Describe the bug:
CA Issuer's certificate is no longer bundled with the resulting issued certificate.
Expected behaviour:
The CA Issuer's certificate is bundled within tls.crt.
/kind bug
The actual CA itself is purposely not included as part of the tls.crt section, in favour of storing it only in the ca.crt field.
The intermediate certificate will be included if it exists, however, meaning the tls.crt should form a certificate chain to the root (ca.crt).
Hope that makes sense, and please let me know if that isn't what you are seeing!
Thanks for clarifying @munnerz! In previous releases, the ca.crt was bundled, correct? If so, what was the reason this has changed?
I ask this because we were previously using cert-manager 0.5.0 where it seemed like the ca.crt was bundled into tls.crt. Another service used the tls.crt to obtain the ca.crt bundled within it, and the new changes now would break them.
Presumably, your issuer is configured with a self-signed root? If so, there's an explicit check since v0.6 that excludes self-signed roots from being a part of certificate chains: https://github.com/jetstack/cert-manager/blob/2f99b3155acb8fe61400c0cdae0196d1c08f5630/pkg/util/pki/csr.go#L250-L253
The pull request that changed this: https://github.com/jetstack/cert-manager/pull/1077
Thank you for pointing me to the information, @munnerz.