gardener-attic / issues-foo


test close ticket issue #199

Closed neo-liang-sap closed 1 year ago

neo-liang-sap commented 1 year ago

What happened?

We switched to Gardener-provided certificates for our Solace message brokers. Now, CPI tenants have a problem connecting to the brokers with JCSMP: "com.solacesystems.jcsmp.JCSMPTransportException: CertificateException - java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors"

The Gardener-managed certificate has the following chain:

        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

________

        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3

________

        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Aug 16 14:00:52 2023 GMT
            Not After : Nov 14 14:00:51 2023 GMT
        Subject: CN = *.vmr.sandbox.psb-prod.coco18.org

Quick research on the error message revealed that it is problematic to have a longer validity in the intermediate than in the root certificate. This is the case in the chain provided by the Gardener cert-manager.

This already triggered a Very High ticket and is now in escalation mode on the CPI side, so please assist as fast as possible.

What you expected to happen?

The previous certificate chain we used looked like this:

        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3

________

        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Jul 24 09:49:14 2023 GMT
            Not After : Oct 22 09:49:13 2023 GMT
        Subject: CN = *.vmr.eu12.ssb-live.live.messagebroker.net.sap

How would we reproduce it (concisely and precisely)?

Compare the output of the following commands:

        openssl s_client -showcerts -connect vmr-e0d37365-cda5-4552-b518-19d5b0f4e3fd.vmr.sandbox.psb-prod.coco18.org:943   (Gardener-managed cert)
        openssl s_client -showcerts -connect vmr-bbda6d45-5eb5-40b9-88db-da6c3523738a.vmr.eu12.ssb-live.live.messagebroker.net.sap:943   (not Gardener-managed cert)

Anything else we need to know?

Environment: cluster psb-prod/sandbox

Help us categorise this issue for faster resolution:

/area certification networking /os garden-linux /platform aws

/priority critical
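As an added example (not part of the issue or of Gardener's code), the following script parses the `openssl x509 -text` style chain listing quoted above and reports two things a defender would check first when a client fails with "Path does not chain with any of the trust anchors": whether the chain ends in a certificate that is not self-signed (so the client truststore must hold its issuer or the certificate itself as an anchor), and whether any certificate's Not After lies beyond that of the certificate it chains to, which is the condition the reporter suspects. It only inspects the presented chain's text; it is no substitute for real path validation against the client's truststore.

```python
import re
from datetime import datetime

# Constructed sample input: the Gardener-managed chain quoted in the issue, in
# "openssl x509 -text" layout; the leaf is listed last, as in the report.
GARDENER_CHAIN = """
        Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
        Validity
            Not Before: Jan 20 19:14:03 2021 GMT
            Not After : Sep 30 18:14:03 2024 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
        Subject: C = US, O = Let's Encrypt, CN = R3
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Aug 16 14:00:52 2023 GMT
            Not After : Nov 14 14:00:51 2023 GMT
        Subject: CN = *.vmr.sandbox.psb-prod.coco18.org
"""

CERT_RE = re.compile(r"Issuer:\s*(.+?)\n\s*Validity\n\s*Not Before:\s*(.+?)\n"
                     r"\s*Not After\s*:\s*(.+?)\n\s*Subject:\s*(.+?)\n")


def parse_chain(text):
    """Return one dict per certificate, in the order they appear in the text."""
    # openssl pads the day ("Sep  4"); collapsing whitespace keeps strptime happy.
    d = lambda s: datetime.strptime(" ".join(s.split()), "%b %d %H:%M:%S %Y %Z")
    return [{"issuer": i.strip(), "subject": s.strip(), "not_after": d(na)}
            for i, nb, na, s in CERT_RE.findall(text)]


def check_chain(certs):
    """Flag a chain ending in a cross-signed cert and any cert outliving its issuer's cert."""
    by_subject = {c["subject"]: c for c in certs}
    findings = []
    for c in certs:
        if c["issuer"] == c["subject"]:
            continue  # self-signed root: nothing above it to compare against
        parent = by_subject.get(c["issuer"])
        if parent is None:
            findings.append(f"chain ends at '{c['subject']}' signed by '{c['issuer']}', "
                            "which is not sent: the client truststore must trust one of them")
            continue
        if c["not_after"] > parent["not_after"]:
            findings.append(f"'{c['subject']}' expires {c['not_after']:%Y-%m-%d}, after the "
                            f"'{parent['subject']}' cert it chains to ({parent['not_after']:%Y-%m-%d})")
    return findings
```

Feeding it the output of `openssl s_client -showcerts ... | openssl x509 -text` per certificate (or the text as quoted in the issue) shows that the Gardener chain ends at a cross-signed ISRG Root X1 and that the R3 certificate's validity extends beyond it.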

gardener-robot-dev commented 1 year ago

@neo-liang-sap Oops, the dashboard link that you have provided (domain garden.canary.k8s.ondemand.com) does not match this repository (domains staging.gardener.cloud.sap, garden.staging.k8s.ondemand.com). Please open the issue at the correct repository. You can invoke the cluster self-diagnosis yourself later with /diag on a separate line in a comment to this issue.

gardener-robot-dev commented 1 year ago

@neo-liang-sap Label area/certification does not exist.

gardener-robot-dev commented 1 year ago

@neo-liang-sap The issue was assigned to you under author-action. Please unassign yourself when you are done. Thank you.

gardener-robot-dev commented 1 year ago

@neo-liang-sap ⚠️ Issue has priority critical, but the highest possible permitted priority for this landscape is normal. Priority will be lowered.