2 min read | by Jordi Prats
After trying to set a custom default certificate for the OpenShift routes, we might see the router Pods start crashing:
```
$ kubectl get pods
NAME              READY   STATUS             RESTARTS   AGE
router-10-rh8vf   1/1     Running            0          32m
router-10-f2dt2   0/1     CrashLoopBackOff   6          7m
router-10-m45b7   1/1     Running            0          31m
```
Checking its logs, we get a rather misleading message:
```
$ kubectl logs router-10-f2dt2 -n default
Error from server: Get https://some.openshift.cluster:10250/containerLogs/default/router-10-f2dt2/router: x509: certificate has expired or is not yet valid
```
To set a custom default certificate for routes (that don't have the certificate explicitly set) we need to update the router-certs Secret in the default namespace:
```
$ kubectl get secret router-certs
NAME           TYPE                DATA   AGE
router-certs   kubernetes.io/tls   2      5h
```
In it we need to update two keys, tls.crt and tls.key, but if we do just that the router will start crashing. What we really need to do is append the private key after the certificate in tls.crt, like so:
```
$ kubectl get secret router-certs -n default -o jsonpath='{.data.tls\.crt}' | base64 -d
-----BEGIN CERTIFICATE-----
(...) CHAIN CERT (...)
-----END CERTIFICATE-----
(...)
-----BEGIN CERTIFICATE-----
(...) CERTIFICATE (...)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(...) PRIVATE KEY (...)
-----END RSA PRIVATE KEY-----
```
Don't know why you need to do so, but to be honest, I don't want to know because it will not make any sense.
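To catch a malformed bundle before it reaches the router, the tls.crt layout shown above can be checked offline. This is an added example, not code from the original post: `check_router_bundle` and `constructed_block` are hypothetical names, the sample PEM blocks are constructed from dummy bytes, and the check covers structure only (at least one certificate, exactly one private key, key last), not expiry or whether the key matches the certificate.

```python
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def check_router_bundle(pem_text):
    """Return (labels, problems) for text destined for the tls.crt key."""
    labels, problems = [], []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.groups()
        labels.append(label)
        # Legacy keys may carry "Proc-Type:"/"DEK-Info:" headers; skip them.
        b64 = "".join(ln.strip() for ln in body.splitlines() if ":" not in ln)
        try:
            base64.b64decode(b64, validate=True)
        except binascii.Error:
            problems.append(f"block {len(labels)} ({label}): invalid base64 body")
    # Anything left after removing complete blocks is a truncated or mangled paste.
    if PEM_BLOCK.sub("", pem_text).strip():
        problems.append("text outside a complete PEM block")
    keys = [i for i, lb in enumerate(labels) if lb.endswith("PRIVATE KEY")]
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    elif keys[0] != len(labels) - 1:
        # Assumption: the key goes last, as in the layout shown on the page.
        problems.append("private key is not the last block")
    return labels, problems

def constructed_block(label, payload=b"constructed placeholder, not real material"):
    """Build a syntactically valid PEM block from dummy bytes (sample input)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    cert = constructed_block("CERTIFICATE")
    key = constructed_block("RSA PRIVATE KEY")
    for name, text in [("chain+cert+key", cert + cert + key),
                       ("certificate only", cert),
                       ("key first", key + cert)]:
        print(name, check_router_bundle(text))
```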
Posted on 04/07/2023