djkormo / adcs-issuer

BSD 3-Clause "New" or "Revised" License

chart does not deploy CRDs #63

Closed mhegreberg closed 6 months ago

mhegreberg commented 7 months ago

Hello, I'm trying to test this issuer in my environment, and am having a really hard time trying to understand how to apply the CRDs to my environment.

Trying to install the Helm chart tells me that I need the CRDs installed.

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "adcs-sim-adcsclusterissuer" namespace: "" from "": no matches for kind "ClusterAdcsIssuer" in version "adcs.certmanager.csf.nokia.com/v1"

I tried to make the repository like the docs said, and see if that generated the CRDs, but I get the following error:

/home/mark/source/adcs-issuer/bin/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
bash: line 1: /home/mark/source/adcs-issuer/bin/controller-gen: No such file or directory

I feel like I'm missing something here in order to use this issuer.

djkormo commented 7 months ago

Add your values file to recreate the issue.

Try to add to your file

crd:
  install: true

I'll try to make this documentation more clear.

https://djkormo.github.io/adcs-issuer/

mhegreberg commented 7 months ago

I ran this on a new cluster, right after installing cert manager.

I copied your sample values, and verified that the crd install was set to true. I still get this error:

% helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.10 \
--namespace cert-manager --values values.yaml --dry-run

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "adcs-sim-adcsclusterissuer" namespace: "" from "": no matches for kind "ClusterAdcsIssuer" in version "adcs.certmanager.csf.nokia.com/v1"
ensure CRDs are installed first

I appreciate the help

djkormo commented 6 months ago

helm search repo adcs-issuer
NAME                            CHART VERSION   APP VERSION     DESCRIPTION
djkormo-adcs-issuer/adcs-issuer 2.0.10          2.0.10          ADCS issuser plugin for cert-manager

helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.10 --namespace cert-manager --values charts/adcs-issuer/values.yaml --dry-run
Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: resource mapping not found for name: "adcs-sim-adcsclusterissuer" namespace: "" from "": no matches for kind "ClusterAdcsIssuer" in version "adcs.certmanager.csf.nokia.com/v1"

The error comes from the simulator setup. Please disable the simulator:

helm install adcs-issuer djkormo-adcs-issuer/adcs-issuer --version 2.0.10 --namespace cert-manager  --set simulator.enabled=false  --values charts/adcs-issuer/values.yaml --dry-run

mhegreberg commented 6 months ago

That worked! I was able to install the chart.

I was able to send a test cert request, but it doesn't seem to be processing.

ts=2024-03-11T22:14:19.423400883Z level=info logger=controller.adcsrequest msg="Processing request" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-1 namespace=web adcsrequest=web/adcs-cert-test-1
ts=2024-03-11T22:14:19.423464124Z level=error logger=controller.adcsrequest msg="Couldn't get issuer" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-1 namespace=web adcsrequest=web/adcs-cert-test-1 issuer="{test-adcs AdcsIssuer adcs.certmanager.csf.nokia.com}" error="AdcsIssuer.adcs.certmanager.csf.nokia.com \"test-adcs\" not found" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"
ts=2024-03-11T22:14:19.423527715Z level=error logger=controller.adcsrequest msg="Reconciler error" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-1 namespace=web error="AdcsIssuer.adcs.certmanager.csf.nokia.com \"test-adcs\" not found" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"

I suspected that it was because I was requesting a cert for the web namespace, but all the cert-manager and adcs stuff is in the cert-manager namespace, so I made a new cert request in the cert-manager namespace, and instead got these errors:

ts=2024-03-11T22:28:26.463452743Z level=info logger=controller.certificaterequest msg="Creating new AdcsRequest" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:26.481496668Z level=info logger=controller.adcsrequest msg="Processing request" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:26.525386115Z level=info logger=controller.certificaterequest msg="AdcsRequest already exists" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:26.525405562Z level=info logger=controller.certificaterequest msg="No change in request" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-11T22:28:27.182635344Z level=info logger=RequestCertificate msg="Starting certificate request" template="redacted-template-name" url=https://redacted-issuing-server-fqdn/certfnsh.asp
ts=2024-03-11T22:28:27.490774085Z level=info logger=RequestCertificate msg=Body template="redacted-template" body=redacted
ts=2024-03-11T22:28:27.490880785Z level=error logger=RequestCertificate msg="Couldn't obtain new certificate ID" template="redacted-template" body="redacted-404-error" error="Unknown error occured" stacktrace="github.com/nokia/adcs-issuer/issuers.(*Issuer).Issue\n\t/workspace/issuers/issuer.go:57\ngithub.com/nokia/adcs-issuer/controllers.(*AdcsRequestReconciler).Reconcile\n\t/workspace/controllers/adcsrequest_controller.go:83\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"
ts=2024-03-11T22:28:27.490931697Z level=error logger=controller.adcsrequest msg="Failed request will be re-tried" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1 retryinterval=3600 error="Unknown error occured" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"

I suspect that the url field in the AdcsIssuer is invalid. I've just pointed it to our issuing ADCS server. Should this be something else?

I appreciate all the help!

jamallorock commented 6 months ago

Hi. Can you paste your values file and CSR for the certificate?

mhegreberg commented 6 months ago

The values file I used was the default from the repo, unchanged.

Here is the CSR YAML:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  annotations:
  name: adcs-cert-test-cm
  namespace: cert-manager
spec:
  commonName: test.redacted.fqdn
  dnsNames:
  - test.redacted.fqdn
  issuerRef:
    group: adcs.certmanager.csf.nokia.com
    kind: AdcsIssuer
    name: test-adcs
  secretName: adcs-cert-test-cm

djkormo commented 6 months ago

Try to turn on debug mode

        - name: ENABLE_DEBUG
          value: "true" # <--- here

mhegreberg commented 6 months ago

I did that and got the following logs:

ts=2024-03-12T17:33:52.564625053Z level=info logger=controller.certificaterequest msg="Creating new AdcsRequest" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:52.575324276Z level=info logger=controller.adcsrequest msg="Processing request" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:52.626528036Z level=info logger=controller.certificaterequest msg="AdcsRequest already exists" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:52.626545247Z level=info logger=controller.certificaterequest msg="No change in request" reconcilergroup=cert-manager.io reconcilerkind=CertificateRequest name=adcs-cert-test-cm-1 namespace=cert-manager certificaterequest=cert-manager/adcs-cert-test-cm-1
ts=2024-03-12T17:33:53.476094957Z level=info logger=newNtlm msg="NTLM verification start" username=redacted password=redacted url=https://issuingserver-fqdn
ts=2024-03-12T17:33:53.47614119Z level=info logger=newNtlm msg="NTLM verification Using NTLM"
ts=2024-03-12T17:33:53.47616339Z level=info logger=newNtlm msg="NTLM verification stop" username=redacted password=redacted url=https://issuingserver-fqdn
ts=2024-03-12T17:33:53.476195804Z level=info logger=RequestCertificate msg="Starting certificate request" template="redacted-template" url=https://issuingserver-fqdn/certfnsh.asp
ts=2024-03-12T17:33:53.476684529Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" request="{POST https://issuingserver-fqdn/certfnsh.asp HTTP/1.1 1 1 map[Authorization:[Basic redacted] Content-Type:[application/x-www-form-urlencoded] User-Agent:[Mozilla]] {CertAttrib=CertificateTemplate%3Aredacted-template&CertRequest=-----BEGIN+CERTIFICATE+REQUEST-----redacted-----END+CERTIFICATE+REQUEST-----%0A&CertificateTemplate=redacted-template&FriendlyType=Saved-Request+Certificate&Mode=newreq&SaveCert=yes&TargetStoreFlags=0} 0x7689c0 1265 [] false issuingserver-fqdn map[] map[] <nil> map[]   <nil> <nil> <nil> 0xc00004a308}"
ts=2024-03-12T17:33:53.533512549Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" error=null
ts=2024-03-12T17:33:53.533593314Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" response="{404 Not Found 404 HTTP/1.1 1 1 map[Content-Length:[1245] Content-Type:[text/html] Date:[Tue, 12 Mar 2024 17:33:53 GMT] Server:[Microsoft-IIS/10.0] X-Powered-By:[ASP.NET]] 0xc0001314c0 1245 [] false false map[] 0xc0000da800 0xc0001980b0}"
ts=2024-03-12T17:33:53.533655969Z level=info logger=RequestCertificate msg="Sending request" template="redacted-template" response="{404 Not Found 404 HTTP/1.1 1 1 map[Content-Length:[1245] Content-Type:[text/html] Date:[Tue, 12 Mar 2024 17:33:53 GMT] Server:[Microsoft-IIS/10.0] X-Powered-By:[ASP.NET]] 0xc0001314c0 1245 [] false false map[] 0xc0000da800 0xc0001980b0}"
ts=2024-03-12T17:33:53.533719953Z level=info logger=RequestCertificate msg=Body template="redacted-template" body=redacted
ts=2024-03-12T17:33:53.533764382Z level=info logger=RequestCertificate msg=Body template="redacted-template" body="<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\r\n<title>404 - File or directory not found.</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\nfieldset{padding:0 15px 10px 15px;} \r\nh1{font-size:2.4em;margin:0;color:#FFF;}\r\nh2{font-size:1.7em;margin:0;color:#CC0000;} \r\nh3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\", Verdana, sans-serif;color:#FFF;\r\nbackground-color:#555555;}\r\n#content{margin:0 0 0 2%;position:relative;}\r\n.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"header\"><h1>Server Error</h1></div>\r\n<div id=\"content\">\r\n <div class=\"content-container\"><fieldset>\r\n  <h2>404 - File or directory not found.</h2>\r\n  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n"
ts=2024-03-12T17:33:53.533865855Z level=error logger=RequestCertificate msg="Couldn't obtain new certificate ID" template="redacted-template" body="<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Strict//EN\" \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd\">\r\n<html xmlns=\"http://www.w3.org/1999/xhtml\">\r\n<head>\r\n<meta http-equiv=\"Content-Type\" content=\"text/html; charset=iso-8859-1\"/>\r\n<title>404 - File or directory not found.</title>\r\n<style type=\"text/css\">\r\n<!--\r\nbody{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}\r\nfieldset{padding:0 15px 10px 15px;} \r\nh1{font-size:2.4em;margin:0;color:#FFF;}\r\nh2{font-size:1.7em;margin:0;color:#CC0000;} \r\nh3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} \r\n#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:\"trebuchet MS\", Verdana, sans-serif;color:#FFF;\r\nbackground-color:#555555;}\r\n#content{margin:0 0 0 2%;position:relative;}\r\n.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}\r\n-->\r\n</style>\r\n</head>\r\n<body>\r\n<div id=\"header\"><h1>Server Error</h1></div>\r\n<div id=\"content\">\r\n <div class=\"content-container\"><fieldset>\r\n  <h2>404 - File or directory not found.</h2>\r\n  <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>\r\n </fieldset></div>\r\n</div>\r\n</body>\r\n</html>\r\n" error="Unknown error occured" 
stacktrace="github.com/nokia/adcs-issuer/issuers.(*Issuer).Issue\n\t/workspace/issuers/issuer.go:57\ngithub.com/nokia/adcs-issuer/controllers.(*AdcsRequestReconciler).Reconcile\n\t/workspace/controllers/adcsrequest_controller.go:83\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"
ts=2024-03-12T17:33:53.533980412Z level=error logger=controller.adcsrequest msg="Failed request will be re-tried" reconcilergroup=adcs.certmanager.csf.nokia.com reconcilerkind=AdcsRequest name=adcs-cert-test-cm-1 namespace=cert-manager adcsrequest=cert-manager/adcs-cert-test-cm-1 retryinterval=3600 error="Unknown error occured" stacktrace="sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:114\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:311\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.11.0/pkg/internal/controller/controller.go:227"

I suspect that merely pointing to the issuing ADCS server's FQDN is not correct here. Is there a specific endpoint I should be hitting? Is there a feature that this issuer relies on in the ADCS server I need to enable?

djkormo commented 6 months ago

Try to talk with your ADCS administrator. Try to use a web browser to open https://issuingserver-fqdn/certcarc.asp

Here you have more details about the endpoints used on the ADCS side:

https://github.com/djkormo/adcs-issuer/blob/master/adcs/ntlm_certsrv.go

certnew_cer = "certnew.cer"
certnew_p7b = "certnew.p7b"
certcarc    = "certcarc.asp"
certfnsh    = "certfnsh.asp"

Begin with getting the CA cert from it:

https://github.com/djkormo/adcs-issuer/blob/master/adcs/ntlm_certsrv.go#L320
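
The pre-flight check suggested above (open certcarc.asp and see whether the path actually exists), as an added Go example that is not part of the adcs-issuer code base. It builds the certsrv URLs the same way the issuer does (spec.url plus page name), GETs the two .asp pages without credentials, and treats any answer other than the IIS 404 seen in the logs as "the page is there". The real CA is replaced by a constructed httptest server that, like a default ADCS Web Enrollment install, publishes the pages only under /certsrv/ and answers 401 until Windows credentials are supplied; the /certsrv path and the 401 behaviour are assumptions about a default install, not something this thread states.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// The two certsrv .asp pages named in adcs/ntlm_certsrv.go; certnew.cer and
// certnew.p7b need a ReqID, so a bare GET on them tells us nothing.
var probePages = []string{"certcarc.asp", "certfnsh.asp"}

// EndpointURL joins the AdcsIssuer spec.url with a certsrv page name. It refuses
// plain http: the issuer sends NTLM/Basic credentials on every request.
func EndpointURL(base, page string) (string, error) {
	u, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" {
		return "", fmt.Errorf("refusing %q: certsrv must be reached over https", base)
	}
	if !strings.HasSuffix(u.Path, "/") {
		u.Path += "/"
	}
	u.Path += page
	return u.String(), nil
}

// Probe GETs every probe page under base without credentials and maps URL -> status.
func Probe(ctx context.Context, client *http.Client, base string) (map[string]int, error) {
	out := map[string]int{}
	for _, page := range probePages {
		u, err := EndpointURL(base, page)
		if err != nil {
			return nil, err
		}
		req, err := http.NewRequestWithContext(ctx, http.MethodGet, u, nil)
		if err != nil {
			return nil, err
		}
		resp, err := client.Do(req)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", u, err)
		}
		_, _ = io.Copy(io.Discard, resp.Body) // drain so the TLS connection is reused
		resp.Body.Close()
		out[u] = resp.StatusCode
	}
	return out, nil
}

// Healthy reports whether base can go into spec.url. 401 is the healthy answer
// (page exists, Web Enrollment wants Windows credentials); 404 is the IIS
// "File or directory not found" page: wrong path or role not installed.
func Healthy(results map[string]int) bool {
	for _, status := range results {
		if status == http.StatusNotFound {
			return false
		}
	}
	return len(results) > 0
}

// NewFakeADCS is a constructed stand-in (assumption: default layout) for an IIS
// host that publishes Web Enrollment only under /certsrv/ and demands
// authentication there. Every other path gets the IIS 404 page.
func NewFakeADCS() *httptest.Server {
	const iis404 = "<html><head><title>404 - File or directory not found.</title></head></html>"
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case !strings.HasPrefix(r.URL.Path, "/certsrv/"):
			w.Header().Set("Content-Type", "text/html")
			w.WriteHeader(http.StatusNotFound)
			_, _ = io.WriteString(w, iis404)
		case r.Header.Get("Authorization") == "":
			w.Header().Add("WWW-Authenticate", "Negotiate")
			w.WriteHeader(http.StatusUnauthorized)
		default:
			_, _ = io.WriteString(w, "<title>Microsoft Active Directory Certificate Services</title>")
		}
	}))
}

func main() {
	srv := NewFakeADCS()
	defer srv.Close()
	// The bare host the thread tried, then the same host with /certsrv appended.
	for _, base := range []string{srv.URL, srv.URL + "/certsrv"} {
		results, err := Probe(context.Background(), srv.Client(), base)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%v usable as spec.url: %v\n", results, Healthy(results))
	}
}
```

Run it as-is to see the bare host fail and the /certsrv base pass; against a real CA, pass your issuing server's URL and a plain http.Client to Probe instead of the fake. One caveat from the ENABLE_DEBUG output earlier in this thread: those log lines carry username=, password= and the Basic Authorization header, so keep the debug flag off outside troubleshooting and treat the controller logs as secrets while it is on.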

mhegreberg commented 6 months ago

I think you're right. It seems to be an issue with how adcs web services is setup at this point, not this issuer.

This has been very helpful! thank you. I'll go ahead and close this. When I get the adcs side taken care of, I'm happy to submit a PR with documentation on how to get that side configured, if that is desired.