Cert-manager: Private ACME authority aka custom root certificate for ACME

Created on 6 Nov 2019 · 8Comments · Source: jetstack/cert-manager

General description

We have set up private ACME authority to issue certificates signed with our internal root certificate. Root certificate is added to system keystore, so commands like curl https://our.internal.domain work correctly on k8s host machine & all workers.

However, we are not able to use that ACME server with cert-manager: it simply does not know about our root.

Events:
  Type     Reason                Age              From          Message
  ----     ------                ----             ----          -------
  Warning  ErrVerifyACMEAccount  4s (x2 over 4s)  cert-manager  Failed to verify ACME account: Get https://our.internal.ca/acme/directory: x509: certificate signed by unknown authority
  Warning  ErrInitIssuer         4s (x2 over 4s)  cert-manager  Error initializing issuer: Get https://our.internal.ca/acme/directory: x509: certificate signed by unknown authority

This is pretty reasonable and is expected to happen.

Proposed solution

It seems that currently it's not possible to add custom trusted root certificate. Or at least it is not well-documented.

Ideally, there should be a way to specify root certificate along with issuer definition, like:

spec:
  acme:
    server: https://our.internal.ca/acme/directory
    rootCertificate: <reference either to configmap, secret, or just PEM encoded string>

However, adding root certificate cluster-wide is perfectly OK, I think.

Alternatives
None, really. Let's Encrypt won't issue certs for domains that don't even exist in public network :)

I have not tried to patch Docker images yet, but this seems to be most feasible way to solve this issue temporarily.

Specifying http:// instead of https:// (all in all, it's trusted network) as a workaround does not work either -- ACME client ignores protocol.

Environment details:

Self-hosted Kubernetes 1.15.0
cert-manager v0.11.0 installed by static manifests

areacme good first issue help wanted kinfeature prioritbacklog

Source

makkarpov

👍1

Most helpful comment

Solution was much simpler than I expected:

Create ConfigMap with single key: ca-certificates.crt and use desired CA certificates bundle as a value
Mount that ConfigMap over /etc/ssl/certs within a cert-manager Pod.

Voila,

Status:
  Acme:
    Last Registered Email:  [email protected]
    Uri:                    https://our.internal.ca/acme/account/CPdyUt....srXUVpKB
  Conditions:
    Last Transition Time:  2019-11-06T20:47:08Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

However, I think that there should be a way to do this directly in Issuer definition.

makkarpov on 6 Nov 2019

👍2

All 8 comments

Solution was much simpler than I expected:

Create ConfigMap with single key: ca-certificates.crt and use desired CA certificates bundle as a value
Mount that ConfigMap over /etc/ssl/certs within a cert-manager Pod.

Voila,

Status:
  Acme:
    Last Registered Email:  [email protected]
    Uri:                    https://our.internal.ca/acme/account/CPdyUt....srXUVpKB
  Conditions:
    Last Transition Time:  2019-11-06T20:47:08Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>

However, I think that there should be a way to do this directly in Issuer definition.

makkarpov on 6 Nov 2019

👍2

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

retest-bot on 4 Feb 2020

/remove-lifecycle stale

makkarpov on 5 Feb 2020

Seems like a reasonable feature request that we'd be happy to include! Thanks for the comprehensive issue description and for sharing your workaround.

/kind feature
/help-wanted
/good-first-issue
/area acme
/priority backlog

munnerz on 20 Feb 2020

@munnerz:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

Seems like a reasonable feature request that we'd be happy to include! Thanks for the comprehensive issue description and for sharing your workaround.

/kind feature
/help-wanted
/good-first-issue
/area acme
/priority backlog

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.