General description

We have set up private ACME authority to issue certificates signed with our internal root certificate. Root certificate is added to system keystore, so commands like curl https://our.internal.domain work correctly on k8s host machine & all workers.

However, we are not able to use that ACME server with cert-manager: it simply does not know about our root.

Events:
  Type     Reason                Age              From          Message
  ----     ------                ----             ----          -------
  Warning  ErrVerifyACMEAccount  4s (x2 over 4s)  cert-manager  Failed to verify ACME account: Get https://our.internal.ca/acme/directory: x509: certificate signed by unknown authority
  Warning  ErrInitIssuer         4s (x2 over 4s)  cert-manager  Error initializing issuer: Get https://our.internal.ca/acme/directory: x509: certificate signed by unknown authority

This is pretty reasonable and is expected to happen.

Proposed solution

It seems that currently it's not possible to add custom trusted root certificate. Or at least it is not well-documented.

Ideally, there should be a way to specify root certificate along with issuer definition, like:

spec:
  acme:
    server: https://our.internal.ca/acme/directory
    rootCertificate: <reference either to configmap, secret, or just PEM encoded string>

However, adding root certificate cluster-wide is perfectly OK, I think.

Alternatives
None, really. Let's Encrypt won't issue certs for domains that don't even exist in public network :)

I have not tried to patch Docker images yet, but this seems to be most feasible way to solve this issue temporarily.

Specifying http:// instead of https:// (all in all, it's trusted network) as a workaround does not work either -- ACME client ignores protocol.

Environment details:

• Self-hosted Kubernetes 1.15.0
• cert-manager v0.11.0 installed by static manifests