Cannot access consoles that use shared certificates

You might find that you cannot access your product console or application console when you share certificates between icp-console and icp-proxy routes.

Causes

icp-console and icp-proxy routes share the same OpenShift Container Platform router application domain, for example, app.ocp.ibm.com. If you configure wildcard certificates to include *.app.ocp.ibm.com for both OpenShift Container Platform routes, the browser assumes that the connections are to the same server and attempts to reuse the existing connection. However, icp-console and icp-proxy routes point to different servers. Sharing the wildcard certificates results in the following error from the browser.

default http backend, application requested not found

Resolving the problem

  1. Disable http2 in NGINX ingress.

     oc -n kube-system edit configmap nginx-ingress-controller

     Add the option use-http2: false to the configuration file, then delete the nginx-ingress-controller pods to restart them.

  2. Use a different certificate for the application that is proxied by NGINX ingress. You can set a different certificate CN for your application.
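
The connection reuse described under Causes, and the effect of each of the two fixes, can be modelled offline. The following is an added example, not IBM code: the function names, the router IP address and the per-route http2 flags are assumptions, and the route data is constructed sample input.

```python
# Added example; hosts, IP, SANs and http2 flags are constructed sample data.
def san_covers(san, host):
    """True if one certificate name covers host; '*' matches one leftmost label only."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]

def reusable_connections(routes):
    """Return (connection_owner, other_host) pairs where a browser may send
    requests for other_host over the HTTP/2 connection it opened to the owner.
    Reuse needs HTTP/2 on the owner, a shared IP, and an owner certificate
    that is also valid for the other host."""
    found = []
    for owner in routes:
        if not owner["http2"]:
            continue  # fix 1: an HTTP/1.1 connection is never shared across hosts
        for other in routes:
            if other is owner or not set(owner["ips"]) & set(other["ips"]):
                continue
            if any(san_covers(s, other["host"]) for s in owner["sans"]):
                found.append((owner["name"], other["host"]))
    return found

ROUTER_IP = "192.0.2.10"  # constructed: both routes resolve to the same router
CONSOLE = {"name": "icp-console", "host": "icp-console.app.ocp.ibm.com",
           "ips": [ROUTER_IP], "sans": ["*.app.ocp.ibm.com"], "http2": False}
PROXY = {"name": "icp-proxy", "host": "icp-proxy.app.ocp.ibm.com",
         "ips": [ROUTER_IP], "sans": ["*.app.ocp.ibm.com"], "http2": True}

SHARED = [CONSOLE, PROXY]                                   # failing setup
FIX_HTTP2_OFF = [CONSOLE, dict(PROXY, http2=False)]          # step 1
FIX_OWN_CERT = [CONSOLE, dict(PROXY, sans=[PROXY["host"]])]  # step 2

if __name__ == "__main__":
    for label, routes in [("shared wildcard", SHARED),
                          ("use-http2: false", FIX_HTTP2_OFF),
                          ("separate certificate", FIX_OWN_CERT)]:
        print(label, "->", reusable_connections(routes))
```

A non-empty result names the route whose connection can end up carrying requests for the other host, which is the condition that produces the default backend error.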