Cert-manager: Failed to create Order: malformed: No Key ID in JWS header

Created on 6 Oct 2020 · 7 Comments · Source: jetstack/cert-manager

Describe the bug:
Certificate-request fails to create order reporting malformed: No Key ID in JWS header
cert-manager version 1.0.2
ClusterIssuer resource is created successfully for DigiCert as ACME cert issuer.

$kubectl describe clusterissuer
Name:         digicert-issuer
Namespace:    
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1","kind":"ClusterIssuer","metadata":{"annotations":{},"name":"digicert-issuer"},"spec":{"acme":{"external...
API Version:  cert-manager.io/v1
Kind:         ClusterIssuer
Metadata:
  Creation Timestamp:  2020-09-25T22:46:21Z
  Generation:          1
  Resource Version:    11598738
  Self Link:           /apis/cert-manager.io/v1/clusterissuers/digicert-issuer
  UID:                 327336be-176d-4276-a2c8-83538fdd6087
Spec:
  Acme:
    External Account Binding:
      Key Algorithm:  HS384
      Key ID:         <key-id>
      Key Secret Ref:
        Key:          secret
        Name:         eab-secret
    Preferred Chain:  
    Private Key Secret Ref:
      Name:           dummy
    Server:           https://acme.digicert.com/v2/acme/directory
    Skip TLS Verify:  true
    Solvers:
      dns01:
        route53:
          Access Key ID:   <access-key>
          Hosted Zone ID:  <zone-id>
          Region:          <region>
          Secret Access Key Secret Ref:
            Key:   key
            Name:  awskey
      Selector:
        Dns Zones:
          <zone>
Status:
  Acme:
    Uri:  https://acme.digicert.com/v2/acme/account/<account>
  Conditions:
    Last Transition Time:  2020-09-25T22:46:22Z
    Message:               The ACME account was registered with the ACME server
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:                    <none>
$kubectl describe order -n cert-manager
Name:         new-crt-2200110916
Namespace:    cert-manager
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration:
                {"apiVersion":"cert-manager.io/v1","kind":"CertificateRequest","metadata":{"annotations":{},"name":"new-crt","namespace":"cert-manager"},"...
API Version:  acme.cert-manager.io/v1
Kind:         Order
Metadata:
  Creation Timestamp:  2020-10-05T23:32:47Z
  Generation:          1
  Owner References:
    API Version:           cert-manager.io/v1
    Block Owner Deletion:  true
    Controller:            true
    Kind:                  CertificateRequest
    Name:                  new-crt
    UID:                   93870a06-310f-4889-83cb-9f3252002c8f
  Resource Version:        13926987
  Self Link:               /apis/acme.cert-manager.io/v1/namespaces/cert-manager/orders/new-crt-2200110916
  UID:                     d09983db-de81-4c06-af81-c195a4b0c143
Spec:
  Common Name:  <common name>
  Dns Names:
    <common name>
  Issuer Ref:
    Group:  cert-manager.io
    Kind:   ClusterIssuer
    Name:   digicert-issuer
  Request:  <CSR>
Status:
  Failure Time:  2020-10-06T09:32:56Z
  Reason:        **Failed to create Order: 400 malformed: No Key ID in JWS header**
  State:         errored
Events:          <none>

Expected behaviour:
Certificate request creates Order for certificate from Issuer.

Steps to reproduce the bug:

  • Install cert-manager 1.0.2
  • Configure ClusterIssuer or Issuer for ACME Issuer Type using External Account Binding credentials
  • Create certificate request.

Anything else we need to know?:

Environment details:

  • Kubernetes version (e.g. v1.10.2): 1.16.13
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): AWS EKS
  • cert-manager version (e.g. v0.4.0): 1.0.2
  • Install method (e.g. helm or static manifests): helm
$kubectl version
Client Version: version.Info{Major:"1", Minor:"16", GitVersion:"v1.16.9", GitCommit:"a17149e1a189050796ced469dbd78d380f2ed5ef", GitTreeState:"clean", BuildDate:"2020-04-16T11:44:51Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.13-eks-2ba888", GitCommit:"2ba888155c7f8093a1bc06e3336333fbdb27b3da", GitTreeState:"clean", BuildDate:"2020-07-17T18:48:53Z", GoVersion:"go1.13.9", Compiler:"gc", Platform:"linux/amd64"}

/kind bug
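
On the server's message: RFC 8555 section 6.2 requires the JWS protected header of every account-signed ACME request (newOrder included) to carry a "kid" holding the account URL (the value reported under Status > Acme > Uri above), while newAccount carries "jwk" instead. The Go sketch below is an added example, not cert-manager or DigiCert code and not a diagnosis of this issue; the function names and the sample account URL are assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// protectedHeader holds the two key-identification fields of an ACME JWS header.
type protectedHeader struct {
	Kid string          `json:"kid"`
	JWK json.RawMessage `json:"jwk"`
}

// CheckACMEHeader decodes the base64url "protected" member of a flattened JWS and
// applies the RFC 8555 section 6.2 rule: newAccount uses "jwk", other requests "kid".
// Simplification: revokeCert signed with the certificate key (also "jwk") is not handled.
func CheckACMEHeader(protectedB64, resource string) error {
	raw, err := base64.RawURLEncoding.DecodeString(protectedB64)
	if err != nil {
		return fmt.Errorf("protected header is not unpadded base64url: %w", err)
	}
	var h protectedHeader
	if err := json.Unmarshal(raw, &h); err != nil {
		return fmt.Errorf("protected header is not JSON: %w", err)
	}
	hasJWK := len(h.JWK) > 0 && string(h.JWK) != "null"
	switch {
	case h.Kid != "" && hasJWK:
		return errors.New(`"jwk" and "kid" are mutually exclusive`)
	case resource == "newAccount" && !hasJWK:
		return errors.New(`newAccount requires "jwk"`)
	case resource != "newAccount" && h.Kid == "":
		return errors.New(`no "kid" in JWS header`)
	}
	return nil
}

// encode serialises a constructed protected header for the demonstration.
func encode(fields map[string]interface{}) string {
	b, _ := json.Marshal(fields)
	return base64.RawURLEncoding.EncodeToString(b)
}

func main() {
	acct := "https://acme.example.test/acme/account/1" // constructed account URL
	jwk := map[string]interface{}{"kty": "EC"}         // constructed, truncated key
	fmt.Println(CheckACMEHeader(encode(map[string]interface{}{"alg": "ES256", "kid": acct}), "newOrder"))
	fmt.Println(CheckACMEHeader(encode(map[string]interface{}{"alg": "ES256", "jwk": jwk}), "newOrder"))
}
```

Running the same check over the protected header of a captured request shows which of the two fields the client actually sent.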


All 7 comments

@meyskens Likely, but recreating the ClusterIssuer resource doesn't help. Also, here its CA issuer is DigiCert.

Not sure if it could be related to DigiCert. I do not have access to their ACME endpoint, so I cannot try to replicate it on my setup. Not sure if there are any other cert-manager users using DigiCert.

@ragurakesh I'm also getting the same issue when using DigiCert with ACME. Did you manage to get anywhere with this?

@tl-eddie-hoffman @ragurakesh
Here is a KB link. See if it works for you.
https://knowledge.digicert.com/solution/Configure-cert-manager-and-DigiCert-ACME-service-with-Kubernetes.html

Closing this one as a KB article got added

/close

@meyskens: Closing this issue.
