GKE kubernetes version 1.12.6-gke.10
using the cert manager installed by kube-prod-runtime https://github.com/bitnami/kube-prod-runtime
When I install a cert using the ingress annotation
kubernetes.io/tls-acme: "true"
certmanager.k8s.io/cluster-issuer: "letsencrypt-staging"
I get the following response from curl -vkI
successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=sample-rails-app-development.mydomain.com
* start date: May 14 00:00:50 2019 GMT
* expire date: Aug 12 00:00:50 2019 GMT
* issuer: CN=Fake LE Intermediate X1
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x559afbcb5900)
> HEAD / HTTP/2
> Host: sample-rails-app-development.mydomain.com
> User-Agent: curl/7.58.0
> Accept: */*
When I visit the URL in the browser I get
NET::ERR_CERT_AUTHORITY_INVALID
Subject: Kubernetes Ingress Controller Fake Certificate
Issuer: Kubernetes Ingress Controller Fake Certificate
Expires on: Apr 17, 2020
Current date: May 14, 2019
It looks like there is a more general issue here with your certificate being issued, as the certificate being used there is not issued by cert-manager (it's the in-built default, self signed certificate that ingress-nginx uses).
Can you run kubectl describe ingress,certificate to try and understand what part of the issuance flow is failing?
I'm going to close this issue as we try to funnel support requests via the Kubernetes Slack channel (slack.k8s.io). There's 1.8k other users there, and we'll be able to help get you up and running 😄
I've got the same issue, it looks like the certificate has been created and issued:
Normal Requested 32m cert-manager Created new CertificateRequest resource "appapi-tls-secret-jcbj7"
Normal Issuing 31m cert-manager The certificate has been successfully issued
Normal CreateCertificate 32m cert-manager Successfully created Certificate "appapi-tls-secret"
But for some reason they are not being used:
NET::ERR_CERT_AUTHORITY_INVALID
Subject: Kubernetes Ingress Controller Fake Certificate
Issuer: Kubernetes Ingress Controller Fake Certificate
Expires on: 25 Jan 2022
Current date: 26 Jan 2021
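The two symptoms reported in this thread (a certificate from the staging issuer versus the ingress controller's built-in default) can be told apart from the subject and issuer lines of `curl -v` output. The following is an added example, not part of the thread or of cert-manager; the function names, labels and sample strings are constructed for illustration, and the hostname check compares the CN only.

```python
import re

# CN of the default certificate reported in the thread (subject and issuer are identical).
INGRESS_DEFAULT_CN = "Kubernetes Ingress Controller Fake Certificate"
# Issuer prefix in the thread's curl output for the letsencrypt-staging issuer.
STAGING_ISSUER_PREFIX = "Fake LE"
FIELD_RE = re.compile(r"^\*\s*(subject|issuer|SSL certificate verify result):\s*(.+)$")
CN_RE = re.compile(r"CN\s*=\s*([^,;]+)")


def parse_curl_cert(verbose_output):
    """Pull subject CN, issuer CN and verify result out of `curl -v` text."""
    info = {"subject": None, "issuer": None, "verify": None}
    for line in verbose_output.splitlines():
        m = FIELD_RE.match(line.strip())
        if m and m.group(1) == "SSL certificate verify result":
            info["verify"] = m.group(2).strip()
        elif m:
            cn = CN_RE.search(m.group(2))
            info[m.group(1)] = cn.group(1).strip() if cn else m.group(2).strip()
    return info


def classify(info, expected_host):
    """Return a label saying which certificate the endpoint is actually serving."""
    if info["subject"] is None or info["issuer"] is None:
        return "no-certificate-seen"
    if info["subject"] == INGRESS_DEFAULT_CN and info["issuer"] == INGRESS_DEFAULT_CN:
        return "ingress-default"    # controller default, not a cert-manager certificate
    if info["subject"] != expected_host:
        return "hostname-mismatch"  # CN-only comparison; SANs are not in these lines
    if info["issuer"].startswith(STAGING_ISSUER_PREFIX):
        return "staging-issuer"     # issued, but the staging CA is not publicly trusted
    return "issued-other-ca"


# Constructed samples: the first reuses lines from the curl output in the thread,
# the second renders the browser-reported certificate in the same layout.
STAGING_SAMPLE = """\
*  subject: CN=sample-rails-app-development.mydomain.com
*  issuer: CN=Fake LE Intermediate X1
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
"""
DEFAULT_SAMPLE = """\
*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
"""
```

An `ingress-default` result points at the Ingress/Secret wiring (the `kubectl describe ingress,certificate` check suggested above), while `staging-issuer` means issuance worked and only the choice of issuer keeps clients from trusting the certificate.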