ClusterIssuer/Issuer failed for domain > 64 char. CSR doesn't contain a SAN short enough to fit in CN

We are using jetstack/cert-manager to automate certificate management in a k8s environment.

Applying a Certificate with kubectl apply -f cert.yaml works just fine:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
spec:
  secretName: test-secret
  issuerRef:
    name: letsencrypt
    kind: Issuer

  dnsNames:
    - development.my-domain.com
    - production.my-domain.com

However, it fails when installing a Helm template:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{.Values.cert}}
spec:
  secretName: {{.Values.secret}}
  issuerRef:
    name: letsencrypt
    kind: Issuer
  dnsNames: [{{.Values.dnsNames}}]

E0129 09:57:51.911270       1 sync.go:264] cert-manager/controller/orders "msg"="failed to create Order resource due to bad request, marking Order as failed" "error"="400 urn:ietf:params:acme:error:rejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN" "resource_kind"="Order" "resource_name"="test-cert-45hgz-605454840" "resource_namespace"="default" "resource_version"="v1"

> Solution:

Try to inspect your Certificate object with kubectl -n default describe certificate test-cert and post here if you don’t find any issues with it.

Your Certificate object should look like the following:

Name:         test-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-01-28T12:25:40Z
  Generation:          4
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-01-28T12:25:40Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:lastFailureTime:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:         controller
    Operation:       Update
    Subresource:     status
    Time:            2022-01-29T09:57:51Z
  Resource Version:  344677
  Self Link:         /apis/cert-manager.io/v1/namespaces/istio-ingress/certificates/test-cert-2
  UID:               0015cc16-06c3-4e33-bb99-0f336cf7b788
Spec:
  Dns Names:
    development.my-domain.com
    production.my-domain.com
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt
  Secret Name:  test-secret

Pay closer attention to the Spec.DnsNames values. Sometimes Helm’s template engine renders it as a string instead of an array object due to misconfiguration.

Also, it’s a good practice to inspect Helm charts with helm template mychart before installing.
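To make the answer's point concrete, here is an added example (not code from the question or the answer) that renders both the template form from the question and a corrected form with Go's text/template, which is the engine underneath Helm, and then applies the rule behind the ACME error: the X.509 commonName is limited to 64 characters, so the CA needs at least one SAN short enough to copy into the CN. The values map is a constructed stand-in for a values.yaml with a dnsNames list; the Helm-specific toYaml/nindent helpers are not available in plain text/template, so the corrected template uses range, which works in both.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// maxCNLength is the X.509 upper bound on the commonName attribute
// (ub-common-name = 64, RFC 5280 Appendix A). The ACME error in the
// question is raised when no requested SAN is short enough to become the CN.
const maxCNLength = 64

// values stands in for the chart's values.yaml (constructed sample data).
var values = map[string]any{
	"Values": map[string]any{
		"cert":     "test-cert",
		"secret":   "test-secret",
		"dnsNames": []string{"development.my-domain.com", "production.my-domain.com"},
	},
}

// buggyTemplate is the form from the question: printing a Go slice inside a
// YAML flow sequence yields "[[a b]]", a list holding one nested list, not
// two separate DNS names.
const buggyTemplate = `apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{.Values.cert}}
spec:
  secretName: {{.Values.secret}}
  issuerRef:
    name: letsencrypt
    kind: Issuer
  dnsNames: [{{.Values.dnsNames}}]
`

// fixedTemplate iterates the slice so each entry becomes its own list item.
// In a Helm chart one would usually write {{ toYaml .Values.dnsNames | nindent 4 }};
// range is used here because it also runs under plain text/template.
const fixedTemplate = `apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{.Values.cert}}
spec:
  secretName: {{.Values.secret}}
  issuerRef:
    name: letsencrypt
    kind: Issuer
  dnsNames:
{{- range .Values.dnsNames}}
    - {{.}}
{{- end}}
`

// Render executes a template against the values map, as `helm template` would.
func Render(tmpl string, data map[string]any) (string, error) {
	t, err := template.New("cert").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderedDNSNamesLine returns the trimmed "dnsNames" line of a rendered
// manifest; that is where a string-versus-list rendering problem shows up.
func RenderedDNSNamesLine(manifest string) string {
	for _, line := range strings.Split(manifest, "\n") {
		if strings.Contains(line, "dnsNames") {
			return strings.TrimSpace(line)
		}
	}
	return ""
}

// CheckSANFitsCN applies the rule behind the rejectedIdentifier error: at
// least one requested name must be at most 64 characters so the CA can place
// it in the CN. It returns the first name that fits, or an error.
func CheckSANFitsCN(dnsNames []string) (string, error) {
	if len(dnsNames) == 0 {
		return "", errors.New("no dnsNames requested")
	}
	shortest := len(dnsNames[0])
	for _, name := range dnsNames {
		if len(name) <= maxCNLength {
			return name, nil
		}
		if len(name) < shortest {
			shortest = len(name)
		}
	}
	return "", fmt.Errorf("no SAN short enough (<= %d chars) to fit in CN; shortest is %d chars",
		maxCNLength, shortest)
}

func main() {
	for _, c := range []struct{ label, tmpl string }{{"buggy", buggyTemplate}, {"fixed", fixedTemplate}} {
		out, err := Render(c.tmpl, values)
		if err != nil {
			fmt.Println(c.label, "render error:", err)
			continue
		}
		fmt.Printf("--- %s ---\n%s\n", c.label, out)
	}
	// A constructed order whose only name is 74 characters long.
	_, err := CheckSANFitsCN([]string{strings.Repeat("a", 60) + ".my-domain.com"})
	fmt.Println("long-only order:", err)
}
```

Running it prints the buggy manifest with `dnsNames: [[development.my-domain.com production.my-domain.com]]` next to the corrected block-style list, which is exactly the difference the answer tells you to look for in `kubectl describe certificate`. The second check shows that even a correctly rendered list is rejected when every name exceeds 64 characters, the situation the question's title describes.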
