cert-manager 0.15 not generating ECDSA private keys correctly

Created on 22 May 2020 · 11 Comments · Source: jetstack/cert-manager

Describe the bug:
I upgraded cert-manager from 0.14 to 0.15 and it stopped issuing ECDSA private keys/certs properly. I've been using cert-manager to generate and auto-rotate ECDSA certificates for linkerd2
according to https://linkerd.io/2/tasks/automatically-rotating-control-plane-tls-credentials/
This has worked well until I upgraded to 0.15. 0.15 stopped issuing ECDSA keys and started issuing RSA keys. When I reverted to 0.14 ECDSA keys started to be issued properly.

Expected behaviour:
ECDSA private keys would be generated.

Steps to reproduce the bug:
Try to issue ECDSA certs/keys.

Anything else we need to know?:

Environment details:

  • Kubernetes version (e.g. v1.10.2): v1.18.3
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): bare metal
  • cert-manager version (e.g. v0.4.0): v0.15.0
  • Install method (e.g. helm or static manifests): helm

/kind bug

All 11 comments

Are you using the new experimental controllers or the normal ones?

Are you using the new experimental controllers or the normal ones?

The new experimental ones.

Same issue

Hey,
Also, when using version 0.14, it is only issuing RSA private keys/certs properly, instead of ECDSA ones.

Installation link: kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.0/cert-manager.yaml

Certificate:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  issuerRef:
    name: linkerd-trust-anchor
    kind: ClusterIssuer
  commonName: *****.com
  isCA: true
  keyAlgorithm: ecdsa
  dnsNames:
  - *****.com
  - *****.com

What am I doing wrong?

/priority important-soon
From what I know @munnerz is looking into this :smiley:

@jcollie did you manage to integrate Linkerd with cert-manager?

@jcollie did you manage to integrate Linkerd with cert-manager?

Yes, 0.14 has been working quite well.

Thanks @jcollie,
Can you guide me, what am I doing wrong in the following resources:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  issuerRef:
    name: linkerd-trust-anchor
    kind: ClusterIssuer
  commonName: *****.com
  isCA: true
  keyAlgorithm: ecdsa
  dnsNames:
  - *****.com
  - *****.com
---
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ****@****
    privateKeySecretRef:
      name: linkerd-trust-anchor
    solvers:
    - selector:
      dns01:
        route53:
          region: us-east-2
          hostedZoneID: *****
          accessKeyID: *****
          secretAccessKeySecretRef:
            name: acme-route53
            key: secret-access-key

@munnerz

I ran into the same problem. It looks like cert-manager creates BEGIN PRIVATE KEY / END PRIVATE KEY instead of the more specific BEGIN EC PRIVATE KEY / END EC PRIVATE KEY. Basically, the key type (EC or RSA) is missing in the PEM block header/footer. Linkerd2 expects the key type to be present, otherwise it will fail (see https://github.com/linkerd/linkerd2/blob/master/pkg/tls/codec.go#L52).
So, it looks like it creates a PKCS8-formatted key instead of a PKCS1-formatted one. Turning off the new experimental controller solved the problem for me.
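
As an added example (not cert-manager's or linkerd's own code), the Go below shows how a consumer can accept both PEM encodings discussed in this thread, report which block type a secret actually holds, and re-encode a PKCS#8 ECDSA key as an EC PRIVATE KEY block for consumers that switch on the PEM type. The function names and the inline sample key are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// parseAnyECKey accepts both encodings seen in this thread: "PRIVATE KEY" (PKCS#8,
// what 0.15 wrote) and "EC PRIVATE KEY" (SEC1, what keyEncoding: pkcs1 produces).
func parseAnyECKey(pemBytes []byte) (*ecdsa.PrivateKey, string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, "", fmt.Errorf("no PEM block found")
	}
	switch block.Type {
	case "EC PRIVATE KEY":
		k, err := x509.ParseECPrivateKey(block.Bytes)
		return k, block.Type, err
	case "PRIVATE KEY":
		parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, block.Type, err
		}
		if k, ok := parsed.(*ecdsa.PrivateKey); ok {
			return k, block.Type, nil
		}
		return nil, block.Type, fmt.Errorf("PKCS#8 key is %T, not ECDSA", parsed)
	}
	return nil, block.Type, fmt.Errorf("unexpected PEM block type %q", block.Type)
}

// toSEC1PEM re-encodes an ECDSA key as "EC PRIVATE KEY", the type-bearing form.
func toSEC1PEM(k *ecdsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalECPrivateKey(k)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: der}), nil
}

// pkcs8ECSample is a constructed PKCS#8 P-256 key standing in for a 0.15 secret.
func pkcs8ECSample() []byte {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 generation does not fail in practice
	der, _ := x509.MarshalPKCS8PrivateKey(k)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}
```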

@alex-berger I tested this with:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: ecdsa-test
spec:
  # Secret names are always required.
  secretName: ecdsa-test
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  keyAlgorithm: ecdsa
  keyEncoding: pkcs1

And I do get:

-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGfFpm2agMeXHr4dcghA4bxhB+ZwQIAcKnh6Yp10ohcIoAoGCCqGSM49
AwEHoUQDQgAELDKvCrJJMVM7lxseHiuv9OP1zX2HNlVXUw2rzBHp07v+fWxJDLwa
eIEalk48I0mkTcB5dduKlHVNdwaFvi2SYQ==
-----END EC PRIVATE KEY-----

However, I am using a version built from master (with the experimental, soon to be the normal, controllers). Once v0.16.alpha.0 is out, do you mind testing this?

I can confirm that 0.16 fixes this issue for me.
