DC field not supported in literalSubject field #5582

@SpectralHiss

Description

Describe the bug:
When using the literalSubject in a Certificate like the following:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: test-cert-subject
spec:
  secretName: test
  literalSubject: "DC=admin,DC=SENSITIVE,DC=co,DC=uk,OU=SM,OU=SENSITIVE,OU=SIPlatform,OU=NIX,OU=Servers,CN=SENSITIVE"
  dnsNames:
  - si-int7obgetccv1.nbsdev.co.uk
  duration: 2880h0m0s
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: vault-issuer
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    rotationPolicy: Always
    size: 4096
  renewBefore: 720h0m0s
  usages:
  - server auth
  - client auth

We get admission errors like:

oc apply -f cert-subject.yaml

Error from server (NotAcceptable): error when creating "cert-subject.yaml": admission webhook "webhook.cert-manager.io" denied the request: [spec.literalSubject: Invalid value: "DC=admin,DC=nbsnet,DC=co,DC=uk,OU=SM,OU=OpenShift,OU=REDACTED,OU=NIX,OU=Servers,CN=REDACTED": Literal subject contains unrecognized key with value [uk], spec.literalSubject: Invalid value: "DC=admin,DC=nbsnet,DC=co,DC=uk,OU=SM,OU=OpenShift,OU=REDACTED,OU=NIX,OU=Servers,CN=REDACTED": Literal subject contains unrecognized key with value [co], spec.literalSubject: Invalid value: "DC=admin,DC=nbsnet,DC=co,DC=uk,OU=SM,OU=OpenShift,OU=REDACTED,OU=NIX,OU=Servers,CN=REDACTED: Literal subject contains unrecognized key with value [nbsnet], spec.literalSubject: Invalid value: "DC=admin,DC=nbsnet,DC=co,DC=uk,OU=SM,OU=OpenShift,OU=REDACTED,OU=NIX,OU=Servers,CN=rEDACTED": Literal subject contains unrecognized key with value [admin]]

Essentially, all DC keys seem to trip up the validating webhook.

Expected behaviour:

We expect this certificate to be created as is.

Steps to reproduce the bug:
Install v1.9.1 and enable the LiteralSubject feature flag on both the deployment and the webhook. Then use a certificate containing DC alongside the CN somewhere in literalSubject.

Environment details:

  • Cloud-provider/provisioner: openshift
  • cert-manager version: v1.9.1
    /kind bug
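To make the failure mode concrete, here is an added illustration of the kind of check a literalSubject validating webhook performs; it is not cert-manager's own code, and the recognized-key set and function names are assumptions. It splits the DN into key/value RDNs and reports every value whose attribute type is missing from an allow-list: without DC in the list, each DC component from the issue is flagged exactly as in the webhook error, and with DC added the same subject passes.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute types this (hypothetical) validator accepts. DC is included;
// the issue reports a cert-manager version whose webhook rejected it.
var recognizedKeys = map[string]bool{
	"CN": true, "C": true, "L": true, "ST": true, "O": true, "OU": true,
	"STREET": true, "SERIALNUMBER": true, "DC": true,
}

type RDN struct{ Key, Value string } // one RDN component, e.g. DC=admin

// parseLiteralSubject splits a DN string into RDNs. Assumption: the simple
// comma-separated form used in the issue, with no escaped commas.
func parseLiteralSubject(s string) ([]RDN, error) {
	var rdns []RDN
	for _, part := range strings.Split(s, ",") {
		k, v, ok := strings.Cut(part, "=")
		k = strings.ToUpper(strings.TrimSpace(k))
		if !ok || k == "" {
			return nil, fmt.Errorf("malformed RDN %q", part)
		}
		rdns = append(rdns, RDN{k, strings.TrimSpace(v)})
	}
	return rdns, nil
}

// unrecognizedValues returns the values whose key is not in allowed, which is
// what the webhook reports as "unrecognized key with value [...]".
func unrecognizedValues(s string, allowed map[string]bool) ([]string, error) {
	rdns, err := parseLiteralSubject(s)
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, r := range rdns {
		if !allowed[r.Key] {
			bad = append(bad, r.Value)
		}
	}
	return bad, nil
}

func main() {
	bad, _ := unrecognizedValues("DC=admin,DC=co,OU=SM,CN=x", map[string]bool{"CN": true, "OU": true})
	fmt.Println(bad) // [admin co]
}
```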

Labels: good first issue, kind/bug, priority/important-soon