Bug
Resolution: Done
4.13.z
Quality / Stability / Reliability
CFE Sprint 254
Description of problem:
Cert-manager fails to parse certificates carrying certain certificate policies extensions:

$ omc logs -n openshift-cert-manager cert-manager-5bc4bc88f9-8r9kj|less
<...>
2023-10-06T09:46:35.313929210Z I1006 09:46:35.313903 1 sync.go:60] cert-manager/issuers "msg"="Error initializing issuer: Get \"https://<issuer_endpoint>/pgwy/acme/servercert\": tls: failed to parse certificate from server: x509: invalid certificate policies" "resource_kind"="Issuer" "resource_name"="<redacted>" "resource_namespace"="<redacted>" "resource_version"="v1"

This occurs when registering an account [1] and seems related to the way crypto/x509 parses certificate policies [2].

[1] https://github.com/cert-manager/cert-manager/blob/b53527eb787c508a2dc0a27853cd4eb4b138faf6/pkg/issuer/acme/setup.go#L258-L265
[2] https://github.com/golang/go/issues/60665
Version-Release number of selected component (if applicable):
v1.7.1
How reproducible:
100% with certain certificate policies
Steps to Reproduce:
1. openssl parses the cert correctly:
$ cat <<EOF| openssl x509 -ext certificatePolicies -subject -noout
-----BEGIN CERTIFICATE-----
<cert>
-----END CERTIFICATE-----
EOF
X509v3 Certificate Policies:
<policy_output>
subject=C = <subj>, O = <org>, CN = <cn>
2. An example golang snippet fails to parse the same certificate:
$ cat list_cert_extensions.go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"io"
	"os"
)

// Reads one PEM certificate from stdin and prints the OID of each extension,
// or the error crypto/x509 returns while parsing it.
func main() {
	input, err := io.ReadAll(os.Stdin)
	if err != nil {
		fmt.Fprintln(os.Stderr, "read stdin:", err)
		os.Exit(1)
	}
	block, _ := pem.Decode(input)
	if block == nil {
		fmt.Fprintln(os.Stderr, "no PEM block found on stdin")
		os.Exit(1)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		fmt.Println(err) // for the certificate above: x509: invalid certificate policies
		return
	}
	for _, e := range cert.Extensions {
		fmt.Println(e.Id)
	}
}
$ go run list_cert_extensions.go <<EOF
-----BEGIN CERTIFICATE-----
<same_cert_as_above>
-----END CERTIFICATE-----
EOF
x509: invalid certificate policies
Actual results:
Expected results:
Additional info: