx, ST=GR, C=CH)

The exception is clear to me because we use the Service name from OpenShift. This name does not correspond to the origin host name in the certificate. So currently I see three possibilities to solve this issue:

  1. Add the name of the OpenShift Service to the certificate
  2. Deactivate hostname verification before calling the external REST service
  3. Configure OpenShift (don't know if this is possible)

Has anybody solved this or a similar issue?

Currently I use OpenShift v3.9. We are running a simple Spring Boot application in a pod accessing REST services outside OpenShift.

Any hint will be appreciated.

Thank you

Markus

-- Markus
kubernetes
okd
openshift

1 Answer

9/19/2018
  1. Ugly and might cost you extra $
  2. Defeats the purpose of TLS.
  3. On Kubernetes 1.10 and earlier you can use ExternalName.

    You can also use it with OpenShift.

  4. You can also use a Kubernetes Ingress with TLS. It is also documented for OpenShift.

Hope it helps!

-- Rico
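
Why the Service name fails the check while the external FQDN passes, and why option 1 from the question makes it pass: an added example (not code from the question or the answer) of a simplified version of the hostname matching a TLS client performs. The `example.test` names and both certificates are constructed assumptions; IP addresses and internationalized names are not handled.

```python
# Added example: simplified RFC 6125-style hostname check (exact match or one
# left-most "*" label), run against constructed certificate data.

def _label_match(pattern: str, host: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # "*" covers exactly one label, never several
    if p[0] == "*":
        # require two literal labels after the wildcard and a non-empty host label
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_names(cert: dict) -> list:
    """DNS names a client checks: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans           # when DNS SANs exist, the CN is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def hostname_matches(cert: dict, requested_host: str) -> bool:
    # requested_host is the name the client put in the URL, not the resolved target
    return any(_label_match(name, requested_host) for name in cert_names(cert))


# Constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert().
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"),),
}
# Option 1 from the question: the Service name added as an extra SAN (constructed).
CERT_WITH_ALIAS = {
    "subject": ((("commonName", "*.example.test"),),),
    "subjectAltName": (("DNS", "*.example.test"), ("DNS", "external-test-service")),
}

if __name__ == "__main__":
    for label, cert in (("wildcard only", WILDCARD_CERT), ("with alias SAN", CERT_WITH_ALIAS)):
        for host in ("external-test-service", "api.example.test", "a.b.example.test"):
            print(f"{label:15} {host:22} -> {hostname_matches(cert, host)}")
```

The client compares the name it was asked to connect to, so a Service that only forwards to the real host does not change the outcome of the check.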
Source: StackOverflow