certificate chain is malformed #7037

Closed
bpk37 opened this issue May 16, 2024 · 3 comments

Comments


bpk37 commented May 16, 2024

I am running quay.io/jetstack/cert-manager-controller:v1.14.5. I am testing cert-manager integration with both Vault and EJBCA.

Both Vault and EJBCA return certs in a key/value format like:

Key                 Value
---                 -----
ca_chain            -----BEGIN CERTIFICATE----- ...
certificate         -----BEGIN CERTIFICATE----- ...
issuing_ca          -----BEGIN CERTIFICATE----- ...
private_key         -----BEGIN RSA PRIVATE KEY----- ...
private_key_type    rsa
serial_number       ...

The issue is when you have a ca_chain it appears like:

ca_chain [-----BEGIN CERTIFICATE-----
MIIDNDCCAhygAwIBAgIUWo1WPzMJIuqXzSRcfc5FowTWVGIwDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIUZyLYZCVPKVqHf0hxrw5DYtNHewMwDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----]

I get the following errors:

With Vault:
Vault failed to sign certificate: failed to parse certificate chain from vault: certificate chain is malformed or broken

With EJBCA:
failed to sign: certificate chain is malformed or broken

This was tested three different ways, all resulting in the same error: CM connected to EJBCA, CM connected to Vault using Vault's PKI, and CM connected to Vault using EJBCA.

The problem looks to be that in the ca_chain, between END and BEGIN, there is only a space and not a newline. This appears to be a standard format, and a format CM should be able to parse.

/kind bug
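The failure mode described in this report, worked through as an added example (this is not cert-manager's code, nor anything from Vault or EJBCA): Go's encoding/pem rejects an END line that has anything other than whitespace after it and only looks for the next block at a newline followed by "-----BEGIN ", so a bundle whose END and BEGIN trailers share a line decodes to no block at all, which a caller can only report as a malformed chain. The program below generates a throwaway root and sub CA (constructed test data, not the reporter's certificates), joins them with a space exactly as shown in the ca_chain above, shows the parse failing, then normalizes the bundle and parses and links both certificates. NormalizeChainPEM, ParseCertificateChainPEM, MakeTestChain and BrokenChain are names assumed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// An END trailer followed only by spaces or tabs and then a BEGIN header: the layout from the report.
var endBeginOnOneLine = regexp.MustCompile(`(-----END [A-Z ]+-----)[ \t]+(-----BEGIN [A-Z ]+-----)`)

// NormalizeChainPEM (name assumed for this example) puts END and BEGIN on separate lines. encoding/pem
// only finds a following block at "\n-----BEGIN " and rejects an END line with anything but whitespace
// after it, so pem.Decode yields no block at all for the raw input. Base64 bodies are never touched.
func NormalizeChainPEM(chain []byte) []byte {
	return endBeginOnOneLine.ReplaceAll(chain, []byte("$1\n$2"))
}

// ParseCertificateChainPEM (name assumed) decodes every block of a PEM bundle and requires
// at least one block, only CERTIFICATE blocks, and nothing but whitespace after the last one.
func ParseCertificateChainPEM(chain []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	var block *pem.Block
	rest := chain
	for {
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parsing certificate: %w", err)
		}
		certs = append(certs, cert)
	}
	if len(certs) == 0 {
		return nil, fmt.Errorf("certificate chain is malformed or broken: no PEM blocks found")
	}
	if len(bytes.TrimSpace(rest)) != 0 {
		return nil, fmt.Errorf("certificate chain is malformed or broken: trailing data after last block")
	}
	return certs, nil
}

// MakeTestChain builds a throwaway self-signed root and a sub CA signed by it, both as PEM.
// Constructed test data for this example only, not material from the report.
func MakeTestChain() (subPEM, rootPEM []byte) {
	must := func(err error) { if err != nil { panic(err) } }
	caTemplate := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             time.Now().Add(-time.Hour),
			NotAfter:              time.Now().Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen from rand.Reader does not fail in practice
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := caTemplate(1, "Example Root CA")
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	must(err)
	rootCert, _ := x509.ParseCertificate(rootDER) // DER produced one line above
	subDER, err := x509.CreateCertificate(rand.Reader, caTemplate(2, "Example Sub CA"), rootCert, &subKey.PublicKey, rootKey)
	must(err)
	toPEM := func(der []byte) []byte { return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}) }
	return toPEM(subDER), toPEM(rootDER)
}

// BrokenChain joins two PEM certificates with a space where a newline belongs (constructed input).
func BrokenChain(first, second []byte) []byte {
	return bytes.Join([][]byte{bytes.TrimRight(first, "\n"), second}, []byte(" "))
}

func main() {
	broken := BrokenChain(MakeTestChain())
	_, err := ParseCertificateChainPEM(broken)
	fmt.Println("raw chain:", err) // rejected: no PEM block is found
	certs, err := ParseCertificateChainPEM(NormalizeChainPEM(broken))
	if err != nil {
		panic(err)
	}
	// The normalized chain must still link: the sub CA is signed by the root.
	if err := certs[0].CheckSignatureFrom(certs[1]); err != nil {
		panic(err)
	}
	fmt.Printf("normalized chain: %d certificates, %s signed by %s\n", len(certs), certs[0].Subject.CommonName, certs[1].Subject.CommonName)
}
```

Two points worth keeping in mind if you adopt something like this. The normalizer is anchored on the END and BEGIN trailers only, so it can never rewrite base64 bodies, and a well-formed bundle passes through unchanged. Normalizing on the consumer side also hides a formatting defect on the issuing side; it is a workaround, not a fix, and the later comments in this thread trace the defect to the EJBCA path rather than to Vault's own PKI.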

@inteon
Member

inteon commented May 17, 2024

Could you explain where ca_chain comes from?

@bpk37
Author

bpk37 commented May 17, 2024

It is part of the cert reply when doing an issue/sign. It is one of the key/value pairs returned. I should have included it in the example; I just updated the example. There are two certs in the chain because there is a root CA and a sub/intermediate CA. The issue/sign command is talking to the sub/intermediate CA.

@bpk37
Author

bpk37 commented May 28, 2024

After more testing I did get CM connected to Vault using Vault's PKI to work with a sub CA. But CM connected to EJBCA, and CM connected to Vault using EJBCA with a sub CA, both failed. The issue seems to be on the EJBCA side. I got around this issue by setting up the root in EJBCA but the sub CA in Vault using its internal PKI and linking it to the EJBCA root. CM was then connected to the Vault sub CA and it worked.

@bpk37 bpk37 closed this as completed May 28, 2024