Troubleshooting handshake errors in OpenShift

If you work in a restricted network environment, you may encounter some problems when using the Red Hat Openshift command line to connect to a Red Hat cluster. One possible issue is a TLSHandshake error when you use the oc login command. This problem can occur with Kubernetes, as well. This blog discusses a few possible causes for the error, and how you can resolve it. 

My example applies to Red Hat OpenShift, but these tips also work when managing OKD, which is the upstream community version of Red Hat OpenShift.

The problem usually falls into one of two categories:

• Proxy settings
• Certificate corrupted/incorrect

Let's look at these categories in the following sections.

Check proxy settings

The first step is to check the proxy settings. If you cannot disable the proxy configuration, you can set no_proxy. Do this just for your OpenShift cluster URL by using the process below.

For a temporary fix/check, execute the following command in your terminal window: 

#> export no_proxy=OC_CLUSTER_URL

Where OC_CLUSTER_URL is the destination OpenShift cluster web site address.

For a permanent solution, add the following line to your ~/.bashrc  or ~/.bash_profile files:

export no_proxy=OC_CLUSTER_URL

Check for a corrupted certificate

If the issue is not with the proxy, the problem is likely with a certificate. Start by logging in to the OpenShift web console URL. Next, select your user name in the top right corner, and then select the Copy Login option. Log in using that credential instead of the default command. For example:

#> oc login OPENSHIFT_CLUSTER_URL

Additional suggestions

If configuring the proxy or updating the certificate did not work, here are some additional troubleshooting steps to try:

1. Increase the log level output on OpenShift authentication to gather more information. Run the following command:

#> oc login OPENSHIFT_CLUSTER_URL --loglevel=9

2. Run oc version to check the OpenShift version.

3. Run oc config view to display the current certificate.

I will discuss the certificate information next.

Display the certificate

You can follow the steps below to generate the current certificate by using a TLS/SSL certificate management tool like OpenSSL. There are other certificate management tools available, as well.

1. Run the following command:

#> openssl s_client -connect OPENSHIFT_CLUSTER_URL:OPENSHIFT_CLUSTER_PORT

Where OPENSHIFT_CLUSTER_URL is the OpenShift cluster. Use the following format: https://OPENSHIFT_ADDRESS.com and OPENSHIFT_CLUSTER_PORT is the port exposed through OpenShift.

2. Once the certificate is generated, you can pass the parameter:

#> oc login: --certificate-authority=extracted-certificate-file-path

Where extracted-certificate-path is the path to the downloaded certificate (e.g. ./downloaded.cert).

Wrap up

In this article, I examined some of the common causes of TLSHandshake errors when accessing an OpenShift cluster through the OpenShift command line. I also demonstrated some ways resolve it. As you continue on your OpenShift system administrator journey, it will be useful to be aware of the different challenges that you may encounter. Be sure to check out other articles in this blog site to continue to improve your system administrator skills.

[ Start using containers for free with OpenShift. ]