cert-manager / trust-manager

trust-manager is an operator for distributing trust bundles across a Kubernetes cluster.
https://cert-manager.io/docs/projects/trust-manager/
Apache License 2.0

Trust Manager is reordering certificates injected by CA bundle #419

Open sagarmujumale opened 1 month ago

sagarmujumale commented 1 month ago

Trust Manager is reordering the certificates injected by the CA bundle into ConfigMaps. Pods are unable to communicate with a service running in a different namespace and complain "unable to find valid certification path to requested target".

As we are using intermediate certs, all certs must be in order (the intermediate and then the root CA); however, trust manager is changing the sequence and adding the root CA above the intermediate, which is not the correct sequence. This breaks the chain, and service communication fails as there is no chain.

erikgb commented 1 month ago

@sagarmujumale, why do you need intermediate CAs in your trust bundle? It is usually much better/easier to add trust exclusively to self-signed/root CAs. We have an open issue with requiring only self-signed/root CAs in trust bundles by default: https://github.com/cert-manager/trust-manager/issues/4.

sagarmujumale commented 3 weeks ago

@erikgb We are using an intermediate CA for highly important services. We don't want to use the root CA in every environment to sign the certs. All these services communicate with each other across all environments; hence we need the complete chain in the bundle. The feature requiring only self-signed/root CAs in trust bundles by default (https://github.com/cert-manager/trust-manager/issues/4) is good for environments that are not using any signed certs for their services.

It would be better if we could use "allowIntermediateCertificates" to keep the existing feature alongside the default self-signed certificate behaviour.

inteon commented 3 weeks ago

@sagarmujumale all certificates in a trust bundle are trusted normally. There should be no need to form a chain in your trust bundle. Normally, clients check each certificate starting from the leaf and stop when they find a match (in your case the first match will be the intermediate).
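
To make the point above concrete, here is an added example (not part of this thread or of trust-manager's own code) that generates a throwaway root, intermediate and leaf with Go's crypto/x509, writes the two CAs into a PEM bundle in both orders, and verifies the leaf the way a TLS client would. The CA names and the in-cluster service name are constructed for the example; nothing here is taken from the reporter's environment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// serviceName is a constructed in-cluster DNS name used as the leaf's SAN.
const serviceName = "payments.payments.svc.cluster.local"

// mustIssue signs tmpl with parentKey on behalf of parent; with parent == nil the
// certificate is self-signed with its own fresh key. Panics on error (example code).
func mustIssue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// caTemplate is a minimal CA template with a short validity window.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// buildChain creates a throwaway root -> intermediate -> leaf hierarchy (constructed names).
func buildChain() (root, intermediate, leaf *x509.Certificate) {
	root, rootKey := mustIssue(caTemplate("Service Root CA", 1), nil, nil)
	intermediate, interKey := mustIssue(caTemplate("Service Intermediate CA", 2), root, rootKey)
	leaf, _ = mustIssue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: serviceName},
		DNSNames:     []string{serviceName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, intermediate, interKey)
	return root, intermediate, leaf
}

// pemBundle concatenates certificates in the given order, like the ConfigMap data a bundle ends up as.
func pemBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// verifyAgainstBundle acts as a TLS client: bundle is its trust store, presented is what the server sent with the leaf.
func verifyAgainstBundle(leaf *x509.Certificate, bundle []byte, presented ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(bundle) {
		return fmt.Errorf("no certificates parsed from bundle")
	}
	intermediates := x509.NewCertPool()
	for _, c := range presented {
		intermediates.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates, DNSName: serviceName})
	return err
}

func main() {
	root, inter, leaf := buildChain()
	fmt.Println("intermediate then root:", verifyAgainstBundle(leaf, pemBundle(inter, root)))
	fmt.Println("root then intermediate:", verifyAgainstBundle(leaf, pemBundle(root, inter)))
	fmt.Println("intermediate only:", verifyAgainstBundle(leaf, pemBundle(inter)))
	fmt.Println("root only, server sends no intermediate:", verifyAgainstBundle(leaf, pemBundle(root)))
	fmt.Println("root only, server sends intermediate:", verifyAgainstBundle(leaf, pemBundle(root), inter))
}
```

Go finds the leaf's issuer in the pool whichever order the bundle lists the CAs in, and a bundle containing only the intermediate is sufficient by itself. The one configuration that fails is a root-only bundle when the server does not present the intermediate, which is a server-side chain problem rather than a trust-bundle ordering one; `openssl s_client -connect host:port -showcerts` shows what a server actually sends. Java's PKIX path builder, which produces the "unable to find valid certification path to requested target" message quoted in the report, likewise treats a truststore as an unordered set of trust anchors.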

SgtCoDFish commented 2 weeks ago

Hey @sagarmujumale from looking at this I'm not sure I'm understanding why the ordering would matter here. I think I need more context to determine if there's anything we need to change here.

Do you have some software which requires a specific ordering of certs in a trust bundle? I've never encountered that before and I'd find the behaviour very surprising to say the least!

sagarmujumale commented 2 weeks ago

@SgtCoDFish We are distributing the Service Root CA and the Service Intermediate CA in the bundle. All services use certificates signed by the Service Intermediate CA. All K8s clusters have the Service Intermediate CA, which is signed by the root CA. Services use this certificate to communicate with each other. Reordering the certificate chain is causing cert trust issues. The certificates need to be in a certain order to form a chain.