Issuer Creation Error: "local error: tls: no renegotiation"

[johnmarx-la]

When attempting to install and configure cert-manager in our private network, we get an error when the system attempts to create the issuer against a Venafi server. The error is: "local error: tls: no renegotiation"

In golang the http.Client will allow the Transport: to specify a TLSClientConfig: parameter to allow Renegotiation.

example:

           Transport: &http.Transport {
                          TLSClientConfig: &tls.Config{
                                          RootCAs: caCertPool,
                                          Renegotiation: tls.RenegotiationOnceAsClient,
                          },
            },
}
req, err := http.NewRequest(...

If there is an existing command line flag we can use to invoke this, please let us know. In looking at the source code in cert-manager, it appears that there are many places the http.Client object is created and altered, and even some outside the cert-manager project and in the Venafi "Vcert" project source code.

In our organization we have limited ability to affect the configuration of the Venafi server and we believe it may be running behind an IIS server. If we could resolve this within the cert-manager install that would be our most expedient method.

Best regards,
John Marx

[meyskens]

We use the vCert library for all communication to venafi instances, I think it would be best to file an issue there to add this option so we can implement it.

[meyskens]

/area venafi

[johnmarx-la]

Thank you @meyskens, will do!

[tomcruise81]

@johnmarx-la - looks like you opened Venafi/vcert#148. Should this be re-opened and tied to that issue?

[maelvls]

For context, the full error message on the Issuer looks like this:

Error initializing issuer: Failed to setup Venafi issuer: client.VerifyCredentials: tppClient.VerifyAccessToken: Get "https://venafi-tpp.platform-ops.jetstack.net/vedauth/authorize/verify": local error: tls: no renegotiation

This issue has two possible causes:

Case 1: Venafi issuer + username and password:

If you are using the Venafi issuer with a username and password and you see local error: tls: no renegotiation, then it means that there is a misconfiguration in the IIS server that is serving TPP.

To fix the issue, you will need to RDP into the Windows instance that runs TPP, open IIS, open the VEDSDK endpoint, open the "SSL Config", and select "Ignore" instead of "Accept":

Case 2: Venafi issuer + access token:

If you are using the Venafi issuer with an access token and you see local error: tls: no renegotiation, you might be hitting #5517, which is a limitation of cert-manager specific to access tokens: currently, cert-manager cannot connect to TPP instances using an access token when the TPP instance has its VEDAuth's "SSL Config" set to "Accept".

To work around the issue, you will first need to make sure no one is using the certificate-based authentication for the Web SDK. Then, you will need to RDP into the Windows instance that runs TPP, open IIS, open the VEDAuth endpoint, open the "SSL Config", and select "Ignore" instead of "Accept":