Bug | Resolution: Not a Bug | Normal | 4.13.0, 4.12.z | Quality / Stability / Reliability | Important | Rejected | CFE Sprint 234
Description of problem:
In cert-manager, when a Certificate resource specifies subject fields such as countries, organizations, etc., these fields do not end up in the issued certificate. By comparison, the same fields passed to the openssl tool do take effect; see the "Additional info" section below.
Version-Release number of selected component (if applicable):
Red Hat cert-manager Operator, bundle version v1.10.2-21
How reproducible:
Always
Steps to Reproduce:
1. Create an issuer:
$ cat issuer-acme-http01.yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-http01
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-http01-account-key
    solvers:
    - http01:
        ingress:
          class: openshift-default
$ oc create -f issuer-acme-http01.yaml
2. Create a certificate that specifies subject fields:
$ cat cert-test-http01.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-test-http01
spec:
  secretName: cert-test-http01
  subject:
    countries:
    - US
    localities:
    - Lehi
    organizations:
    - redhat
    organizationalUnits:
    - IT
    provinces:
    - Utah
  usages:
  - server auth
  dnsNames:
  - http01-test.apps.preserveupg.qe.devcluster.openshift.com
  issuerRef:
    name: letsencrypt-http01
$ oc create -f cert-test-http01.yaml
3. Check the certificate:
$ oc get cert
NAME               READY   SECRET             AGE
cert-test-http01   True    cert-test-http01   78s
$ oc get cert cert-test-http01 -o yaml
...
spec:
  dnsNames:
  - http01-test.apps.preserveupg.qe.devcluster.openshift.com
  issuerRef:
    name: letsencrypt-http01
  secretName: cert-test-http01
  subject:
    countries:
    - US
    localities:
    - Lehi
    organizationalUnits:
    - IT
    organizations:
    - redhat
    provinces:
    - Utah
  usages:
  - server auth
...
$ oc extract secret/cert-test-http01
tls.crt
tls.key
The issued certificate's subject does not contain the subject fields above, although they are present in the Certificate YAML.
$ openssl x509 -noout -text -in tls.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            fa:53:28:26:8c:77:66:31:76:9a:26:a3:54:9b:25:95:15:9c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3
        Validity
            Not Before: Mar 24 07:27:31 2023 GMT
            Not After : Jun 22 07:27:30 2023 GMT
        Subject: CN = http01-test.apps.preserveupg.qe.devcluster.openshift.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                3A:4B:96:B5:63:64:C5:7C:72:3D:D1:78:E4:07:EC:E8:FB:91:22:0C
            X509v3 Authority Key Identifier:
                keyid:DE:72:7A:48:DF:31:C3:A6:50:DF:9F:85:23:DF:57:37:4B:5D:2E:65
            Authority Information Access:
                OCSP - URI:http://stg-r3.o.lencr.org
                CA Issuers - URI:http://stg-r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:http01-test.apps.preserveupg.qe.devcluster.openshift.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : DD:99:34:FC:A5:E7:24:80:C9:56:68:7D:81:34:99:08:
                                49:B2:49:F7:B5:69:D8:C7:BC:AB:3F:5C:C1:F3:6E:64
                    Timestamp : Mar 24 08:27:31.751 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                ...
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : B0:CC:83:E5:A5:F9:7D:6B:AF:7C:09:CC:28:49:04:87:
                                2A:C7:E8:8B:13:2C:63:50:B7:C6:FD:26:E1:6C:6C:77
                    Timestamp : Mar 24 08:27:31.752 2023 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                ...
    Signature Algorithm: sha256WithRSAEncryption
        ...
Actual results:
As shown above, the certificate issued through cert-manager does not carry the subject fields specified when the Certificate was created, although those fields are present in the Certificate YAML.
Expected results:
The certificate issued through cert-manager should carry the subject fields specified when the Certificate was created.
Additional info:
Below is proof that the openssl tool honours these fields:
$ cat server.conf
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = http01-test.apps.preserveupg.qe.devcluster.openshift.com
$ CN_BASE=xxia-test
$ openssl genrsa -out caKey.pem 2048
$ openssl req -sha256 -x509 -new -nodes -key caKey.pem -days 100000 -out caCert.pem -subj "/CN=${CN_BASE}_ca"
$ openssl genrsa -out serverKey.pem 2048
With openssl, specify /C, /ST, /L, /O, /OU:
$ openssl req -sha256 -new -key serverKey.pem -out server.csr -subj "/C=US/ST=Utah/L=Lehi/O=redhat/OU=IT/CN=${CN_BASE}_server" -config server.conf
Generate the certificate serverCert.pem:
$ openssl x509 -sha256 -req -in server.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out serverCert.pem -days 100000 -extensions v3_req -extfile server.conf
Check the certificate; these subject fields take effect:
$ openssl x509 -noout -text -in serverCert.pem
...
Subject: C = US, ST = Utah, L = Lehi, O = redhat, OU = IT, CN = xxia-test_server
...
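The check worth running before filing this as a bug is to compare the subject that was requested with the subject in the issued certificate, which shows whether the requester (cert-manager's CSR) or the CA discarded the RDNs. The Go program below is an added example, not cert-manager's or the reporter's code: `Issue` is a hypothetical self-signing stand-in for the issuer, and its `keepOnlyCN=true` mode reproduces what a public ACME CA such as Let's Encrypt does, composing the subject itself and keeping at most the CN from the request (the local openssl CA in "Additional info" keeps everything, hence the difference).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Requested mirrors the subject block of the report's Certificate resource (constructed test data).
var Requested = pkix.Name{Country: []string{"US"}, Province: []string{"Utah"}, Locality: []string{"Lehi"},
	Organization: []string{"redhat"}, OrganizationalUnit: []string{"IT"},
	CommonName: "http01-test.apps.preserveupg.qe.devcluster.openshift.com"}

// Issue is a throwaway self-signing issuer (hypothetical stand-in for the CA; errors skipped for brevity).
// keepOnlyCN=true imitates a public ACME CA, which composes the subject itself and keeps at most the CN.
func Issue(requested pkix.Name, keepOnlyCN bool) *x509.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: requested,
		DNSNames: []string{requested.CommonName}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if keepOnlyCN {
		leaf.Subject = pkix.Name{CommonName: requested.CommonName}
	}
	der, _ := x509.CreateCertificate(rand.Reader, leaf, leaf, pub, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// DroppedSubjectFields lists RDNs present in the requested subject but missing or changed in the issued one.
func DroppedSubjectFields(w, g pkix.Name) (dropped []string) {
	for _, f := range []struct{ k string; want, got []string }{
		{"C", w.Country, g.Country}, {"ST", w.Province, g.Province}, {"L", w.Locality, g.Locality},
		{"O", w.Organization, g.Organization}, {"OU", w.OrganizationalUnit, g.OrganizationalUnit},
		{"CN", []string{w.CommonName}, []string{g.CommonName}}} {
		if len(f.want) > 0 && fmt.Sprint(f.want) != fmt.Sprint(f.got) {
			dropped = append(dropped, f.k)
		}
	}
	return dropped
}

func main() {
	for _, onlyCN := range []bool{false, true} {
		cert := Issue(Requested, onlyCN)
		fmt.Printf("issuer keeps only CN=%v: subject %s, dropped %v\n", onlyCN, cert.Subject, DroppedSubjectFields(Requested, cert.Subject))
	}
}
```

Applied to a real case, the requested subject comes from the CSR cert-manager submitted and the issued one from tls.crt; an empty list from the CN-only issuer would point at the requester, a non-empty one at the CA.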