I am trying to connect Vault to our Kubernetes cluster via vault-issuer. I am using authentication with a Kubernetes Service Account and also PKI in Vault.
Describe the bug:
My vault-issuer status is ready and Vault verified, but when I make a Certificate, its CertificateRequest gives me an error.
The CertificateRequest is able to get information from Vault; it will get the CSR and download the ca and certificate.
It looks like the problem is in the secret, because cert-manager makes a secret which needs 4 data objects - ca.crt, rsa.key, tls.crt and tls.key - and Vault sends only ca and certificate (which is actually a base64 encoded rsa key + ca.crt).
Expected behaviour:
Vault should send a certificate which would be added inside a Secret (Kubernetes object) bound to the Certificate and related to the Application.
Error:
```
DecodeError - Failed to decode returned certificate: error parsing TLS certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} tbsCertificate @2
```
Environment details:
My Vault-Issuer:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: vault-issuer
  namespace: lucky
spec:
  vault:
    path: linca/issue/web-certs
    server: https://homeadress.com/
    caBundle: <base64 encoded Linca CA Bundle PEM file>
    auth:
      kubernetes:
        role: kubernetes-vault
        mountPath: /v1/auth/kubernetes
        secretRef:
          name: service-account-oken-8998p
          key: token
```
My Certificate:

```yaml
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: cert-test
  namespace: lucky
spec:
  secretName: vault-test
  duration: 180s
  renewBefore: 100s
  isCA: false
  keyAlgorithm: rsa
  keySize: 2048
  keyEncoding: pkcs1
  dnsNames:
  - my.service.com
  commonName: my-service.com
  issuerRef:
    name: vault-issuer
    kind: Issuer
```
Can anyone please help me with this?
Also, why is pkcs12 not supported?
/kind bug
The error you're seeing is due to configuring the incorrect endpoint to request certificates from in your Vault issuer. Note here: https://cert-manager.io/docs/configuration/vault/#deployment

> Path is the Vault path that will be used for signing. Note that the path must use the sign endpoint.

You should adjust the following in order to make it work:

```yaml
spec:
  vault:
    path: linca/sign/web-certs
```
The error occurs because when using the issue endpoint, the Vault server will generate a private key, which we attempt to decode as an x509 certificate which obviously fails. cert-manager must be responsible for private key generation, so the sign endpoint is required :)
> Also, why is pkcs12 not supported?
/area vault
/triage support
/remove-kind bug
Hi, thank you for fast response!
I am kind of new to this, so sorry for this issue.
Well, it makes sense now, but I am still not sure what web-certs is meant to be.
And I have one more question: in vault-issuer there should be a base64 encoded Linca CA Bundle PEM file. Actually I have two possibilities to paste:
1) linca_ca.pem
2) linca_ca_chain.pem
The chain is quite a bit longer, and the issuer looks like it does not care which one is used.
> Well, it makes sense now, but I am still not sure what web-certs is meant to be.
This guide seems like it was written a while ago, but contains some info on how to configure the PKI backend in Vault:
You need to 'mount' a PKI backend into your Vault instance which will then be used to retrieve certificates 😄

> And I have one more question: in vault-issuer there should be a base64 encoded Linca CA Bundle PEM file. Actually I have two possibilities to paste:

Using the chain is _usually_ the most appropriate, as this contains intermediate CAs that are used for validating the certificate the vault server presents. If either works though, then great 😄
Hope that helps! There's also the Slack channel over on slack.k8s.io (#cert-manager) if you're still running into problems!
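To make concrete both points made above (the `issue` endpoint hands back private-key material that cert-manager then tries to parse as a certificate, and a CA bundle with the intermediates validates a server certificate that a root-only bundle cannot), here is an added example in Go, cert-manager's own language. It is not code from cert-manager, Vault, or anyone in this thread. It mints a constructed root, intermediate and leaf chain; following the explanation above, it models an `issue` response as a PEM file whose first block is an RSA private key and a `sign` response as the certificate alone. The helper names `newCert`, `pemCert`, `pemKey`, `classifyPEM` and `verifyLeaf` and the "Linca" subject names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// newCert is a constructed helper for this example: it mints a certificate for cn
// signed by parent (self-signed when parent is nil) and returns it with its RSA key.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		// CertSign is harmless on the leaf here and keeps the helper short.
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// pemCert encodes a certificate as the "certificate" field of a sign response would.
func pemCert(c *x509.Certificate) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})
}

// pemKey encodes a PKCS#1 RSA key, the material an issue call generates server-side.
func pemKey(k *rsa.PrivateKey) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)})
}

// classifyPEM tries to parse every PEM block in data as an X.509 certificate, which is
// what cert-manager does with the returned material; a key block cannot parse as one.
func classifyPEM(data []byte) []string {
	var out []string
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			out = append(out, block.Type+": not a certificate")
		} else {
			out = append(out, block.Type+": certificate OK")
		}
	}
	return out
}

// verifyLeaf validates leaf against a caBundle as a client does when the server
// presents only its leaf: intermediates must already be in the bundle to succeed.
func verifyLeaf(leaf *x509.Certificate, bundle ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	root, rootKey := newCert("Linca Root CA", true, nil, nil)
	inter, interKey := newCert("Linca Intermediate CA", true, root, rootKey)
	leaf, leafKey := newCert("vault.example.internal", false, inter, interKey)
	fmt.Println("sign response: ", classifyPEM(pemCert(leaf)))
	fmt.Println("issue response:", classifyPEM(append(pemKey(leafKey), pemCert(leaf)...)))
	fmt.Println("caBundle = linca_ca.pem (root only):  ", verifyLeaf(leaf, root))
	fmt.Println("caBundle = linca_ca_chain.pem (chain):", verifyLeaf(leaf, root, inter))
}
```

Running it with `go run` prints the sign-style response as a single parseable certificate, the issue-style response with its RSA PRIVATE KEY block flagged as not a certificate (the same class of failure as the asn1 error quoted in the issue, though newer Go versions word the message differently), an "unknown authority" error for the root-only bundle, and nil for the chain bundle.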
Well, I got it and it works! 😃
Thank you for your advice.
Hello @munnerz, I'm having the same error message here, but my endpoint is `pki-k8s-usercert/issue/nsv-leke-dev` and not `pki-k8s-usercert/sign/nsv-leke-dev`
```
The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error parsing TLS certificate: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false private:false defaultValue:
```
Vault Issuer config file:

```yaml
apiVersion: cert-manager.io/v1alpha3
kind: Issuer
metadata:
  name: vault-issuer
  namespace: cert-manager
spec:
  # This describes the Vault namespace, path, location, caBundle and authentication method
  vault:
    namespace: ngc
    path: pki-k8s-usercert/issue/nsv-leke-dev
    server: https://prod.vault.leke.com
    caBundle: >
      LS0tL*fssffd*
    auth:
      # Here, cert-manager will be using AppRole to authenticate with Vault. This represents the userID for the authentication
      appRole:
        path: approle
        # RoleID to authenticate with Vault
        roleId: "c83*"
        # A base64 encoded secret key which serves as the password for the AppRole. This secret is also created separately and is referenced here
        secretRef:
          name: cm-vault-approle
          key: secretId
```
My Certificate config file:

```yaml
apiVersion: cert-manager.io/v1alpha3
kind: Certificate
metadata:
  name: dev-leke-com-tls
  namespace: cert-manager
spec:
  # This is the secret that specifies where the signed certificate should be stored once it is obtained from Vault
  secretName: leke-com
  # This references the Vault issuer that will issue the certificate
  issuerRef:
    name: vault-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  # The DNS name of the cluster URL
  commonName: dev.leke.com
  dnsNames:
```