Skip to main content
Version: 1.2

Troubleshoot Key Management Provider Errors

Please use kubectl get or kubectl describe command to retrieve the error.

kubectl get keymanagementproviders.config.ratify.deislabs.io -n <INSERT NAMESPACE>

CERT_INVALID

This error is returned when Ratify fails to parse certificate fetched from Key Management Provider.

Scenario 1

Brieferror: failed to get certificates fro... Error: failed to get certificates from secret bundle:
Original Error: (pkcs12: expected exactly two items in the authenticated safe),
Error: cert invalid,
Code: CERT_INVALID,
Plugin Name: azurekeyvault, Component Type: certProvider,
Detail: azure keyvault key management provider: failed to convert PKCS12 Value to PEM. Certificate default, version b81be595959f46fbb1c704018d29aca8
Issuccess: false

Cause and Solution

PKCS12 format certs in Key Vault with nonexportable private keys causes a parsing failure because Go is hardcoded to expect a private key. We recommend switching to PEM certs.

Access Denied

This error occurs when Ratify fails to fetch certificates from akv provider due to permissions issues.

Scenario 1

Reconciler error KeyManagementProvider=gatekeeper-system/kmp-akv controller=keymanagementprovider controllerGroup=config.ratify.deislabs.io controllerKind=KeyManagementProvider error=Error fetching certificates in KMProvider kmp-akv with azurekeyvault provider

error: failed to get secret objectName:Certname, objectVersion:, error: keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=403, Original Error: autorest/azure: Service returned an error. Status=403 Code="Forbidden" Message="The user, group or application 'appid=app;iss=https://sts.windows.net/tenant_id/' does not have secrets get permission on key vault 'keyvaultname;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287" InnerError={"code":"AccessDenied"}

Cause and Solution

When a certificate is created, an addressable key and secret are also created with the same name. Ratify requires secret permissions to retrieve the public certificates for the entire certificate chain. Please configure keyvault policy for the identity with command below.

az keyvault set-policy --name ${AKV_NAME} \
--secret-permissions get \
--object-id ${IDENTITY_OBJECT_ID}

Since the permission change is external to ratify, you MUST manually trigger a fetch operation by deleting and applying the CR again.

kubectl get keymanagementproviders.config.ratify.deislabs.io/kmp-akv -o yaml > my_kmp_akv.yaml
kubectl delete keymanagementproviders.config.ratify.deislabs.io/kmp-akv
kubectl apply -f my_kmp_akv.yaml