We use this issuer and under normal circumstances everything works as expected.
Our Active Directory team has changed the template name without our knowledge and we have noticed that there are no more retries to issue the certificate. We have corrected the templateName in the ClusterAdcsIssuer, but still no retry. We need to delete the certificate and reapply it for the issuance to work again.
AdcsRequest

```text
Status:
  Id:      2814400
  Reason:  Denied by Policy Module 0x80094800, The request was for a certificate template that is not supported by the Active Directory Certificate Services policy: Webserver_3Years. The requested certificate template is not supported by this CA. 0x80094800 (-2146875392 CERTSRV_E_UNSUPPORTED_CERT_TYPE)
  State:   rejected
```

CertificateRequest

```text
Status:
  Conditions:
    Last Transition Time:  2024-09-12T06:38:58Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2024-09-12T06:38:58Z
    Message:               ADCS request rejected
    Reason:                Pending
    Status:                False
    Type:                  Ready
```

Certificate

```text
Status:
  Conditions:
    Last Transition Time:  2024-09-12T06:38:52Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                False
    Type:                  Ready
    Last Transition Time:  2024-09-12T06:38:52Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                True
    Type:                  Issuing
  Next Private Key Secret Name:  ca-cert-test-84vdb
```
Also, the status.lastFailureTime field in the Certificate is not set, so cert-manager does not retry the request. However, I suspect that adcs is doing the retries.
adcs-issuer version: 2.1.2
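The situation the report describes (a Certificate in Issuing=True, its CertificateRequest Ready=False after an ADCS rejection, and no status.lastFailureTime on the Certificate, so no cert-manager back-off/retry) is easy to miss until something expires. The following script is an added example, not part of adcs-issuer or cert-manager; it consumes the JSON that `kubectl get certificate,certificaterequest,adcsrequest -A -o json` returns and flags Certificates stuck in that state. The sample objects are constructed from the status values quoted above, and the assumption that an AdcsRequest shares its CertificateRequest's namespace and name is this example's own, not something the project documents.

```python
"""Detect cert-manager Certificates that are stuck after an ADCS rejection.

Added example (not adcs-issuer or cert-manager code). A Certificate is flagged when:
  * its Issuing condition is True and Ready is not True,
  * status.lastFailureTime is absent (cert-manager will not back off and retry),
  * a CertificateRequest it owns has Ready=False, and
  * the matching AdcsRequest (assumed: same namespace and name) has state "rejected".
"""
import json
from datetime import datetime, timezone
from typing import Optional


def parse_k8s_time(value: str) -> datetime:
    """Parse an RFC 3339 timestamp as emitted by the Kubernetes API."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def condition(obj: dict, cond_type: str) -> Optional[dict]:
    """Return the status condition with the given type, or None."""
    for cond in obj.get("status", {}).get("conditions", []):
        if cond.get("type") == cond_type:
            return cond
    return None


def owned_by(obj: dict, kind: str, name: str) -> bool:
    """True if obj carries an ownerReference to kind/name."""
    return any(ref.get("kind") == kind and ref.get("name") == name
               for ref in obj.get("metadata", {}).get("ownerReferences", []))


def split_by_kind(items: list) -> dict:
    """Group the items of a kubectl `List` document by their kind."""
    grouped: dict = {}
    for item in items:
        grouped.setdefault(item.get("kind"), []).append(item)
    return grouped


def find_stuck(certificates, cert_requests, adcs_requests, now, min_age_seconds=900):
    """Return one finding per Certificate whose issuance was rejected but is not retried."""
    adcs_by_key = {(a["metadata"]["namespace"], a["metadata"]["name"]): a for a in adcs_requests}
    findings = []
    for cert in certificates:
        ns, name = cert["metadata"]["namespace"], cert["metadata"]["name"]
        issuing, ready = condition(cert, "Issuing"), condition(cert, "Ready")
        if not issuing or issuing.get("status") != "True":
            continue
        if ready and ready.get("status") == "True":
            continue
        if cert.get("status", {}).get("lastFailureTime"):
            continue  # cert-manager recorded the failure; it will back off and retry
        age = int((now - parse_k8s_time(issuing["lastTransitionTime"])).total_seconds())
        if age < min_age_seconds:
            continue  # a fresh issuance may still complete
        for cr in cert_requests:
            if cr["metadata"]["namespace"] != ns or not owned_by(cr, "Certificate", name):
                continue
            cr_ready = condition(cr, "Ready")
            if not cr_ready or cr_ready.get("status") != "False":
                continue
            adcs = adcs_by_key.get((ns, cr["metadata"]["name"]))  # assumption: same name
            if adcs is None or adcs.get("status", {}).get("state") != "rejected":
                continue
            findings.append({
                "namespace": ns, "name": name,
                "certificate_request": cr["metadata"]["name"],
                "adcs_id": adcs["status"].get("id"),
                "reason": adcs["status"].get("reason", ""),
                "age_seconds": age,
            })
    return findings


# Constructed samples mirroring the statuses quoted in the report (not real cluster data).
SAMPLE_NOW = datetime(2024, 9, 12, 7, 0, 0, tzinfo=timezone.utc)
SAMPLE_CERTIFICATE = {
    "kind": "Certificate", "metadata": {"name": "ca-cert-test", "namespace": "default"},
    "status": {  # note: no lastFailureTime
        "conditions": [
            {"type": "Ready", "status": "False", "reason": "DoesNotExist",
             "lastTransitionTime": "2024-09-12T06:38:52Z"},
            {"type": "Issuing", "status": "True", "reason": "DoesNotExist",
             "lastTransitionTime": "2024-09-12T06:38:52Z"}],
        "nextPrivateKeySecretName": "ca-cert-test-84vdb"}}
SAMPLE_CERTIFICATE_REQUEST = {
    "kind": "CertificateRequest",
    "metadata": {"name": "ca-cert-test-1", "namespace": "default",
                 "ownerReferences": [{"kind": "Certificate", "name": "ca-cert-test"}]},
    "status": {"conditions": [
        {"type": "Approved", "status": "True", "reason": "cert-manager.io",
         "lastTransitionTime": "2024-09-12T06:38:58Z"},
        {"type": "Ready", "status": "False", "reason": "Pending",
         "message": "ADCS request rejected", "lastTransitionTime": "2024-09-12T06:38:58Z"}]}}
SAMPLE_ADCS_REQUEST = {
    "kind": "AdcsRequest", "metadata": {"name": "ca-cert-test-1", "namespace": "default"},
    "status": {"id": "2814400", "state": "rejected",
               "reason": "Denied by Policy Module 0x80094800 (CERTSRV_E_UNSUPPORTED_CERT_TYPE)"}}


if __name__ == "__main__":
    # Replace the samples with split_by_kind(json.load(sys.stdin)["items"]) for a live cluster.
    grouped = split_by_kind([SAMPLE_CERTIFICATE, SAMPLE_CERTIFICATE_REQUEST, SAMPLE_ADCS_REQUEST])
    for f in find_stuck(grouped.get("Certificate", []), grouped.get("CertificateRequest", []),
                        grouped.get("AdcsRequest", []), SAMPLE_NOW):
        print(json.dumps(f))
```

Run it from a cron job or a monitoring sidecar and alert on any output: a finding means the ADCS policy module rejected the template and nothing in the cluster will retry until the Certificate is re-created, which is exactly the manual step the report ends up needing.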