linkerd-proxy UnknownIssuer for certificates with EC P-521 #3777

Open
yarinm opened this issue Dec 2, 2019 · 5 comments

Comments

@yarinm

yarinm commented Dec 2, 2019

Bug Report

I've tried to make linkerd use certificates that are generated with EC P-521 instead of P-256, and I get this error from linkerd-proxy:

ERR! [   170.832625s] linkerd2_proxy_identity::certify Received invalid ceritficate: invalid certificate: UnknownIssuer

I've used the following commands to generate the CA and Issuer:

step certificate create identity.linkerd.cluster.local ca.crt ca.key --profile root-ca --no-password --insecure --curve P-521 --kty EC

step certificate create identity.linkerd.cluster.local issuer.crt issuer.key --ca ca.crt --ca-key ca.key --profile intermediate-ca --not-after 8760h --no-password --insecure  --curve P-521 --kty EC

What am I missing here?

And installed linkerd using the following:

helm upgrade linkerd  . --set-file Identity.TrustAnchorsPEM=ca.crt  --set InstallNamespace=false --set-file Identity.Issuer.TLS.CrtPEM=issuer.crt --set-file Identity.Issuer.TLS.KeyPEM=issuer.key --set Identity.Issuer.CrtExpiry=2020-11-25T09:49:30 --install

How can it be reproduced?

Using the commands described above

Logs, error output, etc


linkerd check output

kubernetes-api
--------------
√ can initialize the client
√ can query the Kubernetes API

kubernetes-version
------------------
√ is running the minimum Kubernetes API version
√ is running the minimum kubectl version

linkerd-config
--------------
√ control plane Namespace exists
√ control plane ClusterRoles exist
√ control plane ClusterRoleBindings exist
√ control plane ServiceAccounts exist
√ control plane CustomResourceDefinitions exist
√ control plane MutatingWebhookConfigurations exist
√ control plane ValidatingWebhookConfigurations exist
√ control plane PodSecurityPolicies exist

linkerd-existence
-----------------
√ 'linkerd-config' config map exists
√ heartbeat ServiceAccount exist
√ control plane replica sets are ready
√ no unschedulable pods
√ controller pod is running
√ can initialize the client
√ can query the control plane API

linkerd-api
-----------
| pod/linkerd-controller-8496f79d56-sq89v container linkerd-proxy is not ready <-- stuck on this

Environment

  • Kubernetes Version: 1.13.11
  • Cluster Environment: AKS
  • Host OS: Ubuntu 16
  • Linkerd version: edge-19.9.2
@zaharidichev
Member

@yarinm Can you verify that it works if your certs are not EC P-521? Also, what namespace is linkerd installed in?

@yarinm
Author

yarinm commented Dec 2, 2019

@zaharidichev The default in the tutorial is EC P-256 and that works well. I've also created the certificates using HashiCorp Vault and got the same results (P-521 fails and P-256 works).

It's installed in the linkerd namespace

@grampelberg
Contributor

We unfortunately only support one type of certificate currently. We'd love help updating the support to more certificate types. In the meantime we're working on getting the tooling to inspect and verify that the certs are valid for use by us.
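An operator-side pre-install check, added here as an example and not linkerd's own code: it parses a PEM certificate and rejects anything whose public key is not ECDSA on P-256, the one type the maintainers say is currently supported. The self-signed certificates are constructed in-process as stand-ins for the step-generated ca.crt / issuer.crt; the P-256-only rule is an assumption taken from this thread, not from linkerd's source.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckIssuerCurve parses a PEM certificate and accepts it only if its public key
// is ECDSA on P-256. It returns the curve name it found ("" if the key is not ECDSA).
func CheckIssuerCurve(certPEM []byte) (string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", fmt.Errorf("key algorithm %s is not ECDSA", cert.PublicKeyAlgorithm)
	}
	name := pub.Curve.Params().Name
	if name != "P-256" {
		return name, fmt.Errorf("curve %s is not P-256; expect UnknownIssuer from the proxy", name)
	}
	return name, nil
}

// selfSignedPEM builds a constructed self-signed CA on the given curve (a stand-in for ca.crt).
func selfSignedPEM(curve elliptic.Curve) []byte {
	key, _ := ecdsa.GenerateKey(curve, rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(CheckIssuerCurve(selfSignedPEM(elliptic.P521()))) // P-521 is rejected
}
```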

@yarinm
Author

yarinm commented Dec 2, 2019

@grampelberg is this documented somewhere? I didn't see any mention of that. Please add documentation about this constraint (or better logging) because I spent too much time investigating this...

@grampelberg
Contributor

Not yet! We're in the middle of adding a bunch of great docs and tooling to improve this experience.
