
Let's say an app running in one of your pods on OpenShift is logging events like this.
2024/01/23 02:46:09 server.go:2926: http: TLS handshake error from 10.11.12.13:43722: remote error: tls: bad certificate
This means the TLS handshake between the app running in your pod and some other system failed, so no secure connection was established, because of a problem with the certificate used in the connection. The "remote error" prefix in the message means the other side of the connection is the one that rejected the certificate and sent the bad certificate alert.
The oc get pods command with the --output wide option can be used to list your pods, including the IP address of each pod, in the output. Notice that the error message contains the IP address 10.11.12.13 in this example. With the --output wide option, we can identify the source pod and the destination pod. For example, if pod foo-9mzm2 is logging the TLS handshake error with IP 10.11.12.13, then we know the pod foo-9mzm2 is unable to establish the TLS connection to pod bar-pflxc, since pod bar-pflxc is the pod that has IP 10.11.12.13.
~]# oc get pods --output wide
NAME        READY   STATUS    RESTARTS   AGE   IP            NODE           NOMINATED NODE
foo-9mzm2   1/1     Running   0          8d    10.11.12.11   worker-hsjrp   <none>
foo-vmzmz   1/1     Running   0          8d    10.11.12.12   worker-v8r9r   <none>
bar-pflxc   1/1     Running   0          8d    10.11.12.13   worker-ab9df   <none>
The oc get pods command with the --output yaml option can be used to display the YAML of the source and destination pods, which may return something like this. In this example, the TLS secret named foo-tls is mounted into the container at /etc/tls/private, and the container is started with the certificate and key from that mount.
~]$ oc get pod foo-9mzm2 --output yaml
spec:
  containers:
  - args:
    - -openshift-ca=/etc/pki/tls/cert.pem
    - -openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
    - -tls-cert=/etc/tls/private/tls.crt
    - -tls-key=/etc/tls/private/tls.key
    volumeMounts:
    - mountPath: /etc/tls/private
      name: foo-tls
  volumes:
  - name: foo-tls
    secret:
      defaultMode: 420
      secretName: foo-tls
  - name: kube-api-access-7f8qf
    projected:
      defaultMode: 420
      sources:
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - configMap:
          items:
          - key: service-ca.crt
            path: service-ca.crt
          name: openshift-service-ca.crt
The oc get secret, base64 and openssl commands can be used together to view the content of the certificate stored in the secret. Check the Issuer, the Validity dates and the Subject against what the other side of the connection expects.
~]$ oc get secrets foo-tls --output jsonpath='{.data.tls\.crt}' | base64 --decode | openssl x509 -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1234567891234567890 (0x1a2b3c4d5e6f7g8h)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=openshift-service-serving-signer@1602707828
        Validity
            Not Before: Jan 12 20:43:07 2024 GMT
            Not After : Mar 12 20:43:08 2026 GMT
        Subject: CN=openshift-service-serving-signer@1602707828
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
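The steps above (read the peer IP out of the log line, map it to a pod with oc get pods --output wide, pull tls.crt out of the mounted secret and inspect it with openssl) can be scripted. The following is an added example, not code from the original article: ip_from_log and pod_for_ip work on the sample text shown above and run offline; inspect_peer_cert is the live version and assumes oc, base64 and openssl 1.1.1 or newer are available and that the pod mounts a secret volume whose tls.crt is the serving certificate.

```shell
# Added example, not from the article: tie a "TLS handshake error" log line to
# the peer pod and dump that pod's serving certificate for inspection.
# Assumptions: the Go net/http log format shown above, "oc get pods --output
# wide" column order (IP is column 6, NODE column 7), and a secret mounted via
# .spec.volumes[].secret that holds tls.crt. oc/openssl are only needed by
# inspect_peer_cert, which is not run here.
set -eu

# Print the peer IP from a handshake-error line, or nothing if it does not match.
ip_from_log() {
  printf '%s\n' "$1" |
    sed -n 's/.*TLS handshake error from \([0-9][0-9.]*\):[0-9]*:.*/\1/p'
}

# Read "oc get pods --output wide" output on stdin; print "NAME NODE" of the
# pod whose IP column equals $1 (header row skipped).
pod_for_ip() {
  awk -v ip="$1" 'NR > 1 && $6 == ip { print $1, $7 }'
}

# Live lookup on a cluster (assumed commands; not exercised offline): resolve
# the IP to a pod in the current namespace, take the first secret volume it
# mounts, and show subject, issuer, SANs and expiry of tls.crt. "-checkend 0"
# makes openssl exit non-zero if the certificate has already expired. Compare
# the issuer with the CA the client trusts (e.g. the service-ca.crt mounted above).
inspect_peer_cert() {
  ip="$1"
  pod=$(oc get pods --output wide | pod_for_ip "$ip" | awk '{ print $1 }')
  [ -n "$pod" ] || { echo "no pod in this namespace has IP $ip" >&2; return 1; }
  secret=$(oc get pod "$pod" \
    --output jsonpath='{.spec.volumes[*].secret.secretName}' | awk '{ print $1 }')
  [ -n "$secret" ] || { echo "pod $pod mounts no secret volume" >&2; return 1; }
  echo "pod=$pod secret=$secret"
  oc get secret "$secret" --output jsonpath='{.data.tls\.crt}' | base64 --decode |
    openssl x509 -noout -subject -issuer -ext subjectAltName -enddate -checkend 0
}

# Constructed sample input, copied from the article's own example output.
SAMPLE_LOG='2024/01/23 02:46:09 server.go:2926: http: TLS handshake error from 10.11.12.13:43722: remote error: tls: bad certificate'
SAMPLE_PODS='NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
foo-9mzm2 1/1 Running 0 8d 10.11.12.11 worker-hsjrp <none> <none>
foo-vmzmz 1/1 Running 0 8d 10.11.12.12 worker-v8r9r <none> <none>
bar-pflxc 1/1 Running 0 8d 10.11.12.13 worker-ab9df <none> <none>'

ip=$(ip_from_log "$SAMPLE_LOG")
printf 'peer %s is pod/node: %s\n' "$ip" "$(printf '%s\n' "$SAMPLE_PODS" | pod_for_ip "$ip")"
# On a cluster, continue with: inspect_peer_cert "$ip"
```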