-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ca.crt to TLS secret generated by ACME issuers #1571
Comments
ca.crt
to TLS secret generated by ACME issuers
If this is something we are able to obtain from the ACME server (and it sounds like that is possible), then a +1 from me on this! 😄 If anyone is interested in putting together a PR for this, it'd be greatly appreciated 😄 it may require some changes to our ACME client to expose enough information for us to determine what to use. We'll also need to somehow 'passback' this information via the Order resource. Perhaps having a new field, |
Hi I'm not sure if this is related to an issue we're experiencing but would welcome some insight. We've implemented a ACME Issuer which has created a certificate which all checks out using SSL Server Test at SSL Labs. We can connect with SSL for browser connections etc. The issue we're having is when trying a connection with node (specifically Realm.io Data Adapter) we're getting a "The server certificate was not signed by any root certificate" "Verify return code: 21 (unable to verify the first certificate)". We're new to kubernetes / ingess SSL but doing some reading this seems to be an issue with the ca.crt?.. is this correct?.. On checking the secret we do have a 'null' ca.crt. Are you able to advise on what the issue is / how to resolve?.. Thanks |
If the OP means the root certificate and not an intermediate it isn't possible. ACME makes no provisions for communicating roots: these are meant to be present on the relying party systems out of band.
Note that |
Sorry for the late follow-up on this but @cpu is totally right. The Closing as the intermediate certs are already provided and root certs cannot be retrieved according to the standard. |
I respectfully disagree with the conclusion of this issue. It's well understood that the ACME spec itself does not explicitly support the retrieval of an issuer's root CA certificate. However the Clearly the issuing intermediate can be derived [1] [2]. But these tricks represent an operational burden. Cert-manager could at least optionally support automatic population of the In my opinion the most important benefit of populating Please consider re-opening this issue, or if it is more appropriate to create a new issue, I'm happy to do that. |
For what it's worth having an empty |
Also, not un-related, the empty field that ends up in the k8s secret |
Also related, using istio (1.4.2) with cert-manager and ingress-sds will not work due to the missing ca.crt with the following log line:
|
Also related, using opendistro-es does not work with cert-manager le certs as it expects the cert, key and ca to all exist under a single secret. It is also not possible to use for example /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem as it expects the ca file to exist within its config path. If the LE ca itself can not be included could not a copy of normal OS level ca bundles not be includable perhaps via a flag? Or even just a flag so we can manually set the ca.crt contents and cert-manager will include this in the secret as ca.crt |
+1 here. We can't use our cert-manager ACME Issuer with Couchbase Autonomous Operator. The DAC need a secret containing a ca.crt. And for security reasons, storing our private key in a k8s secret for a CA Issuer is not an option. Please consider reopening this issue. |
This isn't something that is going to be resolved in cert-manager for the reasons already discussed above - if you are looking for a project/controller to help with CA certificate/trust distribution, take a look at cert-manager/trust instead 😄 |
@munnerz I'm a little late to the party, but as the problem still persists: While cert-manager/trust seems neat, it's not the solution to the problem described here (as shown by the reactions to your last comment). The problem with ACME certificates is that the resulting secrets don't meet the expectation of many applications that So what's being asked for, if I understand people correctly, is just some way to have cert-manager split the tls.crt into tls.crt and ca.crt for me, so I can immediately use the certificate. I could imagine this as a flag on the issuer. |
+1 on open this for more discussion. The biggest problem is a lot of software assumes a secret contains |
Facing the same issue now with opensearch. Sounds ridicoulous annoying to me :-( We can now either create a secret syncer, which will take the secret and add ca.crt or patch it into certmanager. I have no clue why this problem is so common but still no real solution is provided. |
@pschichtel If you are using a Let's Encrypt certificate for your openldap server, try configuring openldap to use the Let's Encrypt root cert that is included in the container image: LDAP_TLS_CA_FILE: /etc/ssl/certs/ISRG_Root_X1.pem # CA file
# OR
LDAP_TLS_CA_FILE: /etc/ssl/certs/ca-certificates.crt # CA bundle
I can't tell how openldap uses that CA certificate / bundle. The documentation suggests that it is used to verify the signatures of client TLS certificates:
But that seems inappropriate when the certificate is issued by Let's Encrypt, since it would allow any client with a Let's Encrypt signed client certificate to connect to the server. |
Was just researching this issue and came across this discussion thread. "The server uses the CA certificate to verify its clients, and we must use the key ca.crt to hold the CA certificate." I am using cert-manager along with istio-csr to issue certificates within istio using internal ACME services. Theoretically it could be solved by introducing some additional field/flag in cert-manager's "Certificate" resource (https://cert-manager.io/docs/concepts/certificate/), to manually provide contents of ca.crt that will be included in secret with certificate but it seems much cleaner and easier to include it as it was discussed above. |
ha, just after posting I realized that what I am asking about is already in progress and was linked above... cross linked it to here. |
@michal-rybinski The Istio Gateway API docs say:
So can you create a separate Secret called Afterall, the client certificates need not (should not?) be signed by the same CA as signed the Gateway server certificate. |
/reopen Because I think the documentation should at least explain why the ACME issuer doesn't (won't?) create ca.crt file and explain what the preferred alternatives are. |
@wallrj: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Huh... I cannot believe I missed that.... thank you very much for pointing that out! I'll give it a go and test. But, regarding the problem this issue is about, I suppose good docs around the reasoning behind absence of such option would be something that would prevent such requests in the future. |
Hi there. I am issuing the same problem with oci native ingress controller (oracle K8s engine - oke). Load balancer expect ca.crt in TLS secret. So the process fails an none tls listener is configured. |
I am also facing the same problem with securityAdmin in opensearch deployment where it won't work because of missing ca.crt file in the secret which that job uses. |
I'm having same problem with emqx cluster, to enable ssl/tls feature we need ca.crt field |
having the same issue with bank vault :( |
Any updates? I'm encountering the same issue with RabbitMQ: |
Btw, you can use letsencrypt like the following:
and in the rabbitMQ to set the following block:
existingSecretFullChain: Existing secret with certificate content be mounted instead of the ca.crt coming from caCertificate or existingSecret/existingSecretFullChain. |
I also think it would be nice to have this behavior implemented. I'm trying to configure mTLS between an |
Is your feature request related to a problem? Please describe.
The
ca.crt
field is added to the TLS secret generated by CA issuers, but is null for ACME issuers.Describe the solution you'd like
The Issuer uses the Link header returned by the ACME protocol as defined by the ACME standard to fetch the issuer's cert and places it inside the TLS secret under the
ca.crt
key.ACME standard
The
Link
header is mentioned inSection 6.5 Certificate Issuance
of the ACME standard draft. Refer to the last paragraph on page 30 here: https://tools.ietf.org/html/draft-ietf-acme-acme-02Environment details (if applicable):
/kind feature
The text was updated successfully, but these errors were encountered: