Cert-manager/ClusterIssuer local certificate authority

L1miter

Cadet
Joined
Oct 29, 2023
Messages
3
Hello, I'm having trouble getting the new cert-manager ClusterIssuer to work. I only need it for local purposes, and since it doesn't have an option to use certificates from Truenas (which are deprecated and don't work for me anyway), I tried installing an ACME server on another machine. It seems to be working because when I run the following command: curl https://ca.anonhop.local:8443/acme/acme/directory
I get a response like this:
Code:
{
  "newNonce": "https://ca.anonhop.local:8443/acme/acme/new-nonce",
  "newAccount": "https://ca.anonhop.local:8443/acme/acme/new-account",
  "newOrder": "https://ca.anonhop.local:8443/acme/acme/new-order",
  "revokeCert": "https://ca.anonhop.local:8443/acme/acme/revoke-cert",
  "keyChange": "https://ca.anonhop.local:8443/acme/acme/key-change"
}

So, it seems that step-ca is working correctly. However, when I input this address into ClusterIssuer in cert-manager, I get the following error in the logs:
Code:
2023-10-29 22:35:37.828592+00:00 E1029 22:35:37.828560       1 controller.go:167] "cert-manager/clusterissuers: re-queuing item due to error processing" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" key="ca-local"
2023-10-29 22:40:37.830417+00:00 I1029 22:40:37.830322       1 setup.go:225] "cert-manager/clusterissuers: ACME server URL host and ACME private key registration host differ. Re-checking ACME account registration" resource_name="ca-local" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="ca-local-acme-clusterissuer-account-key" related_resource_namespace="ix-cert-manager" related_resource_kind="Secret"
2023-10-29 22:40:37.835875+00:00 E1029 22:40:37.835837       1 setup.go:265] "cert-manager/clusterissuers: failed to register an ACME account" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" resource_name="ca-local" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1" related_resource_name="ca-local-acme-clusterissuer-account-key" related_resource_namespace="ix-cert-manager" related_resource_kind="Secret"
2023-10-29 22:40:37.835890+00:00 E1029 22:40:37.835853       1 sync.go:62] "cert-manager/clusterissuers: error setting up issuer" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" resource_name="ca-local" resource_namespace="" resource_kind="ClusterIssuer" resource_version="v1"
2023-10-29 22:40:37.835917+00:00 E1029 22:40:37.835882       1 controller.go:167] "cert-manager/clusterissuers: re-queuing item due to error processing" err="Get \"https://ca.anonhop.local:8443/acme/acme/directory\": tls: failed to verify certificate: x509: certificate signed by unknown authority" key="ca-local"

From what I understand, this error occurs because cert-manager does not recognize the CA. I'm not sure how to add the CA so that it can recognize it or make it ignore CA errors. I would greatly appreciate some assistance or guidance on where to look for a solution.
I also have the Root CA from the ACME server added as trusted for Truenas scale.

Running: TrueNAS Scale 22.12.4.2
CPU: Ryzen 9 7950X 8 cores
RAM: 24GB
Storage: 1x SSD 60GB, 2x HDD 4TB
Running as Proxmox VM
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
While I'm also interested in this, this forum isn't the support channel for any TrueCharts apps. Check their website instead (truecharts.org), and their Discord server.
 

maainux

Cadet
Joined
Mar 22, 2024
Messages
1
Well, if I manage to figure this out I'll post the answer here too.
Did you manage to find a solution? I am trying this approach as well but can't even get the clusterissuer installed with stepca ACME config. Did you use ACME DNS challenge? It will also help if you can share your current configuration.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The error in the OP is (or appears to be) because the local CA's root certificate isn't trusted by your NAS (or, more precisely, by Cluster Issuer). And I think the way to fix that has something to do with the "Trusted CABundle" field, but I'm not sure how that should be completed. Here are my settings:
[screenshot: 1711194227804.png]

...and I've pasted the root cert into the "Trusted CABundle" field. But that gives this error:
[screenshot: 1711194298681.png]

If I clear out the Trusted CABundle, I'm able to update the app without an error. But it doesn't appear to actually issue the cert, which doesn't surprise me.
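On the underlying cert-manager resource, the setting that corresponds to what the first post and danb35's reply are both after is `spec.acme.caBundle` on the ClusterIssuer: a base64-encoded PEM bundle that cert-manager uses to verify the ACME server's TLS chain instead of the system trust store (which is why the NAS trusting the root is not enough on its own). The script below is an added example, not from this thread, from TrueCharts or from the cert-manager project; it assumes the step-ca root certificate is available as a PEM file, uses the directory URL from the first post, and makes up the email, secret name and an HTTP-01/nginx solver as placeholders (the thread does not say which challenge type was used). How the TrueCharts "Trusted CABundle" form field maps onto this field is not confirmed by the thread, so the example works on the raw resource.

```shell
#!/bin/sh
# Added example: build a cert-manager ClusterIssuer that trusts a private
# ACME CA (e.g. step-ca) through spec.acme.caBundle, and check the root CA
# against the ACME directory the same way cert-manager will.

# Base64-encode a PEM file into a single line, which is what caBundle expects.
pem_to_bundle() {
  base64 < "$1" | tr -d '\n'
}

# Sanity check before touching Kubernetes: if this curl fails with an
# "unknown authority" error, the PEM is not the root that signed the ACME
# server's chain, and caBundle will fail the same way.
#   $1 = path to root CA PEM, $2 = ACME directory URL
check_acme_trust() {
  curl --silent --show-error --fail --cacert "$1" "$2" > /dev/null
}

# Print a ClusterIssuer manifest on stdout.
#   $1 = issuer name, $2 = ACME directory URL,
#   $3 = path to root CA PEM, $4 = contact email (placeholder)
make_clusterissuer() {
  bundle=$(pem_to_bundle "$3")
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: $1
spec:
  acme:
    server: $2
    email: $4
    # Base64-encoded PEM used to verify the ACME server's TLS certificate.
    caBundle: $bundle
    privateKeySecretRef:
      name: $1-acme-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
EOF
}

# Pull the caBundle value back out of a manifest read on stdin
# (used to confirm the encoded bundle round-trips to the original PEM).
extract_bundle() {
  sed -n 's/^    caBundle: //p'
}

# Typical use (not run here):
#   check_acme_trust root_ca.pem https://ca.anonhop.local:8443/acme/acme/directory \
#     && make_clusterissuer ca-local https://ca.anonhop.local:8443/acme/acme/directory \
#          root_ca.pem admin@example.invalid | kubectl apply -f -
```

After applying, `kubectl describe clusterissuer ca-local` should show the ACME account registered instead of the "certificate signed by unknown authority" error from the log above. cert-manager also has `spec.acme.skipTLSVerify`, which would make the error go away, but it disables verification of the ACME server entirely, so the bundle route is the one to use even on a purely local network.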
 

L1miter

Cadet
Joined
Oct 29, 2023
Messages
3
Did you manage to find a solution? I am trying this approach as well but can't even get the clusterissuer installed with stepca ACME config. Did you use ACME DNS challenge? It will also help if you can share your current configuration.
I haven't been able to figure out this issue after my first post. I managed to get the deprecated certificates to work, but in the newer versions, I think it's removed now.

I don't use TrueNAS for this anymore. After I got myself a domain I've moved most of my self-hosted apps to a VM with Docker installed. That's also where I run a reverse proxy and manage certificates from Let's Encrypt using Nginx Proxy Manager. I'm also looking into making Traefik work for other reasons.

I was forced to move most of my self-hosted apps to a VM because TrueNAS crashed in such a way that it brought down my whole network. I don't know what happened. I had to reinstall TrueNAS after that, and now I only use it for cloud storage primarily.
 