kubernetes – Kubernetes Cert-Manager Failing with Malformed or Broken Certificate Chain

cert-managerkubernetes

I have setup cert-manager to sign the certificate with the private ca issuer. the private CA secret is setup correctly and before adding to the TLS secret i have verified the chain with OpenSSL verify command and they all verify to the root correctly. But when the same is done with cert-manager, the certificate is not signed and i get the error " Message: The certificate request has failed to complete and will be retried: Error signing certificate: certificate chain is malformed or broken"

Here is the yaml for the cert issuer

   apiVersion: cert-manager.io/v1
   kind: ClusterIssuer
   metadata:
    name: my-ca-issuer
    namespace: default
   spec:
   ca:
      secretName: my-tls-secret
   ---
   apiVersion: cert-manager.io/v1
   kind: Certificate
   metadata:
     name: cert-test
     namespace: default
   spec:
     secretName: my-tls-secret
   issuerRef:
     name: my-ca-issuer
     kind: ClusterIssuer
   commonName: cert-test.com
   renewBefore: 12h # Renew the certificate when it's 12 hours from expiration

my-tls-secret is in the cert-manager namespace

the ca issuer verifies correctly

  kubectl get clusterissuers -o wide
NAME                        READY   STATUS                AGE
my-ca-issuer            True    Signing CA verified   27h

the my-tls secret was created using this command

 kubectl create secret generic my-tls-secret --from-file=tls.crt=cert-chain.pem --from-file=tls.key=myca.key --from-file=ca.crt=ca-chain.pem -n cert-manager

Any clues on why the chain is malformed with cert-manager whereas openssl verify doesnt have any issue with the chain

openssl crl2pkcs7 -nocrl -certfile ca-chain.pem | openssl pkcs7 -print_certs -noout

subject=C = US, ST = TX, L = Austin, O = org, CN = app-TLS-Sub-CA
issuer=C = US, ST = TX, L = Austin, O = org, CN = Issuing-Sub-CA

subject=C = US, ST = TX, L = Austin, O = org, CN = Issuing-Sub-CA
issuer=C = US, ST = TX, L = Austin, O = org, CN = Root

subject=C = US, ST = TX, L = Austin, O = org, CN = Root
issuer=C = US, ST = TX, L = Austin, O = org, CN = Root

Best Answer

From your comments, the issue persists even after ensuring the correct order and concatenation of the certificates.

[ Kubernetes Cluster ]
         |
   [ cert-manager ]
         | \
         |  [ Increased Log Verbosity ]
         |
[ my-ca-issuer ClusterIssuer ]
         | \
         |  [ Check CA Permissions ]
         |
[ my-tls-secret (CA secret) ]
         | \
         |  [ Verify Certificate Chain Formatting ]
         |
[ cert-test Certificate ]
         |
   [ CertificateRequest Debugging ]

While OpenSSL is able to verify the chain, cert-manager in the Kubernetes context might interpret it differently. That could be due to how cert-manager handles certificate parsing.
Consider using a tool like kubectl describe on the Certificate and CertificateRequest resources to get more clues.

kubectl describe certificate cert-name -n default
kubectl describe certificaterequest -n default
kubectl describe clusterissuer my-ca-issuer

Sometimes, certificate files may contain hidden characters or formatting issues not easily visible. Make sure the PEM files do not contain any extraneous characters or incorrect line endings. You can use tools like cat -v or a text editor with hidden character visibility to inspect the files.

Make sure the CA represented by my-tls-secret has the necessary permissions to sign certificates. Some CAs might be restricted to only sign certain types or levels of certificates. That is particularly relevant since you have multiple levels in your CA hierarchy.

Increase the log verbosity of cert-manager to get more detailed information about what is happening during the signing process.

kubectl get deployments -n cert-manager
kubectl edit deployment <cert-manager-deployment-name> -n cert-manager

spec:
  containers:
  - args:
    - --v=4  # This sets log verbosity to level 4
    ...

Just in case, the depth of your certificate chain might be causing issues. While not common, some systems have limits on the chain depth they can process. If possible, test with a simpler chain (fewer levels) to see if the issue persists.

Related Solutions

Kubernetes – How to Use Wazuh with Cert-Manager

For Kibana, you can easily use Trusted CA Signed SSL Certificates, for example Let's Encrypt, by placing them in cert/kibana_http/

cp /etc/letsencrypt/live/<site-address>/privkey.pem certs/kibana_http/key.pem
cp /etc/letsencrypt/live/<site-address>/fullchain.pem certs/kibana_http/cert.pem

For internal communications between the different Wazuh components, self-signed certificates are a good option given that they all verify the CA through a local file. Self-signed certificates also avoid the need for FQDN which is required to get a certificate from a Trusted CA.

Kubernetes Nginx – Using Cert Manager and LetsEncrypt Without Wildcards in Domain Names

Thanks for the help, I was able to solve my problem:

Basically, I had to find a new approach because no wild card certificate can be issued with http01. (see here: https://cert-manager.io/docs/configuration/acme/) After a little research I came to the conclusion that it makes the most sense to use a dns01 solver. Documentation can be found here: https://cert-manager.io/docs/configuration/acme/dns01/

Since the configuration of the dns01 depends heavily on your DNS provider, I will not publish my solution here, but a useful configuration can easily be found with the documentation.

Best Answer

Related Solutions

Kubernetes – How to Use Wazuh with Cert-Manager

Kubernetes Nginx – Using Cert Manager and LetsEncrypt Without Wildcards in Domain Names

Related Topic