Problem with certificate in route since a change has been made in cert-manager #119

Open
whitelion-github opened this issue Feb 16, 2022 · 12 comments

Comments

@whitelion-github

We opened an issue with the Jetstack folks about a change they've made recently in cert-manager.
See our case: cert-manager/cert-manager#4829.

Problem since we upgraded from cert-manager 1.2.0 to 1.6.1.

To make a long story short, the root CA is no longer available in tls.crt in the output secret generated by cert-manager, only the sub CA. In our case, to make it work, we need the root CA or the full chain (root & sub).

When the route is called, the client (AWS API Gateway) requires that there be a root CA at the end, and that is not the case.
If we add the annotation inject-CA: 'True' to the route, we have the root CA in the caCertificate section and the sub CA in the certificate section (root and sub are split, not together as a full chain), and it does not work either.

Do you plan a change to adapt to this change made by cert-manager?

@raffaelespazzoli
Contributor

raffaelespazzoli commented Feb 16, 2022 via email

@whitelion-github
Author

I will go with a concrete example of my config and my route with cert-manager 1.6.1.

kind: route
annotations:
  cert-utils-operator.hydroquebec.com/certs-from-secret: cert-secret
  cert-utils-operator.hydroquebec.com/destinationCA-from-secret: cert-secret

kind: secret cert-secret (secret created by cert-manager)
[ca.crt]
  root ca
[tls.crt]
  signed certificate
  sub ca

Final route populated by cert-utils-operator:

tls:
  certificate:
    public cert
    sub cert (in earlier version 1.22, root was also here = full chain)
  key:
    private key
  destinationCACertificate:
    sub cert

Before the change, tls.crt had the full chain (cert + root + sub) and populated the certificate of my route. Now it's not the case. Whatever I do, I will never be able to have the full chain.

If I add the annotation inject-CA: 'True', it will add
tls:
  ...
  caCertificate
to my route with only the root CA. Since the root CA and the sub are separate, it does not work either.

@whitelion-github
Author

Indentation not good...

@whitelion-github
Author

Hope you'll understand the explanation.

@whitelion-github
Author

The point is how you can populate the full chain (root/sub) together using cert-utils-operator if the cert-manager secret separates root and sub.

@raffaelespazzoli
Contributor

I understand the point, I don't understand the issue still.
Let's start from the beginning, do you get the ca.crt from cert-manager?
if so, do you set the inject-CA to true?

@whitelion-github
Author

Yes, we get the ca.crt (containing only the public root cert).
With cert-manager 1.2.0 we were not using the inject-CA annotation because the full chain certificate was available in tls.crt, so we were OK using only the certs-from-secret annotation. In the route, we had the complete chain in the certificate section.
It's not the case anymore.

Setting the annotation inject-CA to true does not solve the problem because the sub and the root are separated.

kind: route

  certificate (populated using the certs-from-secret annotation)
    signed certificate
    sub

  caCertificate (populated using the inject-CA annotation)
    root

@raffaelespazzoli
Contributor

Setting the annotation inject-CA to true does not solve the problem because the sub and the root are separated.
This shouldn't be the case, my understanding is that the route should present a certificate that is the merge of the ca.crt and tls.crt. You are basically saying that the ca.crt is being ignored, correct?
Then what configuration would work for you? This sounds more like an OCP issue than cert-utils. What version of OCP do you have?

@whitelion-github
Author

You're right, ca.crt and tls.crt is a merge of the signed certificate with its CA. The CA chain must stay together.

I should have, in the OCP route, sub and root in the same definition block under tls. The merge of the certificate block (signed certificate) and the caCertificate block with root and sub is working if I manually provision the route.

But I can't explain why the merge of the certificate block with sub and the caCertificate block with root doesn't give a good configuration. I think sub and root must stay together; it's a chain, it makes sense to keep it together.

As I say, we need to find a way to get sub & root as a chain in the same route definition block.

If I go further, why doesn't ca.crt contain both the CA & sub certificate and tls.crt only the signed certificate? It would solve the problem. A question I should ask the Jetstack team.

OCP : 4.8

@whitelion-github
Author

How we succeeded in solving this issue: we forked the cert-utils-operator code to manipulate the certificate in the route. We now always use inject-CA: true in our route. The new code removes the intermediate (sub) CA from the "certificate" section. Then it copies this certificate into "caCertificate", where we already have the root certificate, so we can have the two certificates (CA and sub) together. It works this way.
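
The split described in the last comment (leaf alone in certificate, sub CA followed by root together in caCertificate), written out as an added Go example. This is not cert-utils-operator's code nor the fork mentioned above; Go is used because the operator itself is written in Go. SplitChainForRoute, parsePEMCerts, encodePEM and newTestChain are names chosen for this example, and the certificate hierarchy is generated in memory as constructed sample data laid out like a cert-manager >= 1.6 secret (tls.crt = leaf + sub CA, ca.crt = root). It adds one check the thread does not mention: the leaf is verified against ca.crt through the sub CAs before the route fields are produced, so a secret whose CA does not match is rejected instead of being written into a route that the client will refuse.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parsePEMCerts decodes every PEM block of a bundle as a certificate, in order.
func parsePEMCerts(bundle []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// encodePEM concatenates certificates into one PEM bundle, in the given order.
func encodePEM(certs []*x509.Certificate) string {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return string(out)
}

// SplitChainForRoute rebuilds a Route's spec.tls from a cert-manager secret: the
// leaf from tls.crt becomes certificate; the sub CA(s) from tls.crt followed by the
// root from ca.crt become caCertificate, so the CA chain stays together in one block.
// It refuses a split that does not verify, so a bad secret cannot produce a broken route.
func SplitChainForRoute(tlsCrt, caCrt []byte) (certificate, caCertificate string, err error) {
	chain, err := parsePEMCerts(tlsCrt)
	if err != nil {
		return "", "", fmt.Errorf("tls.crt: %w", err)
	}
	rootPool := x509.NewCertPool()
	if !rootPool.AppendCertsFromPEM(caCrt) {
		return "", "", fmt.Errorf("ca.crt holds no parseable certificate")
	}
	// Select by BasicConstraints rather than by position, so a reordered bundle is handled.
	var leaf *x509.Certificate
	var subs []*x509.Certificate
	for _, c := range chain {
		if c.IsCA {
			subs = append(subs, c)
		} else if leaf == nil {
			leaf = c
		}
	}
	if leaf == nil {
		return "", "", fmt.Errorf("tls.crt holds no end-entity certificate")
	}
	// The leaf must chain to ca.crt through the sub CAs; otherwise the route would
	// fail against the client in exactly the way the thread describes.
	subPool := x509.NewCertPool()
	subPool.AppendCertsFromPEM([]byte(encodePEM(subs)))
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: subPool}); err != nil {
		return "", "", fmt.Errorf("leaf does not chain to ca.crt: %w", err)
	}
	return encodePEM([]*x509.Certificate{leaf}), encodePEM(subs) + string(caCrt), nil
}

// newTestChain builds a throwaway root -> sub CA -> leaf hierarchy in memory, laid out
// like a cert-manager >= 1.6 secret (constructed sample data): tls.crt = leaf + sub CA, ca.crt = root.
func newTestChain() (tlsCrt, caCrt []byte) {
	serial := int64(0)
	issue := func(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		serial++
		t := &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: isCA,
			KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		if parent == nil { // self-signed root
			parent, parentKey = t, key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
		if err != nil {
			panic(err)
		}
		c, _ := x509.ParseCertificate(der)
		return c, key
	}
	root, rootKey := issue("Test Root CA", true, nil, nil)
	sub, subKey := issue("Test Sub CA", true, root, rootKey)
	leaf, _ := issue("app.example.internal", false, sub, subKey)
	return []byte(encodePEM([]*x509.Certificate{leaf, sub})), []byte(encodePEM([]*x509.Certificate{root}))
}
```

To apply it to a real secret, feed the decoded tls.crt and ca.crt keys (for instance from `oc get secret cert-secret -o jsonpath='{.data.tls\.crt}' | base64 -d`) into SplitChainForRoute and write the two returned strings to spec.tls.certificate and spec.tls.caCertificate of the Route.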

2 participants