Help… My Ingress is telling me OAuthServerRouteEndpointAccessibleControllerDegraded

My teammate hit an issue with Ingress Certificates not being valid:

oc get co ingress -oyaml
    message: |-
      OAuthServerRouteEndpointAccessibleControllerDegraded: Get "https://oauth-openshift.apps.mycluster.local/healthz": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-04-02T17:58:35Z is after 2025-02-13T20:04:16Z
      RouterCertsDegraded: secret/v4-0-config-system-router-certs.spec.data[apps.mycluster.local] -n openshift-authentication: certificate could not validate route hostname oauth-openshift.apps.mycluster.local: x509: certificate has expired or is not yet valid: current time 2025-04-02T17:58:33Z is after 2025-02-13T20:04:16Z
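
To triage a message like the one above without reading it by eye, the following added example (not from the original post or from Red Hat) parses the Go x509 error text in the operator status and reports, per condition, whether the certificate is expired or not yet valid (the latter usually points at clock skew), which host and secret are involved, and by how many days. The third sample line and the names `triage` and `SAMPLE` are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Sample input: the two condition lines quoted on this page, plus one
# constructed "is before" line to exercise the not-yet-valid case.
SAMPLE = """\
OAuthServerRouteEndpointAccessibleControllerDegraded: Get "https://oauth-openshift.apps.mycluster.local/healthz": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2025-04-02T17:58:35Z is after 2025-02-13T20:04:16Z
RouterCertsDegraded: secret/v4-0-config-system-router-certs.spec.data[apps.mycluster.local] -n openshift-authentication: certificate could not validate route hostname oauth-openshift.apps.mycluster.local: x509: certificate has expired or is not yet valid: current time 2025-04-02T17:58:33Z is after 2025-02-13T20:04:16Z
ExampleDegraded: Get "https://console.apps.mycluster.local/healthz": x509: certificate has expired or is not yet valid: current time 2025-01-01T00:00:00Z is before 2025-01-02T00:00:00Z
"""

# Go reports "is after <NotAfter>" for an expired certificate and
# "is before <NotBefore>" for one that is not yet valid.
X509_RE = re.compile(
    r"^(?P<condition>\w+): (?P<detail>.*?)"
    r"x509: certificate has expired or is not yet valid: "
    r"current time (?P<now>\S+) is (?P<rel>after|before) (?P<bound>\S+)$"
)
HOST_RE = re.compile(r'https://([^/"\s]+)|route hostname (\S+?):')
SECRET_RE = re.compile(r"secret/(\S+?)\.spec\.data\[[^\]]*\] -n (\S+?):")


def _ts(value):
    """Parse the UTC timestamps used in the message (e.g. 2025-04-02T17:58:35Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(message):
    """Return one finding per condition line that carries an x509 validity error."""
    findings = []
    for line in message.splitlines():
        m = X509_RE.match(line.strip())  # YAML output is indented
        if not m:
            continue
        host = HOST_RE.search(m["detail"])
        secret = SECRET_RE.search(m["detail"])
        findings.append({
            "condition": m["condition"],
            "state": "expired" if m["rel"] == "after" else "not-yet-valid",
            "host": (host.group(1) or host.group(2)) if host else None,
            "secret": f"{secret.group(2)}/{secret.group(1)}" if secret else None,
            "days": abs(_ts(m["now"]) - _ts(m["bound"])).days,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
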

The Red Hat docs and tech articles are great. I found "How to redeploy/renew an expired default ingress certificate in RHOCP4?"

I ran the following on a non-production cluster:

  1. Renewed the ingress CA:
     oc get secret router-ca -o yaml -n openshift-ingress-operator > router-ca-2025-04-02.yaml
     oc delete secret router-ca -n openshift-ingress-operator
     oc delete pod --all -n openshift-ingress-operator
     # give the operator time to recreate the secret
     sleep 30
     oc get secret router-ca -n openshift-ingress-operator
     oc get po -n openshift-ingress-operator
  2. Recreated the wildcard ingress certificate using the new ingress CA:
     oc get secret router-certs-default -o yaml -n openshift-ingress > router-certs-default-2025-04-02.yaml
     oc delete secret router-certs-default -n openshift-ingress
     oc delete pod --all -n openshift-ingress
     # give the operator time to recreate the secret
     sleep 30
     oc get secret router-certs-default -n openshift-ingress
     oc get po -n openshift-ingress
  3. Checked the ingress:
     curl -v https://oauth-openshift.apps.mycluster.local/healthz -k
     *  subject: CN=*.apps.mycluster.local
     *  start date: Apr  2 19:08:33 2025 GMT
     *  expire date: Apr  2 19:08:34 2027 GMT
  4. Updated ca-trust:
     oc -n openshift-ingress-operator get secret router-ca -o jsonpath="{ .data.tls\.crt }" | base64 -d -i > ingress-ca-2025-04-02.crt
     cp /root/ingress-ca-2025-04-02.crt /etc/pki/ca-trust/source/anchors/
     update-ca-trust
  5. Login now works:
     oc login -u kubeadmin -p YOUR_PASSWORD https://api.mycluster.local:6443

You’ve seen how to recreate the cert.

You should use the cert-manager operator from Red Hat.
