Invalid order when cert-manager is used with TLS enabled
diogokiss opened this issue · comments
Diogo Kiss commented
Version
CockroachDB Helm chart: 7.0.1 (https://charts.cockroachdb.com/)
(I strongly suspect that the same issue hits the latest version too)
CockroachDB Helm chart configuration

```yaml
cockroachdb:
  tls:
    enabled: true
    certs:
      selfSigner:
        enabled: false
      certManager: true
      useCertManagerV1CRDs: true
      tlsSecret: true
      certManagerIssuer:
        kind: ClusterIssuer
```
ClusterIssuer

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: redacted@domain.com
    privateKeySecretRef:
      name: letsencrypt-key-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        cloudDNS:
          project: <my-gcp-project>
```
Error

```
Events:
  Type     Reason        Age   From                                          Message
  ----     ------        ----  ----                                          -------
  Warning  InvalidOrder  13m   cert-manager-certificaterequests-issuer-acme  The CSR PEM requests a commonName that is not present in the list of dnsNames or ipAddresses. If a commonName is set, ACME requires that the value is also present in the list of dnsNames or ipAddresses: "root" does not exist in [] or []
  Normal   cert-manager.io  13m  cert-manager-certificaterequests-approver  Certificate request has been approved by cert-manager.io
```
Related to
cert-manager/cert-manager#2370 (comment)
Potential solutions

- Add the commonName to the dnsNames list
- Make the commonName customizable in the Helm chart (I'm not sure whether this would mess with any validation in the application itself though)
- Both alternatives above
This issue similarly affects the order generated for the node certificate too:

```
Events:
  Type     Reason        Age    From                                          Message
  ----     ------        ----   ----                                          -------
  Warning  InvalidOrder  2m13s  cert-manager-certificaterequests-issuer-acme  The CSR PEM requests a commonName that is not present in the list of dnsNames or ipAddresses. If a commonName is set, ACME requires that the value is also present in the list of dnsNames or ipAddresses: "node" does not exist in [localhost 127.0.0.1 <cockroachdb.fullname>-public <cockroachdb.fullname>-public.<.Release.Namespace> <cockroachdb.fullname>-public.<.Release.Namespace>.svc.cluster.local *.<cockroachdb.fullname> *.<cockroachdb.fullname>.<.Release.Namespace> *.<cockroachdb.fullname>.<.Release.Namespace>.svc.cluster.local] or []
```
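As an added example that is not part of the original issue, the CockroachDB chart or cert-manager itself, the script below reproduces the rule behind the `InvalidOrder` event locally with nothing but the `openssl` CLI: if a CSR carries a subject CN, that CN must also appear among the SAN `DNS:` or `IP Address:` entries. The three CSRs it builds are constructed to mimic the "root" case (no SANs at all), the "node" case (SANs present but without "node") and the first proposed fix (CN appended to the dnsNames list). The function names `check_csr_cn_in_sans` and `make_csr` and the `demo` argument are my own, not anything the chart or cert-manager provides.

```bash
#!/usr/bin/env bash
# Added example (not from the issue, the chart or cert-manager): reproduce locally the
# check cert-manager's ACME issuer applies before creating an order. Needs only the
# openssl CLI (1.1.1 or newer, for -addext when building the sample CSRs).

# check_csr_cn_in_sans <csr.pem>
# Returns 0 when the CSR has no CN or its CN is listed in the SANs, 1 otherwise
# (the condition that produces cert-manager's "InvalidOrder" event).
check_csr_cn_in_sans() {
    local csr="$1" cn sans
    # Subject CN, printed RFC2253-style as "subject=CN=node[,O=...]"
    cn=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
    # SAN line from the -text dump ("DNS:localhost, IP Address:127.0.0.1, ...")
    # rewritten as one bare value per line; empty when the CSR has no SAN extension.
    sans=$(openssl req -in "$csr" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -E 's/^ *(DNS|IP Address)://')
    if [ -z "$cn" ]; then
        return 0        # no CN set: ACME imposes no constraint
    fi
    if printf '%s\n' "$sans" | grep -qxF -- "$cn"; then
        return 0
    fi
    printf 'CN "%s" is not in SANs [%s]\n' "$cn" "$(printf '%s' "$sans" | tr '\n' ' ')" >&2
    return 1
}

# make_csr <out.pem> <subject> [san-list]
# Builds a constructed sample CSR (throwaway EC P-256 key) for local testing.
make_csr() {
    local out="$1" subj="$2" san="${3:-}" key
    key=$(mktemp)
    if [ -n "$san" ]; then
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$key" -subj "$subj" -addext "subjectAltName=$san" -out "$out" 2>/dev/null
    else
        openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$key" -subj "$subj" -out "$out" 2>/dev/null
    fi
    rm -f "$key"
}

# "bash check_csr.sh demo": the two failing shapes from the issue plus the corrected one.
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_csr "$dir/root.pem"  "/CN=root"                                    # no SANs at all
    make_csr "$dir/node.pem"  "/CN=node" "DNS:localhost,IP:127.0.0.1"       # SANs lack "node"
    make_csr "$dir/fixed.pem" "/CN=node" "DNS:node,DNS:localhost,IP:127.0.0.1"
    for f in root node fixed; do
        if check_csr_cn_in_sans "$dir/$f.pem"; then echo "$f: OK"; else echo "$f: InvalidOrder"; fi
    done
    rm -rf "$dir"
fi
```

To run the same check against the CSR cert-manager actually submitted, the PEM is stored base64-encoded in the CertificateRequest's `spec.request` field (`kubectl get certificaterequest <name> -o jsonpath='{.spec.request}' | base64 -d > csr.pem`). One caveat that is mine rather than the issue's: putting the CN into the SAN list only clears the `InvalidOrder` check; a public ACME CA such as Let's Encrypt will still not issue for non-public names like "root", "node", "localhost" or `*.svc.cluster.local`, so cluster-internal certificates of this kind are normally issued by a private CA or self-signed cert-manager issuer instead.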