
Venafi Issuer error when configuring cert-manager. "local error: tls: no renegotiation" #148

Closed
johnmarx-la opened this issue Jan 6, 2021 · 2 comments
Labels
question Further information is requested

Comments

@johnmarx-la

johnmarx-la commented Jan 6, 2021

Our organization is a current user of Venafi and we are attempting to implement cert-manager for our new DevSecOps pipeline. When we install and configure cert-manager we get an error from the first handshake with the Venafi server. The error on the Issuer creation is "local error: tls: no renegotiation".

We are on a large private network in an enterprise and my team has limited ability to affect a configuration change on the Venafi server. We believe it is running behind an IIS server.

Golang supports setting the TLS Configuration on the http.client to allow renegotiation. We were hoping that the cert-manager implementation could offer a command line flag or something to enable the feature.

An example of the golang code is:

client := &http.Client{
    Transport: &http.Transport{
        TLSClientConfig: &tls.Config{
            RootCAs: caCertPool,
            // Allow the server to request one renegotiation per connection
            // instead of Go's default of refusing with "no renegotiation".
            Renegotiation: tls.RenegotiateOnceAsClient,
        },
    },
}
req, err := http.NewRequest(...

If there is not a way to enable this could you please suggest a workaround that may be implemented at the cert-manager level?

We first opened this issue on the cert-manager repo but since they use the vcert libraries to create the http client object, they suggested opening the issue here.

Best regards,
John

@tr1ck3r
Member

tr1ck3r commented Jan 6, 2021

@johnmarx-la this issue is usually due to a Trust Protection Platform misconfiguration, having client certificate authentication enabled for the "VEDSDK" web application in IIS. So that will be your quickest path to resolution (i.e. SSL Settings > Client certificates: Ignore). I don't believe there are any workarounds that can be implemented on the cert-manager side without code changes (i.e. updating the http.DefaultTransport TLSClientConfig to enable tls.RenegotiateOnceAsClient). We've been hesitant to make that change at the VCert client level as it would have some negative impact on performance and it shouldn't be necessary because there's really no reason to have client certificate authentication enabled for "VEDSDK" but we will take another look at the VCert client.

@tr1ck3r tr1ck3r added the investigating Research is needed label Jan 6, 2021
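The transport-level change discussed in the post and in the reply above, as an added example that is not VCert's or cert-manager's own code: it clones http.DefaultTransport (so enterprise proxy settings survive), pins RootCAs, opts into at most one server-initiated renegotiation only when asked, and recognises the resulting error. Function names and the PEM/flag parameters are assumptions for illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// newVenafiHTTPClient (hypothetical name) builds a client for a TPP/VEDSDK endpoint
// behind IIS. nil caPEM keeps the system roots; allowRenegotiation is the opt-in
// that IIS needs when client certificate authentication is enabled on the web app.
func newVenafiHTTPClient(caPEM []byte, allowRenegotiation bool) (*http.Client, error) {
	tlsCfg := &tls.Config{
		MinVersion:    tls.VersionTLS12,
		Renegotiation: tls.RenegotiateNever, // Go's default: refuse and alert
	}
	if caPEM != nil {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("caPEM contains no parsable CA certificate")
		}
		tlsCfg.RootCAs = pool
	}
	if allowRenegotiation {
		// Once, not Freely: bounds the extra handshake cost the maintainers were
		// wary of. Renegotiation does not exist in TLS 1.3, so this is a 1.2 concern.
		tlsCfg.Renegotiation = tls.RenegotiateOnceAsClient
	}
	tr := http.DefaultTransport.(*http.Transport).Clone() // keeps ProxyFromEnvironment
	tr.TLSClientConfig = tlsCfg
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}, nil
}

// isNoRenegotiationError recognises the crypto/tls failure from this issue so a
// caller can report the real remediation (fix IIS, or opt in above).
func isNoRenegotiationError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "tls: no renegotiation")
}

func main() {
	c, err := newVenafiHTTPClient(nil, true)
	if err != nil {
		panic(err)
	}
	fmt.Println("renegotiate once:", c.Transport.(*http.Transport).TLSClientConfig.Renegotiation == tls.RenegotiateOnceAsClient)
}
```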
@maelvls
Contributor

maelvls commented Aug 6, 2021

For anyone hitting this issue while using cert-manager, please read cert-manager/cert-manager#3544 (comment) in which I described the two possible cases in which you might encounter local error: tls: no renegotiation, and the remediation actions you can take.

@tr1ck3r tr1ck3r added question Further information is requested and removed investigating Research is needed labels Apr 1, 2022
@tr1ck3r tr1ck3r closed this as completed Apr 1, 2022