baarde / cert-manager-webhook-ovh

OVH Webhook for Cert Manager
Apache License 2.0

Certificate not valid #20

Closed Pseudow closed 2 years ago

Pseudow commented 2 years ago

Situation

I recently generated a certificate; the problem is that the certificate is not recognized as valid. Here is how I create my certificate:

Certificate definition

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: altarise-registry-cert # name of the certificate
  labels:
    app.kubernetes.io/name: altarise-registry-cert # name of the certificate
    app.kubernetes.io/tier: backend
    app.kubernetes.io/managed-by: Ops
spec:
  dnsNames:
  - registry.altarise.net # name of the domain you want to validate the certificate
  issuerRef:
    name: ovh-altarise # name of the issuer you created before
    kind: Issuer
  secretName: altarise-registry-cert

Certificate events

  Type    Reason     Age    From                                       Message
  ----    ------     ----   ----                                       -------
  Normal  Issuing    5m26s  cert-manager-certificates-trigger          Existing issued Secret is not up to date for spec: [spec.commonName spec.dnsNames]
  Normal  Reused     5m26s  cert-manager-certificates-key-manager      Reusing private key stored in existing Secret resource "altarise-registry-cert"
  Normal  Requested  5m26s  cert-manager-certificates-request-manager  Created new CertificateRequest resource "altarise-registry-cert-sv2lq"
  Normal  Issuing    5m22s  cert-manager-certificates-issuing          The certificate has been successfully issued

Check of certificate using OPENSSL

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = registry.altarise.net
verify return:1
---
Certificate chain
 0 s:CN = registry.altarise.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
subject=CN = registry.altarise.net

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4702 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5C618DA732531FCB130CE71BDE79E1ADB9C26FBB78A3058DAAE422EF271FF71A
    Session-ID-ctx: 
    Master-Key: D3643057C1283793B6CB842559758E7F838FBC7FA1DE7BA1DF949A5E1AB354AB1E403159965B2FC62C5E26DC0A3868E4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1658317965
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

Curl output

curl https://192.168.10.200:443 --header "HOST: registry.altarise.net"

curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above
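The openssl check above reports "Verification: OK", while the curl check connects to the IP with only a Host header. curl sends no TLS SNI when the URL host is an IP literal, so an ingress answers with its default certificate, which is normally self-signed, and that is what error 60 describes. The script below is an added example, not part of this issue or of cert-manager-webhook-ovh: it runs both handshakes from Python, verifies the chain against the system trust store, and matches the SAN of the verified certificate against the expected name the way curl does; host and IP are the values from the issue.

```python
"""Show which certificate an ingress presents with and without TLS SNI."""
import socket
import ssl

# Values taken from the issue above; change them for your own ingress.
EXPECTED_HOST = "registry.altarise.net"
INGRESS_IP = "192.168.10.200"


def san_matches(san_names, hostname):
    """RFC 6125-style dNSName matching, as curl and browsers do it.

    A wildcard covers exactly one leftmost label: '*.example.net' matches
    'a.example.net' but neither 'example.net' nor 'b.a.example.net'.
    """
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                    # ".example.net"
            if not host.endswith(suffix):
                continue
            leftmost = host[: -len(suffix)]      # label the wildcard stands for
            if leftmost and "." not in leftmost:
                return True
        elif name == host:
            return True
    return False


def probe(ip, sni=None, port=443, timeout=5):
    """Handshake with ip:port sending `sni` as server_name (None = no SNI,
    which is what `curl https://<ip>` does) and describe the outcome.
    The chain is verified against the system trust store; hostname
    matching is done by san_matches() so the no-SNI case can be tried."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # e.g. "self signed certificate" for an ingress default certificate
        return {"sni": sni, "verified": False, "error": exc.verify_message}
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"sni": sni, "verified": True, "sans": sans,
            "matches": san_matches(sans, EXPECTED_HOST)}


if __name__ == "__main__":
    for sni in (EXPECTED_HOST, None):
        print(probe(INGRESS_IP, sni))
```

On the curl side, `curl --resolve registry.altarise.net:443:192.168.10.200 https://registry.altarise.net` reaches the internal address while still sending the right SNI and hostname, so it exercises the cert-manager certificate instead of the ingress default.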