Troubleshooting
Problem
When you use an HTTP/2-enabled Red Hat OpenShift (OCP) cluster, HTTP 503 errors can occur when you log in to the Cloud Pak interfaces. More specifically, the 503 error occurs when the OCP router redirects from a reencrypt route such as cp-console to a pass-through route such as the cpd route or the oauth-openshift route.
Cause
With the HTTP/2 protocol, a client can share one connection among multiple HTTP requests when certain conditions are met. When the initial connection is made to a reencrypt route, the OCP router interface handling this connection is not aware of the pass-through routes. So when a redirect occurs from a reencrypt route to a pass-through route, the OCP router responds with an HTTP 503.
This connection sharing across routes occurs when the same certificate is used for all the routes, for example when a single wildcard certificate is used.
Diagnosing The Problem
Enabling HTTP/2 Ingress connectivity provides details on how to enable HTTP/2.
You can run the following commands to see whether it is enabled in either place mentioned in the documentation:
oc get ingresses.config/cluster -oyaml
oc get ingresscontrollers -A -oyaml
oc get routes can be used to gather details about the routes.
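One way to automate these checks, as an added example that is not taken from the IBM or Red Hat documentation: the script reads `oc ... -o json` output, reports whether HTTP/2 is enabled, and lists routes that fall back to the default certificate or share a certificate with another route. The annotation key comes from the OpenShift HTTP/2 enablement documentation rather than this page; the `demo-ns` namespace, the `app-*` routes and the certificate strings are constructed, and certificates are assumed to be set inline in `spec.tls.certificate`.

```python
import hashlib
import json
import sys
from collections import defaultdict

# Annotation key from the OpenShift HTTP/2 enablement docs (not shown on this page).
HTTP2_ANNOTATION = "ingress.operator.openshift.io/default-enable-http2"

def http2_enabled(obj):
    """True if an ingresses.config or IngressController object enables HTTP/2."""
    ann = obj.get("metadata", {}).get("annotations") or {}
    return str(ann.get(HTTP2_ANNOTATION, "")).lower() == "true"

def audit_routes(route_list):
    """Return (default_cert, shared_cert, passthrough) lists of namespace/name."""
    default_cert, passthrough, by_cert = [], [], defaultdict(list)
    for r in route_list.get("items", []):
        name = f'{r["metadata"]["namespace"]}/{r["metadata"]["name"]}'
        tls = r.get("spec", {}).get("tls") or {}
        if tls.get("termination") == "passthrough":
            # TLS terminates at the backend, so the Route holds no certificate to compare.
            passthrough.append(name)
        elif tls.get("termination") in ("edge", "reencrypt"):
            pem = (tls.get("certificate") or "").strip()
            if pem:  # custom certificate: group identical PEMs by digest
                by_cert[hashlib.sha256(pem.encode()).hexdigest()].append(name)
            else:    # no custom certificate: router serves its default certificate
                default_cert.append(name)
    shared = sorted(n for names in by_cert.values() if len(names) > 1 for n in names)
    return sorted(default_cert), shared, sorted(passthrough)

def _route(name, termination, cert=None):
    """Build a constructed Route object in the demo-ns namespace (sample data only)."""
    tls = {"termination": termination, **({"certificate": cert} if cert else {})}
    return {"metadata": {"namespace": "demo-ns", "name": name}, "spec": {"tls": tls}}

SAMPLE_INGRESS = {"metadata": {"annotations": {HTTP2_ANNOTATION: "true"}}}
SAMPLE_ROUTES = {"items": [
    _route("cp-console", "reencrypt"),
    _route("cpd", "passthrough"),
    _route("oauth-openshift", "passthrough"),
    _route("app-a", "edge", "CONSTRUCTED-WILDCARD-PEM"),
    _route("app-b", "reencrypt", "CONSTRUCTED-WILDCARD-PEM"),
    _route("app-c", "edge", "CONSTRUCTED-UNIQUE-PEM"),
]}

if __name__ == "__main__":
    routes = SAMPLE_ROUTES if sys.stdin.isatty() else json.load(sys.stdin)
    for label, names in zip(("default cert", "shared cert", "passthrough"), audit_routes(routes)):
        print(f"{label}: {', '.join(names) or '-'}")
```

Pipe `oc get routes -A -o json` into the script to audit a live cluster; with no piped input it runs on the constructed sample.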
Resolving The Problem
When you use the default certificates or a common wildcard certificate for your routes, it is recommended to keep HTTP/2 disabled. By default, OCP has HTTP/2 disabled. If you want to remove HTTP/2 after you enabled it, then you can remove the annotations mentioned in Enabling HTTP/2 Ingress connectivity.
Note: You might not see the issue when you use Cloud Paks with the default-generated certificates although the OCP documentation does warn against this use case.
Otherwise, you need to ensure all your routes are using custom unique certificates as mentioned in the enablement documentation.
"To enable the use of HTTP/2 for the connection from the client to HAProxy, a route must specify a custom certificate. A route that uses the default certificate cannot use HTTP/2. This restriction is necessary to avoid problems from connection coalescing, where the client reuses a connection for different routes that use the same certificate."
Document Location
Worldwide
Document Information
Modified date:
19 August 2022
UID
ibm16611099