This repository was archived by the owner on Mar 6, 2023. It is now read-only.

Route not updating with TLS information #56

Closed
awood opened this issue Mar 16, 2018 · 4 comments

awood commented Mar 16, 2018

After getting the certificate via ACME, I'm seeing some errors when openshift-acme tries to update the route configuration.

I0316 20:13:18.882025   1 route.go:385] Started syncing Route "candlepin/external" (2018-03-16 20:13:18.882011441 +0000 UTC m=+635.609929176)
I0316 20:13:18.999077   1 route.go:483] Route "candlepin/external": authorization state is "valid"
I0316 20:13:18.999101   1 route.go:515] Authorization "https://acme-staging.api.letsencrypt.org/acme/authz/[...]" for Route candlepin/external successfully validated
I0316 20:13:33.905383   1 route.go:539] Route "candlepin/external" - created certificate available at https://acme-staging.api.letsencrypt.org/acme/cert/[...]
I0316 20:13:33.917429   1 route.go:387] Finished syncing Route "candlepin/external" (15.035409245s)
I0316 20:13:33.917513   1 route.go:716] Error syncing Route candlepin/external: failed to update route candlepin/external with new certificates: Route "external" is invalid: spec.tls: Invalid value: route.TLSConfig{...}: field is immutable

I'm sure I've got something misconfigured, but I'm not sure what.

@tnozicka
Owner

What OpenShift version do you have?

Do you have roles set up properly? I think this is the permission you need: https://github.com/tnozicka/openshift-acme/blob/master/deploy/letsencrypt-live/cluster-wide/clusterrole.yaml#L25

Possibly you need OpenShift with this openshift/origin#18312 or raise it to update privilege.

@awood
Author

awood commented Mar 19, 2018

OpenShift Master:
    v3.7.23 (online version 3.6.0.90)
Kubernetes Master:
    v1.7.6+a08f5eeb62 

I'm doing the single-namespace deployment.

Looks like I'm getting bitten by that bug you're referencing. In the comment thread for that issue it looks like the fix has gone out in 3.7, but I find the version listing for OpenShift Master I posted above somewhat confusing since it references two different versions. Am I on 3.7.x or 3.6.x, I wonder.

It looks like this is not an issue in openshift-acme at all so I'm going to close this. Any hints or insight you might have would be much appreciated though.

awood closed this as completed Mar 19, 2018

@tnozicka
Owner

I assume you are on a paid OpenShift Online cluster where you can have a custom domain (and set certificates).

Yes, it's slightly confusing; the OpenShift version is v3.7.23 and you need >= 3.9.0, otherwise you won't be able to change the cert even manually. The good news is that the Starter (unpaid) cluster started to get the 3.9 upgrade, so when the issues get resolved the usual pattern is to proceed to the paid ones.

@tnozicka
Owner

Let us know if there are more issues once your cluster gets updated to 3.9 or even if it just works ;)
