Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trust Manager is reordering certificates injected by CA bundle #419

Open
sagarmujumale opened this issue Aug 16, 2024 · 7 comments
Open
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@sagarmujumale
Copy link

sagarmujumale commented Aug 16, 2024

Trust Manager is reordering certificates injected by CA bundle in config maps. Pods are unable to communicate with service running in different namespace and complaining "unable to find valid certification path to requested target".

As we are using intermediate certs, all certs must be in order(intermediate and the root CA), however trust manager is changing the sequence and adding root CA above the intermediate which is not the correct sequence. Which is breaking the chain and service communication failing as there is no chain.

@erikgb
Copy link
Contributor

erikgb commented Aug 17, 2024

@sagarmujumale, why do you need intermediate CAs in your trust bundle? It is usually much better/easier to add trust exclusively to self-signed/root CAs. We have an open issue with requiring only self-signed/root CAs in trust bundles by default: #4.

@sagarmujumale
Copy link
Author

sagarmujumale commented Aug 20, 2024

@erikgb We are using intermediate CA for highly important services. We dont want to use root CA in all of the environment to sign the certs. All these services are communicating with each other across all the environment. hence we need to use complete chain in bundle. The fetaure requiring only self-signed/root CAs in trust bundles by default: #4. which is good for some environment who are not using any signed certs for their services.

It will be better if we use "allowIntermediateCertificates" to keep existing feature along with default self signed certificate.

@inteon
Copy link
Member

inteon commented Aug 20, 2024

@sagarmujumale all certificates in a trust bundle are trusted normally. There should be no need to form a chain in your trust bundle. Normally, clients check each certificate starting from the leaf and stop when they find a match (in your case the first match will be the intermediate).

@SgtCoDFish
Copy link
Member

Hey @sagarmujumale from looking at this I'm not sure I'm understanding why the ordering would matter here. I think I need more context to determine if there's anything we need to change here.

Do you have some software which requires a specific ordering of certs in a trust bundle? I've never encountered that before and I'd find the behaviour very surprising to say the least!

@sagarmujumale
Copy link
Author

@SgtCoDFish We are distributing Service Root CA and Service Intermediate CA in bundle. All services are using service intermediate CA signed certificate. All K8's clusters has Intermediate service CA signed by root CA. Services are using this certificate to communicate with each other. Reordering certificate chain is causing cert trust issues. It need to have in certain order to form a chain.

@erikgb
Copy link
Contributor

erikgb commented Oct 12, 2024

@sagarmujumale I think your services should serve certificate chains instead of adding intermediate CAs to the trust bundle. But even if you insist on trusting the intermediate CAs explicitly by adding them to the trust bundle, the order shouldn't matter. I would take a closer look at the software checking your chains.

@cert-manager-bot
Copy link
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

@cert-manager-prow cert-manager-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.
Projects
None yet
Development

No branches or pull requests

5 participants