Skip to content

The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block #4142

Description

@rumanzo

Hello! I try to get certificate from cert-manager for linkerd use and have problem.
I create vault issuer, and certificate. Certificate creates, but Certificate has False status
and I see many certificates in vault, for each iteration of create certificate with cert-manager.

$ kubectl get issuers.cert-manager.io -n linkerd
NAME                   READY   AGE
linkerd-trust-anchor   True    54m
$ kubectl get certificates.cert-manager.io -n linkerd
NAME                      READY   SECRET                    AGE
linkerd-identity-issuer   False   linkerd-identity-issuer   54m
$ kubectl describe certificate -n linkerd linkerd-identity-issuer
...
Status:
  Conditions:
    Last Transition Time:  2021-06-25T13:49:26Z
    Message:               Issuing certificate as Secret does not exist
    Observed Generation:   1
    Reason:                DoesNotExist
    Status:                False
    Type:                  Ready
    Last Transition Time:  2021-06-25T13:49:27Z
    Message:               The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block
    Observed Generation:   1
    Reason:                Failed
    Status:                False
    Type:                  Issuing
  Last Failure Time:       2021-06-25T13:49:27Z
Events:
  Type     Reason     Age   From          Message
  ----     ------     ----  ----          -------
  Normal   Issuing    55m   cert-manager  Issuing certificate as Secret does not exist
  Normal   Generated  55m   cert-manager  Stored new private key in temporary Secret resource "linkerd-identity-issuer-rdsss"
  Normal   Requested  54m   cert-manager  Created new CertificateRequest resource "linkerd-identity-issuer-bvzfm"
  Warning  Failed     54m   cert-manager  The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
---
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: v1
kind: Secret
metadata:
  name: linkerd-trust-anchor-secret
  namespace: linkerd
  annotations:
    kubernetes.io/service-account.name: linkerd-trust-anchor
type: kubernetes.io/service-account-token
---
# Source: linkerd-issuers/templates/certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-identity-issuer
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
    size: 256
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth
---
# Source: linkerd-issuers/templates/issuers.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  vault:
    path: linkerd/sign/linkerd-trust-anchor
    server: https://myvaultaddr/
    auth:
      kubernetes:
        role: linkerd-trust-anchor
        mountPath: /v1/auth/kubernetes-new
        secretRef:
          name: linkerd-trust-anchor-secret
          key: token

Expected behaviour:
I must see linkerd-identity-issuer secret in linkerd namespace and READY status of Certificate true

Steps to reproduce the bug:
I use this guides for setup vault issuer and this commands:
https://cert-manager.io/docs/configuration/vault/
https://linkerd.io/2.10/tasks/automatically-rotating-control-plane-tls-credentials/#
https://learn.hashicorp.com/tutorials/vault/kubernetes-cert-manager?in=vault/kubernetes#configure-pki-secrets-engine

$ vault secrets enable -path linkerd pki
$ vault secrets tune -max-lease-ttl=175200h linkerd
$ vault write linkerd/root/generate/internal common_name=identity.linkerd.cluster.local key_type=ec key_bits=256 ttl=175200h
$ vault write linkerd/config/urls issuing_certificates="https://myvaultaddr/v1/linkerd/ca" url_distribution_points="https://myvaultaddr/v1/linkerd/crl"
$ vault write linkerd/roles/linkerd-trust-anchor allowed_domains=cluster.local allow_subdomains=true max_ttl=48h key_type=ec key_bits=256
$ vault policy write linkerd-trust-anchor - <<EOF
path "linkerd*"                        { capabilities = ["read", "list"] }
path "linkerd/roles/linkerd-trust-anchor"   { capabilities = ["create", "update"] }
path "linkerd/sign/linkerd-trust-anchor"    { capabilities = ["create", "update"] }
path "linkerd/issue/linkerd-trust-anchor"   { capabilities = ["create"] }
EOF

$ vault write auth/kubernetes-new/role/linkerd-trust-anchor bound_service_account_names=linkerd-trust-anchor bound_service_account_namespaces=linkerd policies=linkerd-trust-anchor ttl=20m

Anything else we need to know?:

Environment details::

  • Kubernetes version: v1.21.0
  • cert-manager version: v1.4.0
  • Install method: helm

/kind bug

Metadata

Metadata

Assignees

No one assigned

    Labels

    area/vaultIndicates a PR directly modifies the Vault Issuer codekind/bugCategorizes issue or PR as related to a bug.priority/important-soonMust be staffed and worked on either currently, or very soon, ideally in time for the next release.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions