Confusing messaging when certificate secret name already exist

[jjshanks]

Describe the bug:
When doing a describe on a certificate it says unable to decode PEM block

The certificate request has failed to complete and will be retried: Failed to decode returned certificate: error decoding certificate PEM block

Expected behaviour:

A message about how issuer-ref and secretName can't be the same secret. Or something more explicit about what is breaking.

Steps to reproduce the bug:

 helm repo add jetstack https://charts.jetstack.io --force-update
 helm repo update
 kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.crds.yaml
 helm install \
   cert-manager jetstack/cert-manager \
   --namespace cert-manager \
   --create-namespace \
   --version v1.14.5
 kubectl create namespace linkerd
 step certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure &&
  kubectl create secret tls \
    linkerd-trust-anchor \
    --cert=ca.crt \
    --key=ca.key \
    --namespace=linkerd
	
kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-trust-anchor
  namespace: linkerd
spec:
  ca:
    secretName: linkerd-trust-anchor
EOF

kubectl apply -f - <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-identity-issuer
  namespace: linkerd
spec:
  secretName: linkerd-trust-anchor
  duration: 48h
  renewBefore: 25h
  issuerRef:
    name: linkerd-trust-anchor
    kind: Issuer
  commonName: identity.linkerd.cluster.local
  dnsNames:
  - identity.linkerd.cluster.local
  isCA: true
  privateKey:
    algorithm: ECDSA
  usages:
  - cert sign
  - crl sign
  - server auth
  - client auth
EOF

Anything else we need to know?:

Environment details::

• Kubernetes version: 1.30 / 1.29
• Cloud-provider/provisioner: minikube / EKS
• cert-manager version: 1.14.5
• Install method: helm

/kind bug

[hawksight]

Slack conversation: https://kubernetes.slack.com/archives/C4NV3DWUC/p1715054329904869

This issue is in reference to the article from LinkerD: https://linkerd.io/2.15/tasks/automatically-rotating-control-plane-tls-credentials/

[SgtCoDFish]

It's reasonable to say that cert-manager's error could be better here! I don't think we see this specific error very often so I've marked this as backlog. Would be happy to review a PR but I don't think a maintainer is likely to write that PR any time soon!

Thank you for raising this issue, it's always good to have these kinds of detailed reports 👍

[cert-manager-bot]

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
/lifecycle stale

[cert-manager-bot]

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
/lifecycle rotten
/remove-lifecycle stale

[jjshanks]

@SgtCoDFish can you assign this to me? I'll try to pull together a PR.

[hawksight]

/assign @jjshanks

[SgtCoDFish]

/remove-lifecycle rotten

[SgtCoDFish]

I dug into this a bit with the knowledge that this was being caused by trying to issue into a secret containing a CA issuer.

The issue is actually from here:

cert-manager/pkg/util/pki/csr.go

Line 464 in 8f71b91

if cert.CheckSignatureFrom(cert) == nil {

The chain cert that's generated in this case is self-signed; that's because it re-uses the already existing private key in the CA issuer secret. So this function doesn't return any PEM when we encode the chain here.

So we return a bundle with the CA set but no chain, which we don't handle here.

That's why the error being shown is a failure to decode the cert (from here) - because there's nothing to decode.