Our organization is a current user of Venafi and we are attempting to implement cert-manager for our new DevSecOps pipeline. When we install and configure cert-manager we get an error from the first handshake with the Venafi server. The error on the Issuer creation is "local error: tls: no renegotiation".
We are on a large private network in an enterprise and my team has limited ability to effect a configuration change on the Venafi server. We believe it is running behind an IIS server.
Golang supports setting the TLS Configuration on the http.client to allow renegotiation. We were hoping that the cert-manager implementation could offer a command line flag or something to enable the feature.
If there is not a way to enable this could you please suggest a workaround that may be implemented at the cert-manager level?
We first opened this issue on the cert-manager repo but since they use the vcert libraries to create the http client object, they suggested opening the issue here.
Best regards,
John
@johnmarx-la this issue is usually due to a Trust Protection Platform misconfiguration, having client certificate authentication enabled for the "VEDSDK" web application in IIS. So that will be your quickest path to resolution (i.e. SSL Settings > Client certificates: Ignore). I don't believe there are any workarounds that can be implemented on the cert-manager side without code changes (i.e. updating the http.DefaultTransport TLSClientConfig to enable tls.RenegotiateOnceAsClient). We've been hesitant to make that change at the VCert client level as it would have some negative impact on performance and it shouldn't be necessary because there's really no reason to have client certificate authentication enabled for "VEDSDK" but we will take another look at the VCert client.
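The two messages above both point at the same client-side knob: Go's `tls.Config.Renegotiation`, which the request body asks cert-manager to expose and the reply says would have to be set on the transport's `TLSClientConfig` as `tls.RenegotiateOnceAsClient`. The following is an added example (not code from vcert, cert-manager or this thread) of what that change looks like in plain Go, so that anyone evaluating the trade-off can see exactly what it does and does not touch. It clones `http.DefaultTransport` rather than mutating it, keeps the exposure to a single renegotiation per connection, and includes a small classifier for the `local error: tls: no renegotiation` message that Go produces in this situation. The function names (`NewRenegotiatingTransport`, `IsNoRenegotiationError`, `Get`, `PoolFor`) and the local `httptest` server are assumptions made for this example; a Go TLS server never initiates renegotiation, so the local server only proves the client still works with the setting on and cannot reproduce the IIS behaviour itself. The server-side fix from the reply (SSL Settings > Client certificates: Ignore for VEDSDK) remains the preferred resolution; this is the client-side escape hatch when that is not available.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// NewRenegotiatingTransport returns a clone of http.DefaultTransport whose TLS
// configuration accepts exactly one server-initiated renegotiation per
// connection. That is the situation an IIS site creates when it asks for a
// client certificate after the initial handshake. Proxy settings, timeouts
// and HTTP/2 behaviour are inherited from the default transport; only the
// TLS client configuration is changed. Renegotiation exists only in TLS 1.2
// and earlier, so on a TLS 1.3 connection the setting has no effect.
func NewRenegotiatingTransport(rootCAs *x509.CertPool) *http.Transport {
	base, ok := http.DefaultTransport.(*http.Transport)
	if !ok {
		base = &http.Transport{}
	}
	tr := base.Clone()
	if tr.TLSClientConfig == nil {
		tr.TLSClientConfig = &tls.Config{}
	}
	tr.TLSClientConfig.MinVersion = tls.VersionTLS12
	// RenegotiateOnceAsClient is the narrowest setting that resolves the
	// error; RenegotiateFreelyAsClient would also work but widens exposure.
	tr.TLSClientConfig.Renegotiation = tls.RenegotiateOnceAsClient
	if rootCAs != nil {
		tr.TLSClientConfig.RootCAs = rootCAs
	}
	return tr
}

// IsNoRenegotiationError reports whether err is the alert Go's TLS client
// raises when the peer requests renegotiation and the client config forbids
// it. Go renders it as "local error: tls: no renegotiation".
func IsNoRenegotiationError(err error) bool {
	if err == nil {
		return false
	}
	return strings.Contains(err.Error(), "tls: no renegotiation")
}

// Get performs a GET through the renegotiation-enabled transport and returns
// the HTTP status code. Errors are returned unchanged so the caller can
// distinguish the renegotiation case with IsNoRenegotiationError.
func Get(url string, rootCAs *x509.CertPool) (int, error) {
	client := &http.Client{
		Transport: NewRenegotiatingTransport(rootCAs),
		Timeout:   10 * time.Second,
	}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.StatusCode, nil
}

// PoolFor builds a trust store containing only the local test server's
// certificate. In a real deployment RootCAs would point at the
// organisation's CA bundle instead.
func PoolFor(srv *httptest.Server) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	return pool
}

func main() {
	// Constructed stand-in for the Venafi endpoint: a local TLS server.
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	defer srv.Close()

	tr := NewRenegotiatingTransport(PoolFor(srv))
	fmt.Println("renegotiate once:", tr.TLSClientConfig.Renegotiation == tls.RenegotiateOnceAsClient)

	status, err := Get(srv.URL+"/vedsdk/", PoolFor(srv))
	fmt.Println("status:", status, "err:", err, "no-renegotiation error:", IsNoRenegotiationError(err))
}
```

The performance concern raised in the reply is real in the sense that a renegotiation costs a second handshake on an already-open connection, but with `RenegotiateOnceAsClient` that cost is paid at most once per connection and only when the server actually asks for it; connections to servers that never renegotiate are unaffected.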
For anyone hitting this issue while using cert-manager, please read cert-manager/cert-manager#3544 (comment) in which I described the two possible cases in which you might encounter local error: tls: no renegotiation, and the remediation actions you can take.