djkormo / adcs-issuer

BSD 3-Clause "New" or "Revised" License

No new attempt if the certificate is not issued #105

Open gerrieg opened 1 month ago

gerrieg commented 1 month ago

adcs-issuer version: 2.1.2

We use this issuer and under normal circumstances everything works as expected.

Our Active Directory team has changed the template name without our knowledge and we have noticed that there are no more retries to issue the certificate. We have corrected the templateName in the ClusterAdcsIssuer, but still no retry. We need to delete the certificate and reapply it for the issuance to work again.

apiVersion: adcs.certmanager.csf.nokia.com/v1
kind: ClusterAdcsIssuer
metadata:
  name: test-cluster-adcs-issuer
spec:
  caBundle: xxxxxxxxx
  credentialsRef:
    name: test-adcs-credentials
  statusCheckInterval: 5m
  retryInterval: 5m
  url: https://xxxxxxxxxx
  templateName: Webserver_1Years

AdcsRequest

  Status:
    Id:      2814400
    Reason:  Denied by Policy Module  0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Webserver_3Years. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
    State:   rejected

CertificateRequest

 Status:
  Conditions:
    Last Transition Time: 2024-09-12T06:38:58Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2024-09-12T06:38:58Z
    Message:               ADCS request rejected
    Reason:                Pending
    Status:                False
    Type:                  Ready

Certificate

Status:
  Conditions:
    Last Transition Time:        2024-09-12T06:38:52Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      False
    Type:                        Ready
    Last Transition Time:        2024-09-12T06:38:52Z
    Message:                     Issuing certificate as Secret does not exist
    Observed Generation:         1
    Reason:                      DoesNotExist
    Status:                      True
    Type:                        Issuing
  Next Private Key Secret Name:  ca-cert-test-84vdb

Also, the status.lastFailureTime field in the Certificate is not set, so cert-manager does not retry the request. However, I suspect that adcs is doing the retries.

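A check for the stuck state described in this issue, written here as an added example (not code from the adcs-issuer project or the reporter): it walks the Certificate, its CertificateRequest and the AdcsRequest as `kubectl get -o json` would return them and flags a request that ADCS rejected while the Certificate's status.lastFailureTime was never set, which is the combination that leaves cert-manager with nothing to retry. The sample objects are constructed from the status output above; the AdcsRequest JSON field names (state, id, reason) are assumed from the describe output.

```python
"""Flag a cert-manager Certificate stuck behind a rejected AdcsRequest."""
from typing import Optional

# Constructed sample status objects mirroring the describe output in the issue.
SAMPLE_ADCS_REQUEST = {
    "metadata": {"name": "ca-cert-test-84vdb"},  # constructed name
    "status": {"id": "2814400", "state": "rejected",
               "reason": "Denied by Policy Module 0x80094800 ... "
                         "0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)"},
}
SAMPLE_CERT_REQUEST = {
    "status": {"conditions": [
        {"type": "Approved", "status": "True", "reason": "cert-manager.io"},
        {"type": "Ready", "status": "False", "reason": "Pending",
         "message": "ADCS request rejected"},
    ]},
}
SAMPLE_CERTIFICATE = {
    "metadata": {"name": "ca-cert-test"},
    "status": {"conditions": [
        {"type": "Ready", "status": "False", "reason": "DoesNotExist"},
        {"type": "Issuing", "status": "True", "reason": "DoesNotExist"},
    ], "nextPrivateKeySecretName": "ca-cert-test-84vdb"},  # no lastFailureTime
}


def condition(obj: dict, ctype: str) -> dict:
    """Return the status condition of the given type, or an empty dict."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == ctype:
            return cond
    return {}


def diagnose(certificate: dict, cert_request: dict, adcs_request: dict) -> Optional[str]:
    """Return a finding if the issuance chain is stuck without a retry, else None."""
    adcs_status = adcs_request.get("status", {})
    if adcs_status.get("state") != "rejected":
        return None                      # ADCS has not rejected it; nothing to flag
    ready = condition(cert_request, "Ready")
    if ready.get("status") != "False":
        return None                      # request already completed
    if certificate.get("status", {}).get("lastFailureTime"):
        return None                      # cert-manager will back off and retry
    reason = adcs_status.get("reason", "")
    hint = ("verify templateName on the issuer" if "CERTSRV_E_UNSUPPORTED_CERT_TYPE" in reason
            else "verify CA policy for this request")
    return (f"Certificate {certificate['metadata']['name']}: AdcsRequest "
            f"{adcs_status.get('id')} rejected ({hint}); CertificateRequest "
            f"Ready={ready.get('reason')}, lastFailureTime unset, cert-manager will not retry")
```

Run it against live objects by feeding the three `kubectl get ... -o json` documents to `diagnose`; a returned string means the Certificate must be reissued by hand (or the chain otherwise kicked) even after the issuer's templateName has been corrected.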
djkormo commented 1 month ago

Such a scenario has never been tested so far. I'll try to repeat it. I'm still looking for new coworkers.