cert-sync does not work with a cert issued by integrate CA #155

Open
endapril opened this issue Feb 18, 2021 · 11 comments
Labels: bug (Something isn't working)

Comments

@endapril

When I try to sync a certificate from Azure Key Vault, if the cert is a self-signed cert, it works properly as expected.
But when I try syncing a certificate whose authority is an integrated CA (Microsoft OneCertV2-PublicCA in my case), it does generate a TLS secret, but the cert does not contain the right serial number or the correct issuer.

Could you please help?

@endapril
Author

endapril commented Feb 18, 2021

Below is the cert I am trying to sync:
[image: screenshot of the certificate]

And this is my cert-sync yaml:

```yaml
apiVersion: spv.no/v1
kind: AzureKeyVaultSecret
metadata:
  name: cert-sync
  namespace: default
spec:
  vault:
    name: rduimiddlewaretestkv
    object:
      name: middleware-ppe-ssl-cert
      type: certificate
  output:
    secret:
      name: middleware-ppe-ssl-cert
      type: kubernetes.io/tls
```

@torresdal
Collaborator

Hmmm... Must admit we haven't tested this with an integrated CA and don't have one available. Are there any errors you can see in the controller log which might help us to know what's going on?

@kristeey kristeey added the bug Something isn't working label Aug 26, 2021
@kbujanecki-dt

Same issue with Let's Encrypt.
Log from the nginx ingress controller:
W0826 13:53:50.695301 6 backend_ssl.go:46] Error obtaining X.509 certificate: unexpected error creating SSL Cert: certificate and private key does not have a matching public key: tls: private key does not match public key

@caseyzhang123

Same issue here:

Created an SSL cert in Key Vault using the Microsoft OneCertV2-PublicCA:
[image: w4-cl-sync-test-ssl-cert]

However, the cert synced to Kubernetes is what seems to be the DigiCert root certificate:
[image: DigiCert]

It is preventing us from using akv2k8s as we cannot get the right ssl cert synced, and thus cannot properly set up tls.

@pavel-sha

Yes, my situation is similar. A truly self-signed certificate works, but an Azure wildcard certificate for a domain does not work that way. I created a wildcard certificate in openwork. Synchronized with the key vault, a secret is automatically created there. All checkboxes are green, everything is ok! This secret is created in AKS in the corresponding namespace as a secret of type kubernetes.io/tls (using akv2k8s). Synchronization occurs, everything is ok. I see the crt and key. I attach this secret to the ingress in the rules and tls section for the host (hostname with the appropriate name for the domain), and it writes that fake certificate and substitutes the default “Acme Co, Kubernetes Ingress Controller Fake Certificate”; in the ingress logs: “Error getting Ssl certificate, local ssl certificate not found. Using default certificate.” What should I do? Why does it not work?

@KrzychuR

Same case as described by @pavel-sha, I was hoping to use this tool :(

@jerry-santana

I faced the same issue with Azure KeyVault and OneCertV2-PublicCA.

Honestly, I didn't want to spend a lot of time on this and I ended up just doing the classic approach, which is very simple:

  1. Download PFX from KeyVault
  2. Generate CRT
  3. Generate KEY
  4. Create AKS Secret of type kubernetes.io/tls
  5. Use that secret in the Ingress yaml

I know this is not fixing the original issue with akv2k8s but it's an alternative which only takes 1 minute to complete.

I hope it helps.

@KrzychuR

KrzychuR commented May 22, 2023

@jerry-santana I've decided to just create a script using Azure CLI to automate the steps you mentioned above. Then we have a simple scheduler, once per day, to sync K8s secrets with Key Vault certs. Quite simple, there is no need to use any complex solutions (if you want to just sync certificates).

@jerry-santana

@KrzychuR I tried to do the same but unfortunately it didn't work.

Did you use Workload Identity to authenticate to Key Vault, or was it Pod Identity?

@KrzychuR

@jerry-santana An Azure DevOps pipeline (just like a regular build) running the script, so everything is in place: Key Vault authentication and also access to AKS.

@venkat-microsoft

https://akv2k8s.io/reference/azure-key-vault-secret/#chain-order solves the issue with Microsoft OneCertV2-PublicCA certs.
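The two symptoms reported in this thread, a DigiCert root showing up as the synced certificate and nginx rejecting the secret with "tls: private key does not match public key", are both what you see when the first certificate in tls.crt is not the one the private key belongs to, which is the ordering the chain-order setting linked above addresses. The Go program below is an added example, not akv2k8s code: VerifySyncedSecret reproduces the check nginx ingress applies to a kubernetes.io/tls secret (crypto/tls's X509KeyPair is where that exact error text comes from), and OrderLeafFirst rewrites a PEM bundle so the key-matching leaf comes first, followed by its issuers. The root CA, the wildcard leaf *.example.test and the EC key are all constructed inside the program for the demonstration; a real Key Vault export would be substituted for them.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// VerifySyncedSecret applies the check the nginx ingress controller runs on a
// kubernetes.io/tls secret: the first certificate in tls.crt must pair with tls.key.
func VerifySyncedSecret(tlsCrt, tlsKey []byte) error {
	_, err := tls.X509KeyPair(tlsCrt, tlsKey)
	return err
}

func encodePEM(typ string, der []byte) []byte {
	return pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der})
}
// OrderLeafFirst rewrites a PEM bundle leaf-first: the key-matching certificate,
// then each issuer up to the root. Certificates off that path are dropped.
func OrderLeafFirst(bundlePEM, keyPEM []byte) ([]byte, error) {
	var leaf *x509.Certificate   // the certificate whose public key pairs with keyPEM
	var rest []*x509.Certificate // everything else: candidates for the issuer walk
	for b, r := pem.Decode(bundlePEM); b != nil; b, r = pem.Decode(r) {
		if b.Type != "CERTIFICATE" {
			continue // a PFX-derived bundle may also carry the key block
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		if leaf == nil && VerifySyncedSecret(encodePEM("CERTIFICATE", c.Raw), keyPEM) == nil {
			leaf = c
		} else {
			rest = append(rest, c)
		}
	}
	if leaf == nil {
		return nil, errors.New("no certificate in bundle matches the private key")
	}
	out := encodePEM("CERTIFICATE", leaf.Raw)
	for cur := leaf; cur != nil; { // walk up: append whichever remaining cert signed cur
		var parent *x509.Certificate
		for i, c := range rest {
			if cur.CheckSignatureFrom(c) == nil {
				parent, rest = c, append(rest[:i], rest[i+1:]...)
				out = append(out, encodePEM("CERTIFICATE", c.Raw)...)
				break
			}
		}
		cur = parent
	}
	return out, nil
}

// BuildConstructedChain makes a throwaway root CA and a wildcard leaf it signs
// (constructed test material, not a Key Vault export): rootPEM, leafPEM, leaf key PEM.
func BuildConstructedChain() (rootPEM, leafPEM, keyPEM []byte) {
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature}
		if ca {
			t.KeyUsage = x509.KeyUsageCertSign
		} else {
			t.DNSNames = []string{cn}
		}
		return t
	}
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := tmpl(1, "Constructed Test Root CA", true)
	rootDER := must(x509.CreateCertificate(rand.Reader, root, root, &rootKey.PublicKey, rootKey))
	rootCert := must(x509.ParseCertificate(rootDER))
	leafDER := must(x509.CreateCertificate(rand.Reader, tmpl(2, "*.example.test", false), rootCert, &leafKey.PublicKey, rootKey))
	keyDER := must(x509.MarshalECPrivateKey(leafKey))
	return encodePEM("CERTIFICATE", rootDER), encodePEM("CERTIFICATE", leafDER), encodePEM("EC PRIVATE KEY", keyDER)
}
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func main() {
	rootPEM, leafPEM, keyPEM := BuildConstructedChain()
	rootFirst := append(append([]byte{}, rootPEM...), leafPEM...) // mimic an issuer-first export
	fmt.Println("root-first tls.crt:", VerifySyncedSecret(rootFirst, keyPEM))
	fmt.Println("leaf-first tls.crt:", VerifySyncedSecret(must(OrderLeafFirst(rootFirst, keyPEM)), keyPEM))
}
```

Run as-is it prints the mismatch error for the issuer-first bundle and `<nil>` once the bundle has been reordered. The same VerifySyncedSecret call, fed the decoded tls.crt and tls.key of a secret akv2k8s has written, is a cheap post-sync check to run before pointing an Ingress at it, and it fails for exactly the reason the nginx log line earlier in this thread shows.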
