
crypto/x509: verification fails with "cannot parse dnsName" in intermediate #371

Closed
trunet opened this issue Feb 26, 2018 · 7 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@trunet

trunet commented Feb 26, 2018

Loading an intermediate certificate is generating this error:

E0226 11:51:47.736103       7 config.go:330] Expected to load root CA config from /var/run/secrets/kubernetes.io/serviceaccount/ca.crt, but got err: error reading /var/run/secrets/kubernetes.io/serviceaccount/ca.crt: x509: cannot parse dnsName "Trunet.co AMS Kubernetes Intermediate CA"

My intermediate CA, generated by HashiCorp Vault, contains:

X509v3 Basic Constraints: critical
    CA:TRUE
X509v3 Subject Alternative Name: 
    DNS:Trunet.co AMS Kubernetes Intermediate CA

This will probably be fixed on golang/go#23995

@sttts
Contributor

sttts commented Feb 27, 2018

So this is no client-go error, but Go?

@trunet
Author

trunet commented Feb 27, 2018

This is an error happening on ingress-nginx, which uses and calls client-go functions, which in turn use the Go x509 library. That should be fixed upstream, but if not, we could implement a workaround here (not saying that we should, but at least discuss the problem).

On golang/go#23995 (comment), they're asking for thumbs up if this affects you.

@ericchiang
Contributor

"Trunet.co AMS Kubernetes Intermediate CA" doesn't look like a DNS name. Why would you want that value as a SAN DNS name?

It sounds like this is getting fixed in 1.10.1. Since you can work around this today by making your DNS values look like actual DNS values, I don't think we should provide an external workaround.

@trunet
Author

trunet commented Feb 27, 2018

from: golang/go#23995 (comment)

This will affect all CA certs that have been generated by HashiCorp Vault 0.9.3 or earlier. Those versions always put the CN also into the DNS alt names, without checking if it actually is a DNS name. hashicorp/vault#3953 fixed that in anticipation of the change in Go.

Relaxing the verification for CA certs would greatly reduce pain for Vault operators because they wouldn't have to re-issue all of their cert chains.
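
As an added example (not code from this issue, ingress-nginx, client-go or Vault), the following Go program lints a PEM bundle such as a Kubernetes ca.crt and reports dnsName SAN entries that would trip the "cannot parse dnsName" check described above. It constructs, in memory, a self-signed CA of the kind Vault 0.9.3 and earlier produced, with the CN copied verbatim into the DNS SANs. The validity rule in validDNSName (non-empty labels, no trailing dot, printable ASCII without spaces) approximates the one in Go's crypto/x509 and is an assumption; the function names vaultStyleCA, BadSANs and LintPEM are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// validDNSName approximates the syntactic rule Go's crypto/x509 applies to
// dnsName SAN entries: every label non-empty, no trailing dot, and only
// printable ASCII excluding space (0x21-0x7e). A CN such as
// "Trunet.co AMS Kubernetes Intermediate CA" fails because of the spaces.
func validDNSName(s string) bool {
	if s == "" || strings.HasSuffix(s, ".") {
		return false
	}
	for _, label := range strings.Split(s, ".") {
		if label == "" {
			return false
		}
		for _, c := range label {
			if c < 0x21 || c > 0x7e {
				return false
			}
		}
	}
	return true
}

// BadSANs returns the dnsName SAN entries of cert that validDNSName rejects.
func BadSANs(cert *x509.Certificate) []string {
	var bad []string
	for _, n := range cert.DNSNames {
		if !validDNSName(n) {
			bad = append(bad, n)
		}
	}
	return bad
}

// LintPEM parses every CERTIFICATE block in pemData (e.g. a ca.crt bundle)
// and maps each offending certificate's CommonName to its bad SAN entries.
func LintPEM(pemData []byte) (map[string][]string, error) {
	out := map[string][]string{}
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if bad := BadSANs(cert); len(bad) > 0 {
			out[cert.Subject.CommonName] = bad
		}
	}
	return out, nil
}

// vaultStyleCA builds a constructed self-signed CA whose CN is copied into
// the DNS SANs, imitating the Vault <= 0.9.3 behaviour the issue describes.
func vaultStyleCA(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // the defect: CN reused as dnsName
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemData, err := vaultStyleCA("Trunet.co AMS Kubernetes Intermediate CA")
	if err != nil {
		panic(err)
	}
	findings, err := LintPEM(pemData)
	if err != nil {
		panic(err)
	}
	for subject, bad := range findings {
		fmt.Printf("%q: invalid dnsName SAN entries %q\n", subject, bad)
	}
}
```

Running LintPEM over an existing ca.crt before mounting it into a cluster tells an operator which certificates in the chain need re-issuing (or whether the Go fix in 1.10.1 is all that is needed), without waiting for a failing pod log to reveal it.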

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label May 28, 2018
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 27, 2018
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close
