ClusterIssuer/Issuer failed for domain > 64 char. CSR doesn't contain a SAN short enough to fit in CN

1/29/2022

We are using jetstack/cert-manager to automate certificate management in a k8s environment.

Applying a Certificate with kubectl apply -f cert.yaml works just fine:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert
spec:
  secretName: test-secret
  issuerRef:
    name: letsencrypt
    kind: Issuer

  dnsNames:
    - development.my-domain.com
    - production.my-domain.com

However, it fails when installing a Helm template:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{.Values.cert}}
spec:
  secretName: {{.Values.secret}}
  issuerRef:
    name: letsencrypt
    kind: Issuer
  dnsNames: [{{.Values.dnsNames}}]

E0129 09:57:51.911270       1 sync.go:264] cert-manager/controller/orders "msg"="failed to create Order resource due to bad request, marking Order as failed" "error"="400 urn:ietf:params:acme:error:rejectedIdentifier: NewOrder request did not include a SAN short enough to fit in CN" "resource_kind"="Order" "resource_name"="test-cert-45hgz-605454840" "resource_namespace"="default" "resource_version"="v1"
-- Little baby
cert-manager
kubernetes
lets-encrypt
ssl

1 Answer

1/29/2022

Try to inspect your Certificate object with kubectl -n default describe certificate test-cert and post it here if you don't find any issues with it.

Your Certificate object should look like the following:

Name:         test-cert
Namespace:    default
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
  Creation Timestamp:  2022-01-28T12:25:40Z
  Generation:          4
  Managed Fields:
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .:
          f:kubectl.kubernetes.io/last-applied-configuration:
      f:spec:
        .:
        f:dnsNames:
        f:issuerRef:
          .:
          f:kind:
          f:name:
        f:secretName:
    Manager:      kubectl-client-side-apply
    Operation:    Update
    Time:         2022-01-28T12:25:40Z
    API Version:  cert-manager.io/v1
    Fields Type:  FieldsV1
    fieldsV1:
      f:status:
        .:
        f:conditions:
        f:lastFailureTime:
        f:notAfter:
        f:notBefore:
        f:renewalTime:
        f:revision:
    Manager:         controller
    Operation:       Update
    Subresource:     status
    Time:            2022-01-29T09:57:51Z
  Resource Version:  344677
  Self Link:         /apis/cert-manager.io/v1/namespaces/istio-ingress/certificates/test-cert-2
  UID:               0015cc16-06c3-4e33-bb99-0f336cf7b788
Spec:
  Dns Names:
    development.my-domain.com
    production.my-domain.com
  Issuer Ref:
    Kind:       Issuer
    Name:       letsencrypt
  Secret Name:  test-secret

Pay closer attention to the Spec.DnsNames values. Sometimes Helm's template engine renders it as a string instead of an array object due to misconfiguration.

Also, it's good practice to inspect Helm charts with helm template mychart before installing.

-- Vasyl Herman
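The rendering problem the answer points at, as an added example that is not part of the original question or answer and is not cert-manager's or Helm's code: it uses Go's text/template (the engine Helm is built on) to render the question's `dnsNames: [{{.Values.dnsNames}}]` line next to a version that ranges over the list, then applies the rule behind the Let's Encrypt error, namely that at least one requested name must be at most 64 characters (RFC 5280's commonName limit) so it can be copied into the CN. The two domain names, the render/parseDNSNames/checkCNFit function names and the minimal dnsNames extractor are all constructed for this example; a real chart would normally write the list as `{{ toYaml .Values.dnsNames | nindent 4 }}`, which plain text/template does not provide.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// maxCNLength is RFC 5280's ub-common-name (64). Let's Encrypt copies one of
// the requested SANs into the certificate's CN, so an order in which every
// name is longer than this gets the rejectedIdentifier error from the log.
const maxCNLength = 64

// brokenTmpl is the dnsNames line from the question's chart: the whole value
// is interpolated as one scalar inside a YAML flow sequence.
const brokenTmpl = "dnsNames: [{{ .Values.dnsNames }}]"

// fixedTmpl ranges over the list so each entry becomes its own YAML item.
// Helm charts usually write {{ toYaml .Values.dnsNames | nindent 4 }} here;
// toYaml is a Helm function that plain text/template does not provide.
const fixedTmpl = "dnsNames:\n{{- range .Values.dnsNames }}\n  - {{ . }}\n{{- end }}"

// render executes tmpl with .Values bound to values, which is how Helm (built
// on text/template) executes a chart template.
func render(tmpl string, values map[string]interface{}) (string, error) {
	t, err := template.New("cert").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	if err := t.Execute(&out, map[string]interface{}{"Values": values}); err != nil {
		return "", err
	}
	return out.String(), nil
}

// parseDNSNames pulls the dnsNames list out of a rendered fragment. It is a
// deliberately small stand-in for a YAML parser (constructed for this example)
// that understands only the two shapes the templates above produce: a flow
// sequence "dnsNames: [a, b]" and a block sequence of "  - a" lines.
func parseDNSNames(rendered string) []string {
	var names []string
	for _, line := range strings.Split(rendered, "\n") {
		trimmed := strings.TrimSpace(line)
		switch {
		case strings.HasPrefix(trimmed, "dnsNames:"):
			rest := strings.TrimSpace(strings.TrimPrefix(trimmed, "dnsNames:"))
			if strings.HasPrefix(rest, "[") && strings.HasSuffix(rest, "]") {
				// Only commas separate flow items; a list printed by the
				// template as "[a b]" therefore stays one scalar, brackets included.
				for _, item := range strings.Split(rest[1:len(rest)-1], ",") {
					names = append(names, strings.TrimSpace(item))
				}
			}
		case strings.HasPrefix(trimmed, "- "):
			names = append(names, strings.TrimSpace(trimmed[2:]))
		}
	}
	return names
}

// checkCNFit applies the rule behind the error in the question: at least one
// requested name must be short enough to be used as the CN.
func checkCNFit(dnsNames []string) error {
	if len(dnsNames) == 0 {
		return errors.New("certificate has no dnsNames")
	}
	for _, n := range dnsNames {
		if len(n) <= maxCNLength {
			return nil
		}
	}
	return fmt.Errorf("none of the %d dnsNames is <= %d chars: NewOrder would be rejected with rejectedIdentifier", len(dnsNames), maxCNLength)
}

func main() {
	// Constructed values: each name fits in CN on its own (40 and 39 chars),
	// but the broken template fuses them into one 82-character scalar.
	values := map[string]interface{}{"dnsNames": []interface{}{
		"development.internal.example-company.com",
		"production.internal.example-company.com",
	}}
	for _, c := range []struct{ label, tmpl string }{{"broken", brokenTmpl}, {"fixed", fixedTmpl}} {
		rendered, err := render(c.tmpl, values)
		if err != nil {
			fmt.Println(c.label, "render error:", err)
			continue
		}
		names := parseDNSNames(rendered)
		fmt.Printf("%s template rendered:\n%s\nparsed dnsNames: %q\nACME check: %v\n\n", c.label, rendered, names, checkCNFit(names))
	}
}
```

Running it with `go run` prints both renderings: the broken template yields a single 82-character "name" wrapped in brackets, which fails the CN check exactly as the Order in the question did, while the ranged template yields two separate entries that pass. The same inspection can be done on a real chart by looking at the Spec.DnsNames block in the `kubectl describe certificate` output or in `helm template` output before installing.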
Source: StackOverflow