
Error LetsEncrypt with TLS Endpoint LoadBalancer

cdesaintleger
Community Member

Hello,
I'm trying to deploy the op-scim-helm chart on a Kubernetes GKE cluster with an external LoadBalancer and Traefikee as ingress controller.
The certificate is correctly configured with the ingress route.
But during the setup, I'm blocked with this error message:

ERR failed to get TLS config error="Network: (certificate manager failed to get certificate), : obtaining certificate: [] Obtain: subject does not qualify for a public certificate: " application=op-scim build=207031 version=2.7.3

I tried to disable LE by adding this env var: OP_LETSENCRYPT_DOMAIN="" but no improvement.

I configured the deployment as below:


    ...
          - command:
            - /op-scim/op-scim
            env:
            - name: OP_PORT
              value: "8080"
            - name: OP_SESSION
              value: /home/opuser/.op/scimsession
            - name: OP_WORKSPACE_SETTINGS
              value: /home/opuser/.op/workspace-settings.json
            - name: OP_WORKSPACE_CREDENTIALS
              value: /home/opuser/.op/workspace-credentials.json
            - name: OP_REDIS_URL
              value: redis://onepwd-cc-redis-master:6379
            - name: OP_PING_SERVER
              value: "true"
            - name: OP_LETSENCRYPT_DOMAIN
            image: 1password/scim:v2.7.3
    ...

Has anybody already encountered this type of issue?
Thank you for your help.
Best.
Ch.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Kubernetes 1.22
Browser: Chrome

Comments

  • Jack.P_1P

    Team Member

    Hi @cdesaintleger:

    Looking at your deployment configuration, to confirm, did you unset OP_LETSENCRYPT_DOMAIN, or did you set it to the value of ""? 1Password SCIM Bridge will skip provisioning a certificate if the value of OP_LETSENCRYPT_DOMAIN is set specifically to "". Let me know.

    Jack

  • cdesaintleger
    Community Member

    Hello @Jack.P_1P,
    Yes, I can confirm that the env var is set with an empty string:

                - name: "OP_LETSENCRYPT_DOMAIN"
                  value: ""
    

    And the complete logs remain:

    9:29AM INF attempting to acquire TLS certificate application=op-scim build=207031 domain= version=2.7.3
    9:29AM INF registering new health component application=op-scim build=207031 component=CertificateManager service=health version=2.7.3
    1.674206961435271e+09   info    maintenance started background certificate maintenance  {"cache": "0xc0002881c0"}
    9:29AM INF starting certificate manager application=op-scim build=207031 component=CertificateManager domain= version=2.7.3
    9:29AM ERR failed to get TLS config error="Network: (certificate manager failed to get certificate), : obtaining certificate: [] Obtain: subject does not qualify for a public certificate: " application=op-scim build=207031 version=2.7.3
    
  • cdesaintleger
    Community Member

    Hello @Jack.P_1P,
    I resolved the issue by keeping the env var OP_LETSENCRYPT_DOMAIN with an empty string and setting the other var, OP_DOMAIN.
    But on a fresh installation (tested 2 times, on dev and prod env), we must restart the pod 1 time for it to work properly. Maybe the configuration is not correctly loaded on the first pod start? I don't know.

    For me this issue is resolved.
    Thank you for your help.

    Best regards,
    Ch.
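
A pre-deployment check based on this thread, as an added example that is not part of the original posts and not 1Password's own code: it reads a Deployment in `kubectl get -o json` form and reports containers where `OP_LETSENCRYPT_DOMAIN` is not an explicit empty string or `OP_DOMAIN` is missing. The rules come only from the replies above; `check_tls_env`, `env_value` and the sample manifest are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get deployment -o json` output.
# The API server omits "value" when an env var is set to the empty string,
# so a name-only entry means "explicitly empty", not "unset".
SAMPLE = json.loads("""
{"spec": {"template": {"spec": {"containers": [
  {"name": "op-scim", "image": "1password/scim:v2.7.3", "env": [
    {"name": "OP_PORT", "value": "8080"},
    {"name": "OP_LETSENCRYPT_DOMAIN"}
  ]}
]}}}}
""")

MISSING = object()  # marks "variable not declared at all"


def env_value(container, name):
    """Return the literal value, "" for a name-only entry, None for
    valueFrom (unknown until runtime), or MISSING if not declared."""
    for entry in container.get("env", []):
        if entry.get("name") == name:
            if "valueFrom" in entry:
                return None
            return entry.get("value", "")
    return MISSING


def check_tls_env(deployment):
    """Hypothetical helper: return (container, finding) pairs."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        le = env_value(c, "OP_LETSENCRYPT_DOMAIN")
        if le is MISSING:
            findings.append((c["name"], "OP_LETSENCRYPT_DOMAIN is unset, not empty"))
        elif le:  # non-empty literal: the bridge would request its own certificate
            findings.append((c["name"], "OP_LETSENCRYPT_DOMAIN is non-empty"))
        dom = env_value(c, "OP_DOMAIN")
        if dom is MISSING or dom == "":
            findings.append((c["name"], "OP_DOMAIN is not set"))
    return findings


if __name__ == "__main__":
    for name, msg in check_tls_env(SAMPLE):
        print(f"{name}: {msg}")
```

The constructed sample mirrors the deployment in the first post, so the only finding is the missing `OP_DOMAIN`.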
