OpenShift edge TLS termination route does not work. CWWKO0801E: Unable to initialize SSL connection
Can anyone pls help me with Open-Shift Routes?
I have setup a Route with Edge TLS termination, calls made to the service endpoint (https://openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com) results in:
502 Bad Gateway
The server returned an invalid or incomplete response.Logs from the pod has the below error I make a REST call using the endpoints
CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.ibm.jsse2.c.a(c.java:6)
at com.ibm.jsse2.as.a(as.java:532)
at com.ibm.jsse2.as.unwrap(as.java:580)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:5)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:515)Default Passthrough route termination works!, but this does not let me specify Path Based Routes. Hence trying to use Route with Edge TLS Termination I am trying to route traffic from /ibm/pmi/service to apm-pm-api-service, and /ibm/pmi to apm-pm-ui-service using a single hostname https://openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com.
I have SSL certs loaded into the edge route, liberty service uses the same certs via secrets defined in the deployment.yaml.
I am unable to identify the root cause of this SSL related error, is this coming from the wlp liberty application server or an issue with openshift routes?
Any suggestions on how to get the liberty application working.
Thanks for your help in advance!
Attaching the route.yaml
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: openshift-pmi-dev
namespace: default
selfLink: /apis/route.openshift.io/v1/namespaces/default/routes/openshift-pmi-dev
uid: 9ba296f6-1611-11ea-a1ab-0a580afe00ab
resourceVersion: '6819345'
creationTimestamp: '2019-12-03T21:12:26Z'
annotations:
haproxy.router.openshift.io/balance: roundrobin
haproxy.router.openshift.io/hsts_header: max age=31536000;includeSubDomains;preload
spec:
host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
subdomain: ''
path: /ibm/pmi/service
to:
kind: Service
name: apm-pm-api-service
weight: 100
port:
targetPort: https
tls:
termination: edge
certificate: |
-----BEGIN CERTIFICATE-----
<valid cert>
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
<valid cert>
-----END RSA PRIVATE KEY-----
caCertificate: |
-----BEGIN CERTIFICATE-----
<valid cert>
-----END CERTIFICATE-----
insecureEdgeTerminationPolicy: Redirect
wildcardPolicy: None
status:
ingress:
- host: openshift-pmi-dev.apps.vapidly.os.fyre.ibm.com
routerName: default
conditions:
- type: Admitted
status: 'True'
lastTransitionTime: '2019-12-03T21:12:26Z'
wildcardPolicy: None
routerCanonicalHostname: apps.vapidly.os.fyre.ibm.comChanging the Route to Re-encryte, results in Application is not available 502 error. It seems like the requests are not reaching the service.
Similar Questions
2 Answers
Issue resolved after changing the following:
- enable http on the liberty application (server.xml)
- expose the http port on the docker file
- enable the http port on the service.yaml
- use th http port on the edge route.
Edge termination means http (plaintext) to the back end service, but your route goes out of its way to send http to the https port.
Either drop the port:https or use 'reencrypt' termination instead of 'edge'