-
Notifications
You must be signed in to change notification settings - Fork 23
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is the ignore of spec.tls.caCertificate on purpose ? #115
Comments
Hello, I can confirm this is an issue and that it also affects us on clusters running openshift-routes 0.7+ I believe that it may originate from an intent to make things rights with regards of what the
Notice the end of the description "Do not include a CA certificate". However, on openshift-routes prior to 0.7.0 the full certificate chain was inserted in the Would be nice to have either:
Thanks a lot ! |
just wanted to explicitely state that the scenario i was talking about is NOT filling the route.spec.tls.certificate with the whole chain but rather filling route.spec.tls.certificate with the one and only cert (this already is like it should be) but ADDITIONALLY filling the route.spec.tls.caCertificate with the (potentially) existing certs from the cert-manager manged secret |
I agree, that would be best. After a little digging in the code, it seems to me that the full certificate chain is retrieved from the secret (here) but then, only the first certificate is encoded in the In the utilpki lib I did not find any function that would allow us to easily strip the host certificate from the chain bundle in order to set the PS: my golang skills are mostly at the "beginner/reading" level so maybe I missed something or did not understand the code properly. |
My colleague and I found a solution, we will work on a PR to fix this. |
thx for your PR - but regarding code - i made two comments regarding the implementation |
Hey, thanks for raising this. What's the use case for this field ( As far as I can see, it's informational. If that's the case, it would probably be a similar case to https://cert-manager.io/docs/faq/#why-isnt-my-certificates-chain-in-my-issued-secrets-cacrt In other words, leaving If it's required for something we could consider adding it. |
Thanks for the reply @SgtCoDFish. The main issue for us is that the openshift-routes controller only sets the first certificate of the chain in the For us this is a breaking change because not all HTTP clients support Authority Information Access (AIA) that would allow for the retrieval of the missing intermediate certificates. In such an event, HTTPS requests would fail because of the missing certificates. Modern web browser do support AIA but tools like curl or some programming language libraries don't. I hope this helps clarify the issue at hand. |
I want to make sure I'm understanding! (I'm still jet lagged from KubeCon!) Let's say we have a chain with three certs, A cert-manager Secret would have
I tested locally and confirmed that we're setting I've raised #122 to address that. I think that should fix the issue without us having to set |
I hope you had a blast at Kubecon :) You understood correctly.
At first, I thought that was the reason for this change of behavior in 0.7.0. |
Despite the documentation saying not to include it in the certificate field, even OpenShift routes controller manager will copy both leaf and intermediate certs from secret/TLS.crt when using an ingress to generate a route and stick them in the certificate field. I wonder if there is a good reason for splitting them, and if so why they do not enforce that themselves. I suppose we'd have to check the OpenShift ingress code to see what it's doing with the caCertificate field. |
From this OpenShift issue opened in 2021, it seems like it's always been OK to put both the leaf followed by the intermediates in
Now, with regards to OpenShift's route controller manager that creates routes by shoving the contents of the Ingress's Secret's tl;dr: this project should put the leaf in the |
Hmm I don't think that is entirely correct. It is possible to configure an ingress to generate a reencrypt route using the Since there are separate fields to handle the backend certificate, such as |
Thanks all for the discussion!
Looking back, I'm not actually sure if there was a change of behavior? Are you sure it used to populate The code in v0.7.1 seems clearly to only parse one cert: https://github.com/cert-manager/openshift-routes/blob/v0.6.1/internal/controller/sync.go#L649 So it doesn't seem like v0.7.x broke anything? Am I missing something? I'm inclined to think that @maelvls 's approach is the way to go:
It seems odd to me that OpenShift would be designed to require that, but I can believe it at least. |
No I did not mean that In clusters running 0.6 we do have the whole chain contained in |
Thanks for pointing that out!
I am so confused now. I'm not sure why the OpenShift project wants the leaf in the I think we need someone from Red Hat to help us out 😅 @TrilokGeer Do you know who we can contact to get some clarity? Thanks! |
there's some conversation related to this in https://bugzilla.redhat.com/show_bug.cgi?id=2013238 if you feel like reading up while you figure out who to get in touch with at Redhat. |
Yeah that issue is what we were discussing above, @maelvls linked to it here. It sounds like from that discussion, although it works chaining them in Now I wonder about the new external certificate API, there is no callout of including intermediate cert in the If there is no downside to chaining and putting both in |
Is there a timeline for #122 to be merged/released? We are also being affected as many clients complain with the new 0.7 certificates, e.g Python
For the moment we have rolled back to the pre 0.7 version we had running. |
As far as i can see in the code the spec.tls.caCertificate on the route object is nowhere considered to be set
Looking forward to the answers
The text was updated successfully, but these errors were encountered: