Certificate chain is not split correctly #148

@ZzubbuzZ

Description:

We are using Google CAS as a delegated certificate authority and our complete certificate chain is:
[Root CA cert - RCA] -> [Intermediate CA cert - ICA] -> [GoogleCAS CA cert - CASCA] -> [Leaf certificate - CERT]
In certificate secrets, the certificate chain is not split properly:

  • tls.crt contains CASCA and CERT in a single encoded string using a mix of "\r\n" and "\n" as new line separator.
    • CERT: this part of the string uses "\r\n" as new line separator and contains the leaf certificate.
    • CASCA: this part of the string uses "\n" as new line separator and contains the Google CAS certificate authority public certificate.
  • ca.crt contains RCA + ICA in a single encoded string with "\r\n" as new line separator (except at the end of the string, where only "\n" is used).

What's expected:

  • From what we understood from the cert-manager FAQ, the secret should contain:

    • tls.crt with the full certificate chain within (except the CA cert)
    • ca.crt should only contain the root certificate
  • All encoded strings should use the same new line separator (might be an external issue without impact on google-cas-issuer, but...??)

What's happening:

As the web server using the leaf certificate publishes cert.crt as the certificate chain, our TLS handshake times out, as the client does not trust the ICA, but only the RCA.
If we modify the client config and add the ICA to its truststore, the TLS handshake ends successfully, and the TLS connection is established.

Versions affected:

google-cas-issuer: 0.8.0
cert-manager: 1.14.4

How to reproduce:

Create the CA chain described, and you should reproduce the issue.
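Added example (not google-cas-issuer or cert-manager code, and not part of the issue) showing the check and the repair a practitioner would apply to a Secret laid out as described above. It normalizes the CRLF/LF mix, splits the PEM blocks, reads issuer and subject out of each DER certificate with a minimal stdlib ASN.1 walker, orders the chain leaf -> root by matching issuer to subject, and rebuilds the two keys the way the cert-manager FAQ describes them: tls.crt = leaf plus every intermediate, ca.crt = the self-signed root only. All function names are this example's own. The four certificates are constructed, unsigned DER stand-ins (fake_cert) whose only meaningful fields are issuer and subject; on a real cluster you would feed in the base64-decoded tls.crt and ca.crt values from the Secret instead.

```python
# Added example: re-split a cert-manager TLS Secret into tls.crt / ca.crt (stdlib only).
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_newlines(text: str) -> str:
    """Collapse the CRLF/LF mix into LF and guarantee one trailing newline."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return text if text.endswith("\n") else text + "\n"


def split_pem(text: str) -> list[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_RE.finditer(normalize_newlines(text))]


def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def der_encode(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (short or long-form length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_decode(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der: bytes) -> tuple[bytes, bytes]:
    """Return the DER-encoded issuer and subject Names of a certificate (RFC 5280 layout)."""
    _, cert, _ = der_decode(der, 0)            # Certificate ::= SEQUENCE
    _, tbs, _ = der_decode(cert, 0)            # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, value, pos = der_decode(tbs, pos)
        fields.append((tag, value))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields.pop(0)
    # fields are now: serialNumber, signature, issuer, validity, subject, ...
    return der_encode(0x30, fields[2][1]), der_encode(0x30, fields[4][1])


def resplit_chain(tls_crt: str, ca_crt: str) -> tuple[str, str]:
    """Rebuild (tls.crt, ca.crt): leaf + intermediates in tls.crt, self-signed root in ca.crt."""
    certs = split_pem(tls_crt) + split_pem(ca_crt)
    by_subject, issuers = {}, set()
    for der in certs:
        issuer, subject = issuer_and_subject(der)
        by_subject[subject] = (der, issuer)
        issuers.add(issuer)
    leaves = [s for s in by_subject if s not in issuers]   # nothing chains to a leaf
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain, subject = [], leaves[0]
    while True:
        der, issuer = by_subject[subject]
        chain.append(der)
        if issuer == subject:                  # self-signed: this is the root
            break
        if issuer not in by_subject or len(chain) > len(certs):
            raise ValueError("chain is incomplete or loops")
        subject = issuer
    root = chain.pop()
    return "".join(to_pem(d) for d in chain), to_pem(root)


def cn_name(cn: str) -> bytes:
    """Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }"""
    rdn = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))
    return der_encode(0x30, der_encode(0x31, rdn))


def fake_cert(subject_cn: str, issuer_cn: str) -> bytes:
    """Constructed, unsigned certificate-shaped DER for the demo only; it would never validate."""
    alg = der_encode(0x30, der_encode(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der_encode(0x05, b""))
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, b"340101000000Z"))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + alg
           + cn_name(issuer_cn) + validity + cn_name(subject_cn) + der_encode(0x30, b""))
    return der_encode(0x30, der_encode(0x30, tbs) + alg + der_encode(0x03, b"\x00"))


def sample_secret() -> tuple[str, str]:
    """Constructed Secret values laid out exactly as the issue describes."""
    rca, ica = fake_cert("RCA", "RCA"), fake_cert("ICA", "RCA")
    casca, cert = fake_cert("CASCA", "ICA"), fake_cert("CERT", "CASCA")
    tls_crt = to_pem(cert).replace("\n", "\r\n") + to_pem(casca)          # CRLF leaf, LF CASCA
    ca_crt = (to_pem(rca) + to_pem(ica)).replace("\n", "\r\n")[:-2] + "\n"  # CRLF, lone LF at end
    return tls_crt, ca_crt
```

Root detection here is the usual byte-equality of the DER issuer and subject Names; a real verifier would also check the signature and the basicConstraints/keyUsage extensions, which these stand-ins do not carry. Mixed line endings are harmless to a strict PEM reader, but the normalization is still worth doing before comparing or diffing Secret contents.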
