It is part of the cert reply when doing an issue/sign. It is one of the key/value pairs returned. I should have included it in the example; I have just updated the example. There are two certs in the chain because there is a root CA and a sub/intermediate CA. The issue/sign command is talking to the sub/intermediate CA.
After more testing I did get CM connected to Vault and using Vault's PKI to work with a sub CA. But CM connected to EJBCA, and CM connected to Vault and using EJBCA with a sub CA, both failed. The issue seems to be on the EJBCA side. I got around this issue by setting up the root in EJBCA but the sub CA in Vault using its internal PKI and linking it to the EJBCA root. CM was then connected to the Vault sub CA and it worked.
I am running quay.io/jetstack/cert-manager-controller:v1.14.5. I am testing cert-manager integration with both Vault and EJBCA.
Both Vault and EJBCA return certs in a key/value format like:
Key Value
--- -----
ca_chain -----BEGIN CERTIFICATE----- ...
certificate -----BEGIN CERTIFICATE----- ...
issuing_ca -----BEGIN CERTIFICATE----- ...
private_key -----BEGIN RSA PRIVATE KEY----- ...
private_key_type rsa
serial_number ...
The issue is that when you have a ca_chain it appears like:
ca_chain [-----BEGIN CERTIFICATE-----
MIIDNDCCAhygAwIBAgIUWo1WPzMJIuqXzSRcfc5FowTWVGIwDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDNTCCAh2gAwIBAgIUZyLYZCVPKVqHf0hxrw5DYtNHewMwDQYJKoZIhvcNAQEL
...
-----END CERTIFICATE-----]
I get the following errors:
With Vault:
Vault failed to sign certificate: failed to parse certificate chain from vault: certificate chain is malformed or broken
With EJBCA:
failed to sign: certificate chain is malformed or broken
This was tested three different ways, all resulting in the same error: CM connected to EJBCA, CM connected to Vault and using Vault's PKI, and CM connected to Vault and using EJBCA.
The problem looks to be that in the ca_chain, between END and BEGIN, there is only a space and not a newline. This appears to be a standard format, and one CM should be able to parse.
/kind bug
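Added example (not cert-manager's, Vault's or EJBCA's code): the Go program below reproduces the failure on the bracketed, space-joined chain form shown in the issue and shows the normalisation a client would need before handing such text to a standard PEM decoder. It generates a throwaway root CA and sub CA in memory (the names Example Root CA and Example Sub CA are made up), joins their PEM blocks with a single space inside square brackets as a constructed stand-in for the ca_chain output above, and runs a plain encoding/pem decode loop over both the raw and the normalised text. With Go's encoding/pem a block whose END line is followed by anything other than whitespace is discarded, and a later BEGIN marker is only recognised when it starts a line, so the raw form yields no certificate at all, which is the same outcome the issue reports as "certificate chain is malformed or broken". NormalizeChainPEM, ParseChainPEM, VaultCLIListForm, NewTestChainPEMs and newCA are names this example introduces; it also strips the surrounding square brackets, which goes slightly beyond the space-versus-newline point in the text.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"regexp"
	"strings"
	"time"
)

// An END trailer and the next BEGIN marker on one line, separated only by spaces or tabs.
var spaceBeforeBegin = regexp.MustCompile(`-----[ \t]+-----BEGIN `)

// NormalizeChainPEM (example helper, not a cert-manager API) takes the bracketed,
// space-joined form shown in the issue and puts every BEGIN marker on its own line.
func NormalizeChainPEM(raw string) string {
	s := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(raw), "["), "]")
	return spaceBeforeBegin.ReplaceAllString(s, "-----\n-----BEGIN ") + "\n"
}

// ParseChainPEM is the usual encoding/pem decode loop; leftover non-whitespace means
// a broken chain. On the space-joined form pem.Decode returns no block at all.
func ParseChainPEM(chain []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	block, rest := pem.Decode(chain)
	for ; block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return nil, fmt.Errorf("unexpected PEM block type %q", block.Type)
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, cert)
	}
	if len(strings.TrimSpace(string(rest))) != 0 || len(certs) == 0 {
		return nil, fmt.Errorf("certificate chain is malformed or broken")
	}
	return certs, nil
}

// VaultCLIListForm joins PEM blocks (each without trailing newline) the way Go
// prints a []string with %v: the bracketed, space-joined form in the issue.
func VaultCLIListForm(pems ...string) string {
	return "[" + strings.Join(pems, " ") + "]"
}

func check(err error) {
	if err != nil {
		panic(err) // fixture generation only; real code returns the error
	}
}

// newCA issues a throwaway CA certificate; a nil parent means self-signed.
func newCA(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewTestChainPEMs builds an in-memory root CA and a sub CA signed by it (hypothetical
// names) so the example runs offline; PEMs are returned without trailing newline, sub CA first.
func NewTestChainPEMs() (subPEM, rootPEM string) {
	root, rootKey := newCA("Example Root CA", 1, nil, nil)
	sub, _ := newCA("Example Sub CA", 2, root, rootKey)
	toPEM := func(c *x509.Certificate) string {
		return strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})))
	}
	return toPEM(sub), toPEM(root)
}

func main() {
	sub, root := NewTestChainPEMs()
	raw := VaultCLIListForm(sub, root)
	_, err := ParseChainPEM([]byte(raw))
	fmt.Println("space-joined form:", err)
	certs, err := ParseChainPEM([]byte(NormalizeChainPEM(raw)))
	fmt.Println("after normalizing:", len(certs), "certificates, err =", err)
}
```

Run it with go run: the first line prints the "malformed or broken" error for the raw form, the second reports two certificates and a nil error after normalising. One caveat for anyone chasing the same symptom: the bracketed, space-joined rendering is how the Vault CLI's table output prints a list value. Over the HTTP API, ca_chain arrives as a JSON array of separate PEM strings, so a client reading the API should join those elements with a newline rather than a space; the normaliser above is a defensive fallback for text that has already been flattened that way, not a substitute for doing that join correctly.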