PreferredChain behaviour for letsEncrypt certificates after february 8 #6757

Closed
germanmichelena-dia opened this issue Feb 14, 2024 · 3 comments · Fixed by #6755

germanmichelena-dia commented Feb 14, 2024

On 11/02/2024 some letsencrypt certificates were updated in our cluster, and they were generated with the old certificate chain (signed by DST Root CA X3). We had configured "ISRG Root X1" as preferredChain in the clusterissuer. It seems that after the letsencrypt change in the default chain provided, the preferredChain configuration is not working properly.

https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580

To solve this, we removed the preferredChain configuration in the clusterissuer, and the certificate provided by letsencrypt was the right one (signed by ISRG Root X1). Is anyone else having this issue?

Our cert-manager version is 1.12.3
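
A check an operator could run on an issued bundle to see which root it leads to, as an added example that is not part of the original issue or of cert-manager's code. The intermediate name "R3" and the generated certificates are constructed stand-ins, and `ChainIssuers` and `constructedChain` are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ChainIssuers returns the issuer CN of each certificate in a PEM bundle, leaf
// first as in a Secret's tls.crt; the last entry names the root the chain leads to.
func ChainIssuers(bundle []byte) ([]string, error) {
	var cns []string
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		cns = append(cns, cert.Issuer.CommonName)
	}
	if len(cns) == 0 {
		return nil, fmt.Errorf("no certificates in bundle")
	}
	return cns, nil
}

// constructedChain builds throwaway certificates (constructed data) carrying the given issuer CNs.
func constructedChain(issuers ...string) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	var out []byte
	for i, cn := range issuers {
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
		parent := &x509.Certificate{Subject: pkix.Name{CommonName: cn}}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
		if err != nil {
			panic(err)
		}
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	return out
}

func main() {
	// Constructed long chain: the last issuer printed is the root the chain leads to.
	fmt.Println(ChainIssuers(constructedChain("R3", "ISRG Root X1", "DST Root CA X3")))
}
```

Given the decoded `tls.crt` of a certificate's Secret, the last entry shows whether the chain leads to DST Root CA X3 or ISRG Root X1. In the constructed data both chains contain an "ISRG Root X1" issuer, so only the last entry tells them apart.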

germanmichelena-dia changed the title from "preferredChain behaviour for letsEncrypt certificates after february 8" to "PreferredChain behaviour for letsEncrypt certificates after february 8" on Feb 14, 2024

inteon (Member) commented Feb 14, 2024

See #6755 (comment) for our current plan of action.
PTAL and let us know what you think @germanmichelena-dia

germanmichelena-dia (Author) commented

Thanks for the quick answer, I agree with the solution

wallrj (Member) commented Feb 16, 2024

Let's leave this open and pin it so that users can read more about it, until we implement the solution:

wallrj reopened this Feb 16, 2024
wallrj pinned this issue Feb 16, 2024
wallrj added this to the 1.15 milestone Feb 20, 2024