cert-manager / cert-manager

Automatically provision and manage TLS certificates in Kubernetes
https://cert-manager.io
Apache License 2.0

DigiCert error setting up issuer #6112

Status: Closed (Woitekku closed this issue 6 months ago)

Woitekku commented 1 year ago

Describe the bug:

Unable to set up Issuer/ClusterIssuer when Cert-Manager is installed via Helm. On the very same cluster/setup it works like a charm if Cert-Manager is installed via Operator Hub.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: digicert
spec:
  acme:
    email: acme@...
    externalAccountBinding:
      keyAlgorithm: HS256
      keyID: ...
      keySecretRef:
        key: EAB_HMAC_KEY
        name: digicert-eab-hmac
    preferredChain: ''
    privateKeySecretRef:
      name: digicert-key
    server: 'https://acme.digicert.com/v2/acme/directory/'
    solvers:
      - http01:
          ingress:
            class: nginx
```

The error it returns:

```
I0529 08:46:40.482163 1 setup.go:221] cert-manager/clusterissuers "msg"="ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" "related_resource_kind"="Secret" "related_resource_name"="digicert-key" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="digicert" "resource_namespace"="" "resource_version"="v1"
E0529 08:46:40.753693 1 setup.go:261] cert-manager/clusterissuers "msg"="failed to register an ACME account" "error"="Get \"https://acme.digicert.com/./v2/acme/directory/\": x509: certificate signed by unknown authority" "related_resource_kind"="Secret" "related_resource_name"="digicert-key" "related_resource_namespace"="cert-manager" "resource_kind"="ClusterIssuer" "resource_name"="digicert" "resource_namespace"="" "resource_version"="v1"
E0529 08:46:40.753743 1 sync.go:62] cert-manager/clusterissuers "msg"="error setting up issuer" "error"="Get \"https://acme.digicert.com/./v2/acme/directory/\": x509: certificate signed by unknown authority" "resource_kind"="ClusterIssuer" "resource_name"="digicert" "resource_namespace"="" "resource_version"="v1"
E0529 08:46:40.753801 1 controller.go:167] cert-manager/clusterissuers "msg"="re-queuing item due to error processing" "error"="Get \"https://acme.digicert.com/./v2/acme/directory/\": x509: certificate signed by unknown authority" "key"="digicert"
```

Expected behaviour:

Register ACME account with ACME server and get Issuer ready to get certificates.

Steps to reproduce the bug:

Anything else we need to know?:

Environment details:

/kind bug

panterashu commented 1 year ago

Are there any updates regarding this bug?

Thank you!

tibers commented 1 year ago

It works for me using this exact setup (digicert + HTTP01)

Woitekku commented 1 year ago

@tibers how did you install cert-manager? via operators hub?

tibers commented 1 year ago

The helm chart.

inteon commented 11 months ago

Seems like your certificate trust store does not contain the public certs for digicert.com. Did you specify a caBundle value?
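The `x509: certificate signed by unknown authority` text in the log above is Go's `x509.UnknownAuthorityError`: the verifier's root pool contained no CA that issued the server's chain, so the request never got as far as the ACME directory. The following Go program is an added example, not cert-manager code; it builds a constructed private CA and a leaf for the hypothetical host `acme.example.test`, then shows that same verification failing against an empty trust store and passing once the issuing CA is in the pool, which is exactly what a correct `caBundle` or pod trust store changes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BuildChain creates a constructed private root CA and a server leaf it issued for host (test data only; panics on failure).
func BuildChain(host string) (ca, leaf *x509.Certificate) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	if err != nil {
		panic(err)
	}
	ca, _ = x509.ParseCertificate(caDER) // DER just produced by CreateCertificate always parses
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey) // issued by the CA
	if err != nil {
		panic(err)
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return ca, leaf
}

// IsUnknownAuthority reports whether verifying leaf for host against roots fails with x509.UnknownAuthorityError.
func IsUnknownAuthority(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}) // same check a TLS client performs
	_, ok := err.(x509.UnknownAuthorityError)                               // other failures (expiry, hostname) are not this class
	return ok
}

func main() {
	ca, leaf := BuildChain("acme.example.test") // hypothetical host standing in for the ACME server
	trusted := x509.NewCertPool()               // stands in for the pod trust store / issuer caBundle
	trusted.AddCert(ca)
	fmt.Println(IsUnknownAuthority(leaf, x509.NewCertPool(), "acme.example.test"), // true: CA missing
		IsUnknownAuthority(leaf, trusted, "acme.example.test")) // false: CA present
}
```

A hostname mismatch or an expired certificate produces a different error class, so seeing this exact message is a strong signal that the fix belongs in the trust bundle rather than in the server URL.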

jetstack-bot commented 8 months ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close. Send feedback to jetstack. /lifecycle stale

jetstack-bot commented 7 months ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close. Send feedback to jetstack. /lifecycle rotten /remove-lifecycle stale

jetstack-bot commented 6 months ago

Rotten issues close after 30d of inactivity. Reopen the issue with /reopen. Mark the issue as fresh with /remove-lifecycle rotten. Send feedback to jetstack. /close

jetstack-bot commented 6 months ago

@jetstack-bot: Closing this issue.

In response to [this](https://github.com/cert-manager/cert-manager/issues/6112#issuecomment-1911070778):

> Rotten issues close after 30d of inactivity.
> Reopen the issue with `/reopen`.
> Mark the issue as fresh with `/remove-lifecycle rotten`.
> Send feedback to [jetstack](https://github.com/jetstack).
> /close

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.