cert-manager: The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block
Hello! I try to get certificate from cert-manager for linkerd use and have problem. I create vault issuer, and certificate. Certificate creates, but Certificate has False status and I see many certificates in vault, for each iteration of create certificate with cert-manager.
$ kubectl get issuers.cert-manager.io -n linkerd
NAME READY AGE
linkerd-trust-anchor True 54m
$ kubectl get certificates.cert-manager.io -n linkerd
NAME READY SECRET AGE
linkerd-identity-issuer False linkerd-identity-issuer 54m
$ kubectl describe certificate -n linkerd linkerd-identity-issuer
...
Status:
Conditions:
Last Transition Time: 2021-06-25T13:49:26Z
Message: Issuing certificate as Secret does not exist
Observed Generation: 1
Reason: DoesNotExist
Status: False
Type: Ready
Last Transition Time: 2021-06-25T13:49:27Z
Message: The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block
Observed Generation: 1
Reason: Failed
Status: False
Type: Issuing
Last Failure Time: 2021-06-25T13:49:27Z
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Issuing 55m cert-manager Issuing certificate as Secret does not exist
Normal Generated 55m cert-manager Stored new private key in temporary Secret resource "linkerd-identity-issuer-rdsss"
Normal Requested 54m cert-manager Created new CertificateRequest resource "linkerd-identity-issuer-bvzfm"
Warning Failed 54m cert-manager The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: linkerd-trust-anchor
namespace: linkerd
---
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: v1
kind: Secret
metadata:
name: linkerd-trust-anchor-secret
namespace: linkerd
annotations:
kubernetes.io/service-account.name: linkerd-trust-anchor
type: kubernetes.io/service-account-token
---
# Source: linkerd-issuers/templates/certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: linkerd-identity-issuer
namespace: linkerd
spec:
secretName: linkerd-identity-issuer
duration: 48h
renewBefore: 25h
issuerRef:
name: linkerd-trust-anchor
kind: Issuer
commonName: identity.linkerd.cluster.local
dnsNames:
- identity.linkerd.cluster.local
isCA: true
privateKey:
algorithm: ECDSA
size: 256
usages:
- cert sign
- crl sign
- server auth
- client auth
---
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: linkerd-trust-anchor
namespace: linkerd
spec:
vault:
path: linkerd/sign/linkerd-trust-anchor
server: https://myvaultaddr/
auth:
kubernetes:
role: linkerd-trust-anchor
mountPath: /v1/auth/kubernetes-new
secretRef:
name: linkerd-trust-anchor-secret
key: token
Expected behaviour: I must see linkerd-identity-issuer secret in linkerd namespace and READY status of Certificate true
Steps to reproduce the bug: I use this guides for setup vault issuer and this commands: https://cert-manager.io/docs/configuration/vault/ https://linkerd.io/2.10/tasks/automatically-rotating-control-plane-tls-credentials/# https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager?in=vault/kubernetes#configure-pki-secrets-engine
$ vault secrets enable -path linkerd pki
$ vault secrets tune -max-lease-ttl=175200h linkerd
$ vault write linkerd/root/generate/internal common_name=identity.linkerd.cluster.local key_type=ec key_bits=256 ttl=175200h
$ vault write linkerd/config/urls issuing_certificates="https://myvaultaddr/v1/linkerd/ca" url_distribution_points="https://myvaultaddr/v1/linkerd/crl"
$ vault write linkerd/roles/linkerd-trust-anchor allowed_domains=cluster.local allow_subdomains=true max_ttl=48h key_type=ec key_bits=256
$ vault policy write linkerd-trust-anchor - <<EOF
path "linkerd*" { capabilities = ["read", "list"] }
path "linkerd/roles/linkerd-trust-anchor" { capabilities = ["create", "update"] }
path "linkerd/sign/linkerd-trust-anchor" { capabilities = ["create", "update"] }
path "linkerd/issue/linkerd-trust-anchor" { capabilities = ["create"] }
EOF
$ vault write auth/kubernetes-new/role/linkerd-trust-anchor bound_service_account_names=linkerd-trust-anchor bound_service_account_namespaces=linkerd policies=linkerd-trust-anchor ttl=20m
Anything else we need to know?:
Environment details::
- Kubernetes version: v1.21.0
- cert-manager version: v1.4.0
- Install method: helm
/kind bug
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Comments: 17 (6 by maintainers)
Commits related to this issue
- fix check for self-signed certs in EncodeX509Chain see also https://github.com/jetstack/cert-manager/issues/4142 EncodeX509Chain checked for self-signed certs by comparing the subject and issuer of ... — committed to SgtCoDFish/cert-manager by SgtCoDFish 3 years ago
- fix check for self-signed certs in EncodeX509Chain see also https://github.com/jetstack/cert-manager/issues/4142 EncodeX509Chain checked for self-signed certs by comparing the subject and issuer of ... — committed to SgtCoDFish/cert-manager by SgtCoDFish 3 years ago
- fix check for self-signed certs in EncodeX509Chain see also https://github.com/jetstack/cert-manager/issues/4142 EncodeX509Chain checked for self-signed certs by comparing the subject and issuer of ... — committed to jetstack-bot/cert-manager by SgtCoDFish 3 years ago
- Release 1.5 (#6) * Remove CA annotation being set on Venafi CertificateSigningRequest controller Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com> * Adds comment about what the pickup ID is i... — committed to adobe-platform/cert-manager by eadasiak 3 years ago
- Release 1.5.3 (#7) * Adds random domain suffix to Venafi e2e tests Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com> * Change CSRModifer in Kube CSR conformance tests to be a function in defi... — committed to adobe-platform/cert-manager by eadasiak 3 years ago
- Release 1.5 (#6) * Remove CA annotation being set on Venafi CertificateSigningRequest controller Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com> * Adds comment about what the pickup ID is in the... — committed to eadasiak/cert-manager by eadasiak 3 years ago
- Release 1.5.3 (#7) * Adds random domain suffix to Venafi e2e tests Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com> * Change CSRModifer in Kube CSR conformance tests to be a function in defi... — committed to eadasiak/cert-manager by eadasiak 3 years ago
- Update to 1.5.4 on top of release-1.5-adobe branch Release 1.5 (#6) * Remove CA annotation being set on Venafi CertificateSigningRequest controller Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com>... — committed to eadasiak/cert-manager by eadasiak 3 years ago
- Continuation of jetstack v1.5.4 on top of release-1.5-adobe Release 1.5.3 (#7) * Adds random domain suffix to Venafi e2e tests Signed-off-by: joshvanl <vleeuwenjoshua@gmail.com> * Change CSRModifer... — committed to eadasiak/cert-manager by eadasiak 3 years ago
I can confirm this is a bug in these functions introduced in cert-manager 1.4. It can be reproduced in unit tests with the following patch applied against the master branch:
cert-manager 1.4.1 has just been released, which includes the fix for this issue š
Thank you to everyone involved in raising it and providing the details we needed to diagnose it and fix it!
For reference, the actual bug has been in cert-manager since Jan 2019:
https://github.com/jetstack/cert-manager/blob/f489c7df0210c5066a057344265cf614d72ba0ee/pkg/util/pki/csr.go#L464-L479
specifically these lines.
cert-manager 1.4 just started using this older function in other places, which surfaced the old bug.
Iāll raise a PR to fix; weāll almost certainly release cert-manager 1.4.1 as a bugfix release for this
Hi @maelvls, thanks a lot for looking into the issue. For me the issue is happening not due to using vault. I have a self-signed issuer created root CA, which then use to sign leaf certificate. Example manifest:
But when I changed the ācommonNameā between CA and the certificate, Iām able to create the certificate.
BTW, as already mentioned here using different ācommonNameā is only a worst case option for us.
@rumanzo I was able to reproduce the issue using Vault v1.7.3 and cert-manager v1.4.0. I also tested with cert-manager v1.3.1 and it does not have the issue. That looks like a regression.
Steps I took:
Then, the manifests:
The error:
As @SgtCoDFish suggested during this morningās standup, we need to āknowā what Vault is returning in order to investigate. Here is the call made by cert-manager to vault (using
mitmproxy):The returned
certificateseems OK:The
issuing_ca:We are also facing the same issue. Unfortunately changing the CN between CA and certificate is not an option for us. Is it possible to fix this issue in a coming version?
You are right, itās old part of code. But in version <v1.4.0 this part not used with vault issuer
@rumanzo not sure what you mean. Isnāt issuer and CA the same thing in your case? Anyways, as far as I know CN must be different within the same subject (obviously to distinguish between different certs).
Looks like Iāve stumbled on the same issue. 1.3.1 worked, but I still donāt understand whatās the reason. @rumanzo youāve posted a link where RawIssuer and RawSubject are checked - does it mean that it compares issuer subject and request subject? Iām not providing commonName at all and use only dnsNames.
Edit: did some tests and everything confirmed, if subject is the same for issuer and requested cert it doesnāt work and this is the only reason.
And finally, this is correct (different common_name)
Itāis not a bug, but feature request to improve logging