If you work in a restricted network environment, you may encounter some problems when using the Red Hat Openshift command line to connect to a Red Hat cluster. One possible issue is a TLSHandshake error when you use the oc login
command. This problem can occur with Kubernetes, as well. This blog discusses a few possible causes for the error, and how you can resolve it.
My example applies to Red Hat OpenShift, but these tips also work when managing OKD, which is the upstream community version of Red Hat OpenShift.
The problem usually falls into one of two categories:
- Proxy settings
- Certificate corrupted/incorrect
Let's look at these categories in the following sections.
Check proxy settings
The first step is to check the proxy settings. If you cannot disable the proxy configuration, you can set no_proxy.
Do this just for your OpenShift cluster URL by using the process below.
For a temporary fix/check, execute the following command in your terminal window:
#> export no_proxy=OC_CLUSTER_URL
Where OC_CLUSTER_URL is the destination OpenShift cluster web site address.
For a permanent solution, add the following line to your ~/.bashrc
or ~/.bash_profile
files:
export no_proxy=OC_CLUSTER_URL
Check for a corrupted certificate
If the issue is not with the proxy, the problem is likely with a certificate. Start by logging in to the OpenShift web console URL. Next, select your user name in the top right corner, and then select the Copy Login option. Log in using that credential instead of the default command. For example:
#> oc login OPENSHIFT_CLUSTER_URL
Additional suggestions
If configuring the proxy or updating the certificate did not work, here are some additional troubleshooting steps to try:
1. Increase the log level output on OpenShift authentication to gather more information. Run the following command:
#> oc login OPENSHIFT_CLUSTER_URL --loglevel=9
2. Run oc version
to check the OpenShift version.
3. Run oc config view
to display the current certificate.
I will discuss the certificate information next.
Display the certificate
You can follow the steps below to generate the current certificate by using a TLS/SSL certificate management tool like OpenSSL. There are other certificate management tools available, as well.
1. Run the following command:
#> openssl s_client -connect OPENSHIFT_CLUSTER_URL:OPENSHIFT_CLUSTER_PORT
Where OPENSHIFT_CLUSTER_URL is the OpenShift cluster. Use the following format: https://OPENSHIFT_ADDRESS.com and OPENSHIFT_CLUSTER_PORT is the port exposed through OpenShift.
2. Once the certificate is generated, you can pass the parameter:
#> oc login: --certificate-authority=extracted-certificate-file-path
Where extracted-certificate-path is the path to the downloaded certificate (e.g. ./downloaded.cert).
Wrap up
In this article, I examined some of the common causes of TLSHandshake errors when accessing an OpenShift cluster through the OpenShift command line. I also demonstrated some ways resolve it. As you continue on your OpenShift system administrator journey, it will be useful to be aware of the different challenges that you may encounter. Be sure to check out other articles in this blog site to continue to improve your system administrator skills.
[ Start using containers for free with OpenShift. ]
About the author
Bryant Jimin Son is a Consultant at Red Hat, a technology company known for its Linux server and opensource contributions. At work, he is working on building the technology for clients leveraging the Red Hat technology stacks like BPM, PAM, Openshift, Ansible, and full stack development using Java, Spring Framework, AngularJS, Material design. Prior to joining Red Hat, Bryant was at Citi Group's Citi Cloud team, building the private Infrastructure as a Service (IaaS) cloud platform serving 8,000+ teams across Citi departments. He also worked at American Airlines, IBM, and Home Depot Austin Technology Center. Bryant graduated with Bachelor of Sciences in Computer Science and Aerospace Engineering with minor concentration in Business at University of Texas at Austin.
He is also the President and Founder of Korean American IT Association group, known as KAITA (www.kaita.org). He is an avid coder spending extra time on building side projects at cafes, and he travels every week on business. He also loves to work out daily and to grow KAITA.
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit