L1miter
Hello, I'm having trouble getting the new cert-manager ClusterIssuer to work. I only need it for local purposes, and since it doesn't have an option to use certificates from TrueNAS (which are deprecated and don't work for me anyway), I tried installing an ACME server on another machine. It seems to be working because when I run the following command:
Code:
curl https://ca.anonhop.local:8443/acme/acme/directory
I get a response like this:
Code:
{
  "newNonce": "https://ca.anonhop.local:8443/acme/acme/new-nonce",
  "newAccount": "https://ca.anonhop.local:8443/acme/acme/new-account",
  "newOrder": "https://ca.anonhop.local:8443/acme/acme/new-order",
  "revokeCert": "https://ca.anonhop.local:8443/acme/acme/revoke-cert",
  "keyChange": "https://ca.anonhop.local:8443/acme/acme/key-change"
}
So, it seems that step-ca is working correctly. However, when I input this address into ClusterIssuer in cert-manager, I get the following error in the logs:
Code:
2023-10-29 22:35:37.828592+00:00 E1029 22:35:37.828560 1 controller.go:167] "cert-manager/clusterissuers: re-queuing item due to error processing" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" key="ca-local"
2023-10-29 22:40:37.830417+00:00 I1029 22:40:37.830322 1 setup.go:225] "cert-manager/clusterissuers: ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" resource_name="ca-local" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="ca-local-acme-clusterissuer-account-key" related_resource_namespace="ix-cert-manager" related_resource_kind="Secret"
2023-10-29 22:40:37.835875+00:00 E1029 22:40:37.835837 1 setup.go:265] "cert-manager/clusterissuers: failed to register an ACME account" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" resource_name="ca-local" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="ca-local-acme-clusterissuer-account-key" related_resource_namespace="ix-cert-manager" related_resource_kind="Secret"
2023-10-29 22:40:37.835890+00:00 E1029 22:40:37.835853 1 sync.go:62] "cert-manager/clusterissuers: error setting up issuer" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" resource_name="ca-local" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1"
2023-10-29 22:40:37.835917+00:00 E1029 22:40:37.835882 1 controller.go:167] "cert-manager/clusterissuers: re-queuing item due to error processing" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" key="ca-local"
From what I understand, this error occurs because cert-manager does not recognize the CA. I'm not sure how to add the CA so that it can recognize it or make it ignore CA errors. I would greatly appreciate some assistance or guidance on where to look for a solution.
I also have the Root CA from the ACME server added as trusted for TrueNAS Scale.
Running: TrueNAS Scale 22.12.4.2
CPU: Ryzen 9 7950X 8 cores
RAM: 24GB
Storage: 1x SSD 60GB, 2x HDD 4TB
Running as Proxmox VM
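Added example, not part of the original post and not cert-manager's own code: a small Go program that reproduces the `x509: certificate signed by unknown authority` error from the logs above and shows that it depends on the root pool the client process itself is given. The names `fetchDirectory`, `isUnknownAuthority` and `newPrivateCAServer` are illustrative, and the local test server is a constructed stand-in for the step-ca directory endpoint.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// fetchDirectory GETs an ACME directory URL, trusting only the CAs in roots.
// A nil error means the server's chain verified against that pool.
func fetchDirectory(url string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}

// isUnknownAuthority reports whether err is the x509 failure seen in the logs.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// newPrivateCAServer starts a constructed stand-in for the ACME directory:
// a local HTTPS server whose certificate was not issued by any public CA.
func newPrivateCAServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, `{"newNonce": "constructed-sample"}`)
	}))
}

func main() {
	srv := newPrivateCAServer()
	defer srv.Close()

	empty := x509.NewCertPool() // a trust store that lacks the private CA
	fmt.Println("without CA:", fetchDirectory(srv.URL, empty))

	withCA := x509.NewCertPool()
	withCA.AddCert(srv.Certificate()) // the test server's self-signed cert acts as its own root
	fmt.Println("with CA:   ", fetchDirectory(srv.URL, withCA))
}
```

Calling `fetchDirectory` with the real directory URL and a pool loaded from the step-ca root certificate PEM performs the same check against the live server.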