Can't access Che if installed with tlsSupport: true and selfSignedCert: true #15290

Closed
2 of 9 tasks
johnmcollier opened this issue Nov 22, 2019 · 3 comments
Labels
area/install Issues related to installation, including offline/air gap and initial setup kind/question Questions that haven't been identified as being feature requests or bugs.

Comments

@johnmcollier
Contributor

johnmcollier commented Nov 22, 2019

Describe the bug

I tried installing Che with HTTPS (using my OpenShift cluster's self-signed certs) with the operator by setting tlsSupport: true and selfSignedCert: true.

The doc Deploying Che with HTTPS mode only has placeholder text so I wasn't sure if anything else is needed.

Anyhow, Che installs fine, but when I go to access the Che dashboard, I get an error in my browser saying: Authorization token is missing and I'm unable to do anything.

It seems that the Che dashboard is rejecting the certificate used in the keycloak route? If I hit the Keycloak route first, whitelist the self-signed cert in my browser, and then visit the Che dashboard, everything is fine. But if I hit the Che dashboard first, I hit the error.

Che version

  • latest
  • nightly
  • other: please specify

Steps to reproduce

  1. Install Che and set tlsSupport: true and selfSignedCert: true in the CheCluster resource
  2. Try to access the Che dashboard
  3. You will hit an error saying: Authorization token is missing

Expected behavior

Runtime

  • kubernetes (include output of kubectl version)
  • Openshift (include output of oc version)
  • minikube (include output of minikube version and kubectl version)
  • minishift (include output of minishift version and oc version)
  • docker-desktop + K8S (include output of docker version and kubectl version)
  • other: (please specify)
❯ oc version
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.14-201908291507+ec04ac2-dirty", GitCommit:"ec04ac2", GitTreeState:"dirty", BuildDate:"2019-08-29T23:30:52Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"14+", GitVersion:"v1.14.6+2e5ed54", GitCommit:"2e5ed54", GitTreeState:"clean", BuildDate:"2019-10-10T22:04:13Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}

Screenshots

Additional context

@johnmcollier johnmcollier added the kind/bug Outline of a bug - must adhere to the bug report template. label Nov 22, 2019
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Nov 22, 2019
@tolusha tolusha added kind/question Questions that haven't been identified as being feature requests or bugs. area/install Issues related to installation, including offline/air gap and initial setup team/osio and removed kind/bug Outline of a bug - must adhere to the bug report template. status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Nov 23, 2019
@tolusha
Contributor

tolusha commented Nov 23, 2019

/cc @sleshchenko

@sleshchenko
Member

sleshchenko commented Nov 25, 2019

@johnmcollier Hello, browsers by default forbid requesting anything from hosts with self-signed certificates; when you open the Dashboard first, the browser denies requests to the Keycloak host.
When you open the Keycloak host directly, the browser notifies you that a self-signed certificate is used and asks if you want to trust it. And you must add an exclusion for every host: Che, Keycloak, Plugin Registry, Devfile Registry, and every Workspace host that is generated on every workspace start. The right way to do this is to import the self-signed cert into your browser.

I see two improvements according to your question:

  1. Dashboard should clearly say that self-signed-certificate issue is present instead of telling that token is missing: "Dashboard messages should be more accurate when self-signed cert issue happens" #15298
  2. Che Docs should contain an article with basic information about self-signed TLS mode for Che, and importing certificate into browser would be one of the steps: "[TLS] Document using self-signed TLS mode in Che" #15301

cc @tolusha

@johnmcollier

How to get OpenShift certificate ca.crt 
- way 1
openssl s_client -showcerts -connect keycloak-che.my-domain.com:443 

- way 2
Read /etc/origin/master/ca.crt on master node.

- way 3
oc get secret router-ca -n openshift-ingress-operator -o jsonpath="{.data.tls\.crt}" | base64 -d

How to import a self-signed certificate in Chrome: https://stackoverflow.com/questions/7580508/getting-chrome-to-accept-self-signed-localhost-certificate?page=2&tab=Votes
The same info is easy to google for another browser.
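
Added example, not part of the original thread: a certificate fetched over the network (way 1) can be compared against the copy read from the cluster itself (way 2 or 3) before it is imported into a browser. The script fingerprints every certificate in saved `openssl s_client -showcerts` output and checks that the cluster's CA is among them; the function names, file names and sample data are constructed for illustration, and it assumes the route sends its CA certificate in the chain.

```shell
#!/bin/sh
# Added example (not from the issue thread): check a fetched CA before trusting it.

# Print one SHA-256 fingerprint per PEM certificate found on stdin, in order.
# Input may be raw PEM or saved `openssl s_client -showcerts` output. The hash
# is taken over the decoded DER bytes, the usual certificate fingerprint.
pem_fingerprints() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' | while IFS= read -r b64; do
        printf '%s' "$b64" | base64 -d | sha256sum | cut -d' ' -f1
    done
}

# ca_in_chain SERVED TRUSTED: succeed only if the first certificate in TRUSTED
# (CA read from the cluster, way 2 or 3) is one of the certificates in SERVED
# (what the route presented over the network, way 1).
ca_in_chain() {
    want=$(pem_fingerprints < "$2" | head -n 1)
    [ -n "$want" ] || return 2          # no certificate in the trusted file
    pem_fingerprints < "$1" | grep -qx "$want"
}

# Constructed sample data: placeholder bytes stand in for real DER so the
# script runs offline. Real use: save way 1 and way 3 output to two files.
pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$(printf '%s' "$1" | base64)" '-----END CERTIFICATE-----'
}
make_sample() {  # make_sample DIR
    { echo 'CONNECTED(00000003)'; echo ' 0 s:CN = leaf (constructed)'; pem 'constructed leaf'
      echo ' 1 s:CN = ca (constructed)'; pem 'constructed CA'; } > "$1/served.txt"
    pem 'constructed CA'    > "$1/cluster-ca.crt"
    pem 'constructed other' > "$1/other-ca.crt"
}

dir=$(mktemp -d)
make_sample "$dir"
if ca_in_chain "$dir/served.txt" "$dir/cluster-ca.crt"; then
    echo "match: CA from the cluster is in the served chain"
fi
ca_in_chain "$dir/served.txt" "$dir/other-ca.crt" || echo "mismatch: do not import"
rm -rf "$dir"
```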

@johnmcollier
Contributor Author

@sleshchenko Thanks! With #15298 and #15301 open, I'll close this issue out
