Invalid certificate chain when using Vault with Intermediate CA #155

Open
atoy3731 opened this issue May 10, 2022 · 4 comments

Comments

@atoy3731

atoy3731 commented May 10, 2022

Versions:

  • Istio: 1.13.2
  • Cert-Manager: 1.8.0
  • Istio CSR: 0.4.2 (chart), 0.4.0 (app)
  • Vault: 1.9.2

I'm using the following script to try to test using Vault for my Istio CA, but when using curl between 2 istio-injected pods, I get CERTIFICATE_VERIFY_FAILED:

# Create root CA
vault secrets enable pki
vault secrets tune -max-lease-ttl=87600h pki
vault write -field=certificate pki/root/generate/internal \
     common_name="svc" \
     ttl=87600h > CA_cert.crt
vault write pki/config/urls \
     issuing_certificates="$VAULT_ADDR/v1/pki/ca" \
     crl_distribution_points="$VAULT_ADDR/v1/pki/crl"

# Generate intermediate Istio CA
vault secrets enable -path=pki_istio pki
vault secrets tune -max-lease-ttl=43800h pki_istio
vault write -format=json pki_istio/intermediate/generate/internal \
     common_name="svc Intermediate CA" \
     | jq -r '.data.csr' > pki_istio.csr
vault write -format=json pki/root/sign-intermediate csr=@pki_istio.csr \
     format=pem_bundle ttl="43800h" \
     | jq -r '.data.certificate' > istio.cert.pem
vault write pki_istio/intermediate/set-signed certificate=@istio.cert.pem

# Create role for signing
vault write pki_istio/roles/istio_role \
     allowed_domains=svc \
     allow_subdomains=true \
     allowed_uri_sans=spiffe://cluster.local/* \
     require_cn=false \
     max_ttl="8766h"

# Create approle for cert-manager
cat <<EOT >> istio_policy.hcl
path "pki_istio/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOT

vault policy write istio_policy ./istio_policy.hcl
vault write auth/approle/role/istio_role \
    token_policies=istio_policy

When running this command to test:

kubectl exec -it -n sample $(kubectl get pods -n sample -l app=sleep --no-headers | awk '{ print $1 }') -c istio-proxy -- openssl s_client -showcerts -connect helloworld.sample:5000

It appears the certificate chain is invalid and it can't get the local issuer certificate:

CONNECTED(00000003)
depth=1 CN = svc Intermediate CA
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0
verify return:1
---
Certificate chain
 0 s:
   i:CN = svc Intermediate CA
-----BEGIN CERTIFICATE-----
MIIDWjCCAkKgAwIBAgIURRQEu9Y9asllpUpgQlVj0Z2KtDgwDQYJKoZIhvcNAQEL
BQAwHjEcMBoGA1UEAxMTc3ZjIEludGVybWVkaWF0ZSBDQTAeFw0yMjA1MTAxNDAw
MDVaFw0yMjA1MTAxNTAwMzVaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQCqcdf2HNgIdo6Jr6s7OpUG5pmN6TzGws4cbeE/eQMZ45SVpJUmaCsuo/fw
ygYsOzbK0iywJbqCI8syJ9i5y+nv8RHAH2O+ZJEh7dNzK2T2HJez7CNUrjEP9M83
0g9xz8aNzpPP4unzDCvoY2XjXg9FyelsnLykh4X4CoBU7NRrc9e9WPPAXBoMzz50
ED/WpOeADabAV3Fbm2u6pvfjk38MDP0ggs/2ugouw9SasTSgVTRuExcJTMuTHqBe
iAC5rappmBGJh89lFG1vhE07j4zJF4WOcfXAg7Fiy9jP8hNcXVnPseWe6m3FsreL
Su/AfQyHshw0YtNIxkq4Lr2A60ODAgMBAAGjga0wgaowDgYDVR0PAQH/BAQDAgOo
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUVUddNc6U
WYMtvFBa84bJKd3XFBIwHwYDVR0jBBgwFoAUxM/MbjS1oWu2YyLB7g3sWIRCRcUw
OQYDVR0RAQH/BC8wLYYrc3BpZmZlOi8vY2x1c3Rlci5sb2NhbC9ucy9zYW1wbGUv
c2EvZGVmYXVsdDANBgkqhkiG9w0BAQsFAAOCAQEAEfmnad74RUsKWcI6CfGPgZ+5
VPj3I7DYUKMk+7X0RWxJon8rcSUvt8m2d/MOTOxsJFIr10vZNFAN5aYr4Ac9+Al2
3sk2tBFYPkyBSgR+wEom3vxV0W+WLWh6lLboMptd8UfeW5TzLnkBhyJX49PoWB1L
q2ZOuzsFR1UQkWzzRNp19f7refuyWYW8X0Z34lqR2igqYQBF7m8GmwvZlNUkEFQY
gkqfUag8D1RV+QtB7nJhVKr9Gkhc4DN9YvChwvJ3dTyKwTrQnvRUAeMl2D63RvwM
suHTXXr0idO6qmFVbYnjZ3dVxzj5PsylDQ3oFE6YksaAeiVhiunbwYzBpUqZNw==
-----END CERTIFICATE-----
 1 s:CN = svc Intermediate CA
   i:CN = svc
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:CN = svc Intermediate CA
   i:CN = svc
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
---
Server certificate
subject=

issuer=CN = svc Intermediate CA

---
Acceptable client certificate CA names
CN = svc Intermediate CA
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3267 bytes and written 419 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 20 (unable to get local issuer certificate)
---
140215270085952:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1543:SSL alert number 116

This only seems to be an issue when I'm using the intermediate CA from the above script. If I configure my issuer to use the root CA directly, things work as expected. For transparency, here's my issuer:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: vault-issuer
  namespace: istio-system
spec:
  vault:
    path: pki_istio/sign/istio_role
    server: https://vault.example.com
    auth:
      appRole:
        path: approle
        roleId: "REDACTED"
        secretRef:
          name: vault-approle
          key: secretId
@kekbur

kekbur commented Aug 21, 2022

I'm encountering this issue too with the following versions:

  • Istio: 1.14.1
  • Cert-Manager: 1.9.1
  • Istio CSR: 0.5.0 (chart), 0.5.0 (app)
  • Vault: 1.11.2

@kekbur

kekbur commented Aug 22, 2022

Update: I was able to fix the issue by combining the intermediate certificate and the root certificate and passing the resulting file to Istio CSR as rootCAFile.

cat intermediate1.cert.pem ca.pem > combined1.cert.pem
kubectl --context="${CTX_CLUSTER1}" create secret generic istio-root-ca --from-file=ca.pem=combined1.cert.pem -n cert-manager
helm --kube-context="${CTX_CLUSTER1}" install -n cert-manager cert-manager-istio-csr jetstack/cert-manager-istio-csr --set app.server.clusterID=cluster1 --set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" --set "volumeMounts[0].name=root-ca" --set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" --set "volumes[0].name=root-ca" --set "volumes[0].secret.secretName=istio-root-ca" --set app.certmanager.issuer.name=vault-istio-ca1-issuer

As shown in atoy3731's openssl s_client log dump, the intermediate certificate is printed twice, but both openssl and curl are happy.

kubectl --context "$CTX_CLUSTER1" exec -n default deployment/helloworld-v1 -c istio-proxy -- openssl s_client -showcerts -connect helloworld.default2:5000

depth=2 CN = istio-ca-vault
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=2 CN = istio-ca-vault
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:
   i:CN = Istio-ca Intermediate Authority1
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:CN = Istio-ca Intermediate Authority1
   i:CN = istio-ca-vault
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 2 s:CN = Istio-ca Intermediate Authority1
   i:CN = istio-ca-vault
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 3 s:CN = istio-ca-vault
   i:CN = istio-ca-vault
-----BEGIN CERTIFICATE-----
MIIBsTCCAVigAwIBAgIUY4zBvLkdiYrPHBDU2mu0GMmAlIwwCgYIKoZIzj0EAwIw
GTEXMBUGA1UEAxMOaXN0aW8tY2EtdmF1bHQwHhcNMjIwODIyMDc1NzEzWhcNMzIw
ODE5MDc1NzQzWjAZMRcwFQYDVQQDEw5pc3Rpby1jYS12YXVsdDBZMBMGByqGSM49
AgEGCCqGSM49AwEHA0IABFAnmGzaIS2Mr8Y+Vr5kxRkfoESqxej8g3FpeWQsRygF
GVMSKEt5Ld1FlxyUzUKRhJLn2vN6LGlE6agZpIKV2a6jfjB8MA4GA1UdDwEB/wQE
AwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBST9xhhFIHO1p9SFQfY5wmP
pvPicTAfBgNVHSMEGDAWgBST9xhhFIHO1p9SFQfY5wmPpvPicTAZBgNVHREEEjAQ
gg5pc3Rpby1jYS12YXVsdDAKBggqhkjOPQQDAgNHADBEAiBbpW9ZVgmZdNLHrnTi
wbtMIqYZR3ODxe3VD1B7L33IsgIgd884tfmxMzD7//WVob57TY9Ga2N9S5CkZvXa
/FY+m8Q=
-----END CERTIFICATE-----
---
Server certificate
subject=

issuer=CN = Istio-ca Intermediate Authority1

---
Acceptable client certificate CA names
CN = istio-ca-vault
CN = Istio-ca Intermediate Authority1
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2871 bytes and written 421 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
depth=1 CN = Istio-ca Intermediate Authority1
verify return:1
depth=0
verify return:1
139984205489472:error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required:../ssl/record/rec_layer_s3.c:1543:SSL alert number 116
command terminated with exit code 1

@volodymyr-mykhailyk

While I was trying to set up a similar thing in our infrastructure, I stumbled upon an explanation for this issue:

While your solution works and follows all the security recommendations from cert-manager to extract the root CA, the proper answer might also be to change the Vault configuration.

In other words, when you set the signed certificate on the intermediate PKI backend, you should also add the root certificate to the chain. When generating a signed intermediary, adjust what is included in the intermediate.cert.pem file:

Instead of:

vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
        format=pem_bundle ttl="43800h" \
        | jq -r '.data.certificate' > intermediate.cert.pem

Use this:

vault write -format=json pki/root/sign-intermediate csr=@pki_intermediate.csr \
        format=pem_bundle ttl="43800h" \
        | jq -r '.data.certificate, .data.issuing_ca' > intermediate.cert.pem
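
The two bundles contrasted in this comment (intermediate alone versus intermediate followed by issuing_ca) and the combined file kekbur builds for rootCAFile above can be checked before they are handed to set-signed or mounted into istio-csr. The Go program below is an added example written for this thread; it is not code from the issue, from Vault, cert-manager or istio-csr. It builds a constructed root "svc", intermediate "svc Intermediate CA" and a workload leaf in memory with the standard library, then walks a PEM bundle the way a verifier does: every certificate must be signed by the one after it, and the bundle must end at a self-signed root. The key type, lifetimes and the leaf name "helloworld.sample" are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues a certificate with CommonName cn signed by parent/parentKey; with
// parent == nil it is self-signed (a root). Keys, names and lifetimes are constructed.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// pemBundle concatenates certificates in the given order, which is what
// jq -r '.data.certificate, .data.issuing_ca' writes to intermediate.cert.pem.
func pemBundle(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// CheckChain walks a PEM bundle first to last: each certificate must be signed by the
// next and the last must be self-signed. nil means complete; the error names the gap.
func CheckChain(bundle []byte) error {
	var certs []*x509.Certificate
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return fmt.Errorf("bundle contains no certificates")
	}
	last := len(certs) - 1
	for i, c := range certs[:last] {
		if err := c.CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("%q is not signed by the next certificate %q: %v", c.Subject.CommonName, certs[i+1].Subject.CommonName, err)
		}
	}
	if err := certs[last].CheckSignatureFrom(certs[last]); err != nil {
		return fmt.Errorf("chain ends at %q, issued by %q, but that issuer is not in the bundle", certs[last].Subject.CommonName, certs[last].Issuer.CommonName)
	}
	return nil
}

// Demo builds root "svc", intermediate "svc Intermediate CA" and a workload
// leaf, then checks the bundles the thread contrasts (map keys are labels).
func Demo() map[string]error {
	root, rootKey := newCert("svc", true, nil, nil)
	inter, interKey := newCert("svc Intermediate CA", true, root, rootKey)
	leaf, _ := newCert("helloworld.sample", false, inter, interKey)
	return map[string]error{
		"intermediate-only":      CheckChain(pemBundle(inter)),       // .data.certificate alone
		"intermediate+root":      CheckChain(pemBundle(inter, root)), // .data.certificate, .data.issuing_ca
		"leaf+intermediate":      CheckChain(pemBundle(leaf, inter)), // what the sidecar served in the issue
		"leaf+intermediate+root": CheckChain(pemBundle(leaf, inter, root)),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-24s %v\n", name, err)
	}
}
```

In a real pipeline you would read intermediate.cert.pem (or combined1.cert.pem) from disk and pass it to CheckChain instead of the constructed bundle; the intermediate-only file is rejected with the name of the missing issuer, the intermediate-plus-root file passes. This check is independent of the openssl s_client runs quoted in the thread, which are executed without -CAfile and so have no trust store: in that mode openssl reports code 20 whenever the served chain stops short of anything it trusts and code 19 whenever the self-signed root is present in the served chain but not trusted, regardless of whether the Vault bundle itself is correct.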

@kuberkaul

@kekbur why are you getting "Verify return code: 19 (self signed certificate in certificate chain)" even when using the Vault CA?
