Cert manager raises "Certificate will be issued with an empty Issuer DN" warning #5257

Closed
fabriziopandini opened this issue Sep 16, 2021 · 2 comments · Fixed by #5387
Labels
kind/bug Categorizes issue or PR as related to a bug. kind/release-blocking Issues or PRs that need to be closed before the next CAPI release

Comments

@fabriziopandini
Member

While debugging 5248 with tilt I noticed the following events generated by cert-manager:

[K8s EVENT: CertificateRequest capi-kubeadm-bootstrap-serving-cert-ffg5p (ns: capi-kubeadm-bootstrap-system)] Certificate will be issued with an empty Issuer DN, which contravenes RFC 5280 and could break some strict clients
[K8s EVENT: CertificateRequest capd-serving-cert-wbgbj (ns: capd-system)] Certificate will be issued with an empty Issuer DN, which contravenes RFC 5280 and could break some strict clients
[K8s EVENT: CertificateRequest capi-serving-cert-mn8zx (ns: capi-system)] Certificate will be issued with an empty Issuer DN, which contravenes RFC 5280 and could break some strict clients
[K8s EVENT: CertificateRequest capi-kubeadm-control-plane-serving-cert-pvh4v (ns: capi-kubeadm-control-plane-system)] Certificate will be issued with an empty Issuer DN, which contravenes RFC 5280 and could break some strict clients

Digging a little bit, those warnings were added by cert-manager/cert-manager#3760, and the explanation of the underlying problem can be found in https://cert-manager.io/docs/configuration/selfsigned/#certificate-validity

According to the above doc, a possible solution could be to add

  subject:
    organizations:
      - cluster-api

to our certificates

/kind bug

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 16, 2021
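
Added example, not part of the original issue and not cluster-api or cert-manager code: a Go program showing why a self-signed certificate with no subject carries an empty Issuer DN, and that setting an organization (the `subject.organizations` change proposed above) makes it non-empty. The names `selfSign` and `hasEmptyIssuerDN` and the SAN value are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSign mimics self-signed issuance: the certificate is its own parent,
// so the Issuer DN is a copy of the Subject DN. orgs may be empty.
func selfSign(orgs ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: orgs},
		DNSNames:     []string{"webhook-service.example.svc"}, // constructed SAN
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasEmptyIssuerDN reports whether the issuer Name has no RDNs at all.
// In DER an empty Name is exactly the two-byte empty SEQUENCE 30 00.
func hasEmptyIssuerDN(cert *x509.Certificate) bool {
	return bytes.Equal(cert.RawIssuer, []byte{0x30, 0x00})
}

func main() {
	for _, orgs := range [][]string{nil, {"cluster-api"}} {
		cert, err := selfSign(orgs...)
		if err != nil {
			panic(err)
		}
		fmt.Printf("orgs=%v issuer=%q emptyIssuerDN=%v\n", orgs, cert.Issuer.String(), hasEmptyIssuerDN(cert))
	}
}
```

The same `hasEmptyIssuerDN` check can be run against a certificate parsed from a serving-cert Secret to confirm that the fix took effect after reissuance.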
@ykakarap
Contributor

/assign

@vincepri
Member

/milestone v1.0
/kind release-blocking

@k8s-ci-robot k8s-ci-robot added this to the v1.0 milestone Sep 30, 2021
@k8s-ci-robot k8s-ci-robot added the kind/release-blocking Issues or PRs that need to be closed before the next CAPI release label Sep 30, 2021