cert-manager: csr key usages do not match specified usages, these should match if both are set: [[]certmanager.KeyUsage[3] != []certmanager.KeyUsage[4]]


Describe the bug: cert-manager does not want to issue certificate:

E0910 19:57:13.821238       1 controller.go:158] cert-manager/controller/CertificateRequestManager "msg"="re-queuing item  due to error processing" "error"="admission webhook \"webhook.cert-manager.io\" denied the request: spec.request: Invalid value: []byte{...}: csr key usages do not match specified usages, these should match if both are set: [[]certmanager.KeyUsage[3] != []certmanager.KeyUsage[4]]" "key"="default/kubernetes-pki-ca"

Expected behaviour: Certificate is “Ready”

Steps to reproduce the bug:

try:

---
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: "kubernetes-selfsigning-issuer"
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: "kubernetes-pki-ca"
spec:
  commonName: "kubernetes-pki-ca"
  secretName: "kubernetes-pki-ca"
  duration: 87600h # 3650d
  renewBefore: 8760h # 365d
  organization:
  - "kubernetes"
  usages:
  - "signing"
  - "digital signature"
  - "key encipherment"
  - "cert sign"
  isCA: true
  issuerRef:
    name: "kubernetes-selfsigning-issuer"
    kind: Issuer

or

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: "kubernetes-selfsigning-issuer"
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "kubernetes-pki-ca"
spec:
  commonName: "kubernetes-pki-ca"
  secretName: "kubernetes-pki-ca"
  duration: 87600h # 3650d
  renewBefore: 8760h # 365d
  subject:
    organizations:
    - "kubernetes"
  usages:
  - "signing"
  - "digital signature"
  - "key encipherment"
  - "cert sign"
  isCA: true
  issuerRef:
    name: "kubernetes-selfsigning-issuer"
    kind: Issuer

both are not working

Anything else we need to know?:

Environment details:

  • Kubernetes version v1.19.0
  • Cloud-provider/provisioner: kubeadm
  • cert-manager version: v1.0.0, v.1.0.1, v0.16.1
  • Install method: static manifests

/kind bug

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 15 (5 by maintainers)

Most upvoted comments

“Signing” and “digital signature” are the same; removing one of them will solve this. However, our code should handle removing this double better.

/priority important-soon
/area api
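The mismatch described in the comment above, as an added Go example (not cert-manager's own code): the four usage names from the Certificate spec collapse to three X.509 keyUsage bits once encoded in a CSR, so a count-based comparison reports `[3] != [4]` while a bitmask comparison passes. `usageBits`, `Encode`, `Decode` and `MatchesSpec` are hypothetical names, and the table covers only the four usages in this report, with "signing" treated as an alias of "digital signature" as the comment states.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// Constructed table for this report only; "signing" aliases "digital signature".
var usageBits = map[string]x509.KeyUsage{
	"signing":           x509.KeyUsageDigitalSignature,
	"digital signature": x509.KeyUsageDigitalSignature,
	"key encipherment":  x509.KeyUsageKeyEncipherment,
	"cert sign":         x509.KeyUsageCertSign,
}
var order = []string{"digital signature", "key encipherment", "cert sign"}

// Encode folds usage names into the keyUsage bitmask a CSR extension carries.
func Encode(names []string) (ku x509.KeyUsage, err error) {
	for _, n := range names {
		bit, ok := usageBits[n]
		if !ok {
			return 0, fmt.Errorf("unknown usage %q", n)
		}
		ku |= bit
	}
	return ku, nil
}

// Decode lists one name per set bit: all that can be read back from the CSR.
func Decode(ku x509.KeyUsage) []string {
	var out []string
	for _, n := range order {
		if ku&usageBits[n] != 0 {
			out = append(out, n)
		}
	}
	return out
}

// MatchesSpec compares bitmasks, so aliases or duplicates cannot skew a count.
func MatchesSpec(spec []string, csr x509.KeyUsage) bool {
	want, err := Encode(spec)
	return err == nil && want == csr
}

func main() {
	spec := []string{"signing", "digital signature", "key encipherment", "cert sign"}
	ku, _ := Encode(spec)
	fmt.Println(len(spec), len(Decode(ku)), MatchesSpec(spec, ku))
}
```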