Open alen-z opened 2 years ago
Yes, they're intended only for services proxied by Cloudflare. The feature request is still valid: the issuer doesn't set ca.pem in the secret. There's no API to fetch the current Origin CA certificate, and I'm hesitant to hard-code it.
Maybe no API, but there are 2 static endpoints that might serve as a source of the Origin CA.
I believe using a flag to include the Origin CA would be nice. This is because Cloudflare can work without it, and the reliability of methods to get the latest CA may vary.
Maybe a few methods of getting the Origin CA to think about:
I think having all of these options would allow cloud operators to choose the one that properly suits their needs.
How you would implement it, whether one method would automatically fall back to another, and how it should be configured in the CRD, I'll leave up to you :) I can share a few thoughts if the discussion starts heading in the direction of implementation details.
Appreciate the interest in the topic. Not to mention how awesome it'd be if Cloudflare were similar to Let's Encrypt — having certificates issued and recognized by the majority of clients because of an embedded CA.
After a discussion with the team that operates the Origin CA, I'm going to embed the CAs into the binary and begin including them in response to cert-manager's requests, so that they get added as ca.pem in secrets.
Hi,
do you think it would make sense to offer a CRD flag to include the full chain in the auto-created certificate?
I noticed issues when serving the created certificates to clients: curl: (60) SSL certificate problem: unable to get local issuer certificate. I guess because there is no full chain included. Cheers!
Edit: If those are certificates used only to work behind CF proxies, then I probably missed the point. We are trying to use them for internal networking, not going over CF. Domains are, of course, managed in CF. Well, I think I've missed this: "You'll be able to use this certificate on servers proxied behind Cloudflare." — CF blog.