I've generated a Let's Encrypt certificate with
certbot certonly --manual --debug --preferred-challenges DNS -d *.stag.example.com
# .example.com is replaced by my company domain
Then I put it into cert-manager as a secret: chain1.pem into tls.crt and privkey1.pem into tls.key. After that, I created a ClusterIssuer and pointed it at the secret. I can verify that the ClusterIssuer detects the secret.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  annotations: {}
  name: letsencrypt-clusterissuer
spec:
  ca:
    secretName: letsencrypt-cert
Long story short, I created an ingress with TLS and annotated it with this cluster issuer. But the CertificateRequest gives this error: Error signing certificate: error creating x509 certificate: x509: provided PrivateKey doesn't match parent's PublicKey.
I've tried to investigate the error and to verify the public key locally. I used openssl, and I even used the Docker version of alpine/openssl. I tried extracting the public key from chain1.pem and from privkey1.pem (ECDSA). The generated public keys do not match.
openssl ec -in privkey1.pem -pubout -outform PEM -out xxx-privkey1.pub
openssl x509 -in chain1.pem -pubkey -noout -out xxx-chain1.pub
I know I should ask cert-manager about this one. But in case I want to do it manually, whatever my situation is, I receive the fullchain and the private key. My question for Let's Encrypt: is it intended behavior that the public keys do not match? Is there something I missed?
I also tried generating an RSA key, and in the end the public keys still do not match. I've been exploring this topic for hours and neither Let's Encrypt nor cert-manager has a resolving answer. What can I do to solve this?
===
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: I prefer not to give
I ran this command:
docker run --rm --name certbot \
-v "${PWD}/etc_letsencrypt:/etc/letsencrypt" \
-v "${PWD}/var_lib_letsencrypt:/var/lib/letsencrypt" \
-v "${PWD}/var_log_letsencrypt:/var/log/letsencrypt" \
certbot/certbot certonly --manual --debug --preferred-challenges DNS -d *.stag.example.com
It produced this output: DNS ACME challenge and all works
My web server is (include version): Cert-Manager
The operating system my web server runs on is (include version): Kubernetes
My hosting provider, if applicable, is: Kubernetes
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 3.1.0
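As an added example (not part of the original post, and not code from certbot or cert-manager): a small POSIX shell helper that performs the same check cert-manager is failing on, namely whether a private key and a certificate carry the same public key. It hashes the DER-encoded SubjectPublicKeyInfo of both sides, so it works the same way for ECDSA and RSA keys, and it also counts how many certificates a PEM bundle holds, which is useful when checking which file is actually being compared. Two things worth knowing when reading the result: openssl x509 only reads the first certificate in a file, and in a certbot archive directory the leaf certificate is cert1.pem (fullchain1.pem starts with it) while chain1.pem holds only the intermediate certificates, so a key compared against chain1.pem is being compared against the intermediate's public key. The demo key pairs the script generates are constructed on the fly, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: check whether a PEM private key
# matches the public key in a PEM certificate before loading both into a
# Kubernetes TLS secret. Requires the openssl CLI.
set -eu

# SHA-256 of the DER SubjectPublicKeyInfo carried by the FIRST certificate
# in the file (openssl x509 ignores any further certificates in a bundle).
cert_spki_sha256() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER SubjectPublicKeyInfo derived from a private key
# (works for EC and RSA keys alike, unlike "openssl ec"/"openssl rsa").
key_spki_sha256() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Number of PEM certificates in a file; 1 for a leaf, usually 1-2 for a
# chain file, and leaf + chain for a fullchain file.
pem_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Prints MATCH and returns 0 when key and certificate agree,
# prints MISMATCH and returns 1 otherwise.
key_matches_cert() {
    key_fp=$(key_spki_sha256 "$1")
    cert_fp=$(cert_spki_sha256 "$2")
    if [ "$key_fp" = "$cert_fp" ]; then
        echo "MATCH  spki-sha256=$key_fp"
        return 0
    fi
    echo "MISMATCH key=$key_fp first-cert-in-file=$cert_fp"
    return 1
}

# Constructed demo material (hypothetical names): a fresh P-256 key plus a
# self-signed certificate for it. Generating two such pairs gives one
# matching combination and one "wrong file" combination, like comparing a
# leaf's key against a chain file that starts with an intermediate cert.
make_demo_pair() {   # $1 = output path prefix, writes $1.key and $1.crt
    openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null
    openssl req -new -x509 -key "$1.key" -subj "/CN=demo.example.invalid" \
        -days 1 -out "$1.crt" 2>/dev/null
}

# Stand-alone usage: ./keycheck.sh privkey1.pem cert1.pem
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    echo "certificates in $2: $(pem_cert_count "$2")"
    key_matches_cert "$1" "$2"
fi
```

Running it with the key and each of cert1.pem, fullchain1.pem and chain1.pem shows at a glance which file the key actually belongs to; the count line makes it obvious when the file handed to the comparison is a bundle whose first certificate is not the leaf.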