Subscribe to the feed

If you work in a restricted network environment, you may encounter some problems when using the Red Hat Openshift command line to connect to a Red Hat cluster. One possible issue is a TLSHandshake error when you use the oc login command. This problem can occur with Kubernetes, as well. This blog discusses a few possible causes for the error, and how you can resolve it. 

My example applies to Red Hat OpenShift, but these tips also work when managing OKD, which is the upstream community version of Red Hat OpenShift.

The problem usually falls into one of two categories:

  • Proxy settings
  • Certificate corrupted/incorrect

Let's look at these categories in the following sections.

Check proxy settings

The first step is to check the proxy settings. If you cannot disable the proxy configuration, you can set no_proxy. Do this just for your OpenShift cluster URL by using the process below.

For a temporary fix/check, execute the following command in your terminal window: 

#> export no_proxy=OC_CLUSTER_URL

Where OC_CLUSTER_URL is the destination OpenShift cluster web site address.

For a permanent solution, add the following line to your ~/.bashrc  or ~/.bash_profile files:

export no_proxy=OC_CLUSTER_URL

Check for a corrupted certificate

If the issue is not with the proxy, the problem is likely with a certificate. Start by logging in to the OpenShift web console URL. Next, select your user name in the top right corner, and then select the Copy Login option. Log in using that credential instead of the default command. For example:

#> oc login OPENSHIFT_CLUSTER_URL

Additional suggestions

If configuring the proxy or updating the certificate did not work, here are some additional troubleshooting steps to try:

1. Increase the log level output on OpenShift authentication to gather more information. Run the following command:

#> oc login OPENSHIFT_CLUSTER_URL --loglevel=9

2. Run oc version to check the OpenShift version.

3. Run oc config view to display the current certificate.

I will discuss the certificate information next.

Display the certificate

You can follow the steps below to generate the current certificate by using a TLS/SSL certificate management tool like OpenSSL. There are other certificate management tools available, as well.

1. Run the following command:

#> openssl s_client -connect OPENSHIFT_CLUSTER_URL:OPENSHIFT_CLUSTER_PORT

Where OPENSHIFT_CLUSTER_URL is the OpenShift cluster. Use the following format: https://OPENSHIFT_ADDRESS.com and OPENSHIFT_CLUSTER_PORT is the port exposed through OpenShift.

2. Once the certificate is generated, you can pass the parameter:

#> oc login: --certificate-authority=extracted-certificate-file-path

Where extracted-certificate-path is the path to the downloaded certificate (e.g. ./downloaded.cert).

Wrap up

In this article, I examined some of the common causes of TLSHandshake errors when accessing an OpenShift cluster through the OpenShift command line. I also demonstrated some ways resolve it. As you continue on your OpenShift system administrator journey, it will be useful to be aware of the different challenges that you may encounter. Be sure to check out other articles in this blog site to continue to improve your system administrator skills.

[ Start using containers for free with OpenShift. ]


About the author

Bryant Jimin Son is a Consultant at Red Hat, a technology company known for its Linux server and opensource contributions. At work, he is working on building the technology for clients leveraging the Red Hat technology stacks like BPM, PAM, Openshift, Ansible, and full stack development using Java, Spring Framework, AngularJS, Material design. Prior to joining Red Hat, Bryant was at Citi Group's Citi Cloud team, building the private Infrastructure as a Service (IaaS) cloud platform serving 8,000+ teams across Citi departments. He also worked at American Airlines, IBM, and Home Depot Austin Technology Center. Bryant graduated with Bachelor of Sciences in Computer Science and Aerospace Engineering with minor concentration in Business at University of Texas at Austin.

He is also the President and Founder of Korean American IT Association group, known as KAITA (www.kaita.org). He is an avid coder spending extra time on building side projects at cafes, and he travels every week on business. He also loves to work out daily and to grow KAITA.

Read full bio
UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Original series icon

Original shows

Entertaining stories from the makers and leaders in enterprise tech