cert-manager and Kubernetes

Hi,

I'm trying to use the ACMEv2 test endpoint with cert-manager for Kubernetes (standard Helm deployment using HTTP-01 issuing). I created an issue on GitHub https://github.com/jetstack/cert-manager/issues/1375

Getting the following error:

'Failed to create new order: acme: urn:ietf:params:acme:error:malformed:
      The registration request doesn''t contain terms acceptance field: termsOfServiceAgreed,
      set to true'

Any input from you guys on how to correctly configure cert-manager?

6replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • Hi Vidar Waagbø

     

    Unfortunately we do not have experience of using cert-manager.

     

    Regards,

    Andriy

    Reply Like
  • Got a similar observation from at Jetstack developer on my GitHub issue: https://github.com/jetstack/cert-manager/issues/1375

    He suggests that the problem may be to server differences between your implementation and the "reference" Let's Encrypt implementation.

    Are you able to help us identify which properties in the challenge request that causes the problem from the server/supplier side?

    Reply Like
    • Hi Vidar Waagbø 

       

      This is likely due to the fact that the request to create an account doesn’t contain the

      termsOfServiceAgreed field. Since we require clients to agree to terms of service,

      those requests for account creation, that do not contain such field, are rejected.

       

      We do require this field to be set even if "onlyReturnExisting": true is included.

      We are working to release this constraint.

       

      Thank you for raising this issue.

       

      Regards,

      Andriy

      Reply Like
    • Andriy Mahats 

      Thanks for working towards providing an ACME v2 endpoint, user will greatly appreciate having a choice of certificate authorities.

      I am the developer of Certify The Web which is a popular Windows GUI for certificates from ACME CAs. I'm also looking at supporting BuyPass, and this would be using the v2 API (we no longer have v1 API support which is common for many of the updated clients as the order workflows are quite different).

      I can confirm seeing the same error (/new-acct is fine but when used later with onlyReturnExisting:true it fails to return the current account details).

      Reply Like 1
  • Got hit by this bug as well with cert-manager. Keep in mind that cert-manager is one of the most widespread ways of obtaining ACME supported certificates in an Kubernetes environment so complying to the ACME protocol in order to support all of the ACME clients is key in order to for wide spread adoption. Please fix this!

    Reply Like
    • Hi Hans Flaatten 

       

      We have released a fix to resolve this issue last week.

      If you still experience problems, please try to activate “verbose” mode

      in the client you use – so there might be more helpful details.

       

      Regards,

      Andriy

      Reply Like
Like2 Follow
  • 2 Likes
  • 8 mths agoLast active
  • 6Replies
  • 99Views
  • 4 Following

Buypass Official Community

This is the official community of Buypass.  A Root CA located in Norway.