Operator gets "400: Invalid SNI" when accessing Ords
rbaumgar opened this issue · 4 comments
The documentation on how to create certificates is incomplete:
https://github.com/oracle/oracle-database-operator/blob/main/docs/multitenant/README.md#secrets-for-certificates
The operator uses the following URL to access ORDS: -ords., e.g. cdb-dev-ords.oracle
As a result, extfile.txt should be created like the following example. www.example.com is completely useless.
echo "subjectAltName=DNS:cdb-dev-ords,DNS:cdb-dev-ords.oracle" > extfile.txt
The Makefile with the correct example was changed a few months ago. Please let us know if your problem still exists.
$(OPENSSL) req -newkey rsa:2048 -nodes -keyout $(SKEY) -subj "/C=US/ST=California/L=SanFrancisco/O=$(COMPANY) /CN=$(RESTPREFIX)-$(REST_SERVER).$(CDB_NAMESPACE) /CN=$(LOCALHOST)" -out server.csr
$(ECHO) "subjectAltName=DNS:$(RESTPREFIX)-$(REST_SERVER).$(CDB_NAMESPACE),DNS:www.example.com" > extfile.txt
$(OPENSSL) x509 -req -extfile extfile.txt -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out $(SCRT)
Why is www.example.com defined? This is definitely not required here. Or please explain this; I thought this should be used in an enterprise environment.
Thank you, we are going to remove the example as well. Please let us know if you are still facing the 400 SNI problem.
I faced the 400 SNI error again when I exposed the ORDS service externally; then I had to create an entry with the external name.
e.g.
echo "subjectAltName=DNS:-ords,DNS:-ords.,DNS:cdb-dev-ords-." > extfile.txt
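A way to check, before the certificate goes into the secrets, that its subjectAltName covers every hostname used to reach ORDS. This is an added example, not code from the thread or the operator repository; the function names are hypothetical, cdb-dev-ords and the namespace oracle follow the thread's example, and ords.apps.example.test and cn-only.example.test are constructed hostnames.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or the operator repo).
# Constructed names: cdb-dev-ords and namespace "oracle" follow the thread's
# example; ords.apps.example.test stands in for an external hostname.

# make_cert <dir> <common-name> <san-dns-name>...
# Throwaway CA plus a server certificate signed with an extfile, as in the thread.
make_cert() {
  local dir=$1 cn=$2 san="" n
  shift 2
  for n in "$@"; do san="${san:+$san,}DNS:$n"; done
  echo "subjectAltName=$san" > "$dir/extfile.txt"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/tls.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -extfile "$dir/extfile.txt" -days 1 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/tls.crt" 2>/dev/null
}

# missing_names <cert> <hostname>...
# Prints each hostname the certificate does NOT cover; returns 1 if any.
missing_names() {
  local cert=$1 h rc=0
  shift
  for h in "$@"; do
    if ! openssl x509 -in "$cert" -noout -checkhost "$h" \
         | grep -q "does match certificate"; then
      echo "$h"; rc=1
    fi
  done
  return $rc
}

# Demo: internal names only in the SAN, then ask about the external name too.
work=$(mktemp -d)
make_cert "$work" cdb-dev-ords.oracle cdb-dev-ords cdb-dev-ords.oracle
missing_names "$work/tls.crt" cdb-dev-ords cdb-dev-ords.oracle \
  ords.apps.example.test || echo "^ add these to subjectAltName"
rm -rf "$work"
```

A name that appears only in the certificate's CN is also reported as missing, because OpenSSL's hostname check ignores the CN once a DNS subjectAltName is present.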