Kubernetes service FQDN is included in SANs in the CSR generated by manual-tls-certificates charm even though csr-domain-name is set in istio-pilot config #557

Open
przemeklal opened this issue Oct 7, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@przemeklal
Member

Bug Description

Hi,

I configured csr-domain-name in istio-pilot and related it to manual-tls-certificates. When I run juju run manual-tls-certificates/leader get-outstanding-certificate-requests, the generated CSR incorrectly includes the Kubernetes service FQDN:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = kubeflow-pfcksipu2m4ga.polandcentral.cloudapp.azure.com, x500UniqueIdentifier = ef75f0ac-02bb-4425-b2be-f2627f1d2333
[...]
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: 
                    DNS:istio-pilot-0.istio-pilot-endpoints.kubeflow.svc.cluster.local
[...]

The inclusion of svc.cluster.local-type domains in a CSR is not supported by 3rd-party CAs, such as Let's Encrypt:

Requesting a certificate for kubeflow-pfcksipu2m4ga.polandcentral.cloudapp.azure.com and istio-pilot-0.istio-pilot-endpoints.kubeflow.svc.cluster.local
An unexpected error occurred:
Invalid identifiers requested :: Cannot issue for "istio-pilot-0.istio-pilot-endpoints.kubeflow.svc.cluster.local": Domain name does not end with a valid public suffix (TLD)

The expected behavior is using the same address (csr-domain-name) in CN and SAN fields (or even omitting CN completely).

Other charms, such as Traefik, behave correctly; please see an example CSR generated using the same steps:

Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = cos-d4w2lixiz5yos.eastus2.cloudapp.azure.com, x500UniqueIdentifier = bdfa477c-b080-4f49-a58d-2182f6fd978c
[...]
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name: 
                    DNS:cos-d4w2lixiz5yos.eastus2.cloudapp.azure.com

To Reproduce

juju config istio-pilot csr-domain-name="kubeflow-pfcksipu2m4ga.polandcentral.cloudapp.azure.com"
juju deploy manual-tls-certificates
juju relate manual-tls-certificates istio-pilot
juju run manual-tls-certificates/leader get-outstanding-certificate-requests --format=json | yq '.manual-tls-certificates/0.results.result' | yq '.[0].csr' > /home/ubuntu/kubeflow.csr
# show CSR
openssl req -in /home/ubuntu/kubeflow.csr -noout -text
# try to generate the cert
certbot -n --agree-tos -m [email protected] --nginx certonly -d kubeflow-pfcksipu2m4ga.polandcentral.cloudapp.azure.com --csr /home/ubuntu/kubeflow.csr

Environment

$ juju status
Model     Controller           Cloud/Region             Version    SLA          Timestamp
kubeflow  azure-polandcentral  k8s-cloud/polandcentral  3.6-beta2  unsupported  12:38:02Z
...
istio-pilot                                         active      1  istio-pilot              1.22/stable     1169  10.0.206.231  no       
...
manual-tls-certificates                             active      1  manual-tls-certificates  latest/stable    108  10.0.135.207  no       1 outstanding requests, use juju actions to provide certificates
...

Relevant Log Output

No relevant logs. Steps to reproduce are posted above.

Additional Context

No response

@przemeklal przemeklal added the bug Something isn't working label Oct 7, 2024
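A small pre-flight check for the situation described in this report, added here as an example and not part of the charm or the issue: it parses the `openssl req -noout -text` dump of a CSR, pulls out the CN and the SAN DNS names, and flags cluster-internal names and CN/SAN mismatches before the CSR is sent to a public CA. The internal-suffix list is an assumption (`cluster.local` is the Kubernetes default); the two sample dumps are trimmed copies of the CSRs quoted in the issue.

```python
import re

# Assumed list of suffixes a public CA will refuse; extend it for a custom cluster domain.
INTERNAL_SUFFIXES = (".svc.cluster.local", ".cluster.local", ".local", ".internal")

# Trimmed copies of the two CSR dumps quoted in the issue (constructed sample input).
ISTIO_CSR_TEXT = """Certificate Request:
    Data:
        Subject: CN = kubeflow-pfcksipu2m4ga.polandcentral.cloudapp.azure.com, x500UniqueIdentifier = ef75f0ac-02bb-4425-b2be-f2627f1d2333
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:istio-pilot-0.istio-pilot-endpoints.kubeflow.svc.cluster.local
"""
TRAEFIK_CSR_TEXT = """Certificate Request:
    Data:
        Subject: CN = cos-d4w2lixiz5yos.eastus2.cloudapp.azure.com, x500UniqueIdentifier = bdfa477c-b080-4f49-a58d-2182f6fd978c
        Attributes:
            Requested Extensions:
                X509v3 Subject Alternative Name:
                    DNS:cos-d4w2lixiz5yos.eastus2.cloudapp.azure.com
"""


def parse_csr_text(text):
    """Return (CN or None, list of SAN DNS names) from openssl's text rendering of a CSR."""
    cn_match = re.search(r"Subject:[^\n]*?\bCN\s*=\s*([^,\n]+)", text)
    cn = cn_match.group(1).strip() if cn_match else None
    # openssl prints SAN entries as "DNS:name" separated by commas, possibly on one line.
    sans = re.findall(r"DNS:([^,\s]+)", text)
    return cn, sans


def lint_csr(text, expected_domain):
    """Return a list of problems; an empty list means the CSR is safe to submit to a public CA."""
    cn, sans = parse_csr_text(text)
    problems = []
    for name in sans:
        if name.endswith(INTERNAL_SUFFIXES):
            problems.append(f"SAN {name!r} is cluster-internal; a public CA will reject it")
    if expected_domain not in sans:
        problems.append(f"configured domain {expected_domain!r} is missing from the SANs")
    if cn is not None and cn not in sans:
        problems.append(f"CN {cn!r} is not listed in the SANs (clients validate SANs, not CN)")
    return problems


if __name__ == "__main__":
    for label, text, domain in (("istio-pilot", ISTIO_CSR_TEXT, "kubeflow-pfcksipu2m4ga.polandcentral.cloudapp.azure.com"),
                                ("traefik", TRAEFIK_CSR_TEXT, "cos-d4w2lixiz5yos.eastus2.cloudapp.azure.com")):
        print(label, lint_csr(text, domain) or "OK")
```

Run it against a real dump with `openssl req -in kubeflow.csr -noout -text | python3 lint_csr.py` after swapping the sample strings for `sys.stdin.read()`; the istio-pilot sample yields three findings, the Traefik sample none.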

Thank you for reporting your feedback to us!

The internal ticket has been created: https://warthogs.atlassian.net/browse/KF-6417.

This message was autogenerated

@orfeas-k
Contributor

This is a valid bug. That being said, the configuration option tls-secret-id is an alternative which, contrary to what is mentioned in the readme, is not going to be dropped in newer versions (relevant issue #536).
