emberstack / kubernetes-reflector

Custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates.


Reflector changes `Subject Name` and `Subject Alternative Name` when copying to another namespace?

amosshapira opened this issue · comments

I've just tried to use the reflector for the first time.

I have a Let's Encrypt certificate generated by the cert-manager in the namespace cert-manager and used the reflector to copy the secret to all other namespaces.

When I extract the certificate from the original secret by the cert-manager, the Subject field contains the requested CN=my.domain and the Subject Alternative Names contain the expected DNS:*.my.domain, DNS:my.domain

When I extract the same certificate copied by the reflector from another namespace, the Subject field contains the name of the host which uses the wildcard (e.g. CN=x.my.domain) and the Subject Alternative Name contains only DNS:x.my.domain

The result is that I get an SSL connection to the ingress which uses the certificate (e.g. x.my.domain), but Chrome says that the connection isn't secure.

When I changed the certificate manager to put the certificate directly in the default domain and used it without the reflector, Chrome was happy with the connection and the served certificate contains the Alternative Names.

For now, I changed the certificate to be generated directly into the default namespace, where it is used as-is.

Could someone explain to me what I'm doing wrong?

Thanks.

Hi @amosshapira, reflector does NOT change the content of the certificate in any way (it doesn't even know what that secret contains), it just copies the secret. The content should be identical (compare base64 encoded values). Seems like you might have either an issue with cert-manager (it generated a certificate, updated it and didn't apply the annotations so reflector missed it). If the content is different, have a look when the change occurred and compare with the reflection timestamp on the destination secret.
Again, reflector has no logic to manipulate secrets.
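A check along the lines the reply suggests, added here as an example and not code from reflector or from either participant: it compares the decoded `data` entries of the source and reflected secrets key by key, then uses the reflection annotations on the copy to distinguish a stale copy (source renewed after the last reflection) from content that differs despite matching versions. The two secret objects, their values, and the `reflected-version`/`reflected-at` annotation names are constructed or assumed; in practice feed it the output of `kubectl get secret -o json` for both namespaces and inspect Subject/SAN with `openssl x509` separately.

```python
import base64
import hashlib
import json

# Annotation names reflector writes on a destination secret (assumed here; check
# the documentation of your reflector version for the exact keys).
REFLECTED_VERSION = "reflector.v1.k8s.emberstack.com/reflected-version"
REFLECTED_AT = "reflector.v1.k8s.emberstack.com/reflected-at"

def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

# Constructed stand-ins for `kubectl get secret -o json` output: the cert-manager
# source secret after a renewal, and a copy that was reflected before that renewal.
SOURCE_SECRET = {
    "metadata": {"name": "wildcard-tls", "namespace": "cert-manager", "resourceVersion": "1002"},
    "data": {"tls.crt": b64(b"CERT v2 CN=my.domain SAN=*.my.domain"), "tls.key": b64(b"KEY v2")},
}
REFLECTED_SECRET = {
    "metadata": {"name": "wildcard-tls", "namespace": "default", "resourceVersion": "77",
                 "annotations": {REFLECTED_VERSION: "1001", REFLECTED_AT: "2021-01-01T00:00:00Z"}},
    "data": {"tls.crt": b64(b"CERT v1 CN=x.my.domain"), "tls.key": b64(b"KEY v2")},
}

def data_digests(secret: dict) -> dict:
    """sha256 of each decoded data entry, so the differing key can be pinpointed."""
    return {k: hashlib.sha256(base64.b64decode(v)).hexdigest()
            for k, v in secret.get("data", {}).items()}

def differing_keys(source: dict, reflected: dict) -> list:
    """Keys whose decoded content differs, or is missing on either side."""
    a, b = data_digests(source), data_digests(reflected)
    return sorted(k for k in a.keys() | b.keys() if a.get(k) != b.get(k))

def reflection_is_stale(source: dict, reflected: dict) -> bool:
    """True when the copy records an older source resourceVersion than the source has now."""
    annotations = reflected["metadata"].get("annotations", {})
    return annotations.get(REFLECTED_VERSION) != source["metadata"]["resourceVersion"]

def diagnose(source: dict, reflected: dict) -> str:
    """Summarise whether the copy is identical, stale, or unexpectedly different."""
    diff = differing_keys(source, reflected)
    if not diff:
        return "identical"
    if reflection_is_stale(source, reflected):
        reflected_at = reflected["metadata"].get("annotations", {}).get(REFLECTED_AT, "?")
        return "stale copy: source changed after reflection at " + reflected_at
    return "content differs but versions match: investigate " + ", ".join(diff)

if __name__ == "__main__":
    print(json.dumps({"differing": differing_keys(SOURCE_SECRET, REFLECTED_SECRET),
                      "verdict": diagnose(SOURCE_SECRET, REFLECTED_SECRET)}, indent=2))
```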