Troubleshooting Built-In Account authentication
This topic covers common problems when configuring Enterprise Issuer to authenticate to Next-Gen Trust Security using a Built-In Account.
For general Enterprise Issuer troubleshooting, including how to inspect resources or adjust the logging level, see Troubleshooting Enterprise Issuer.
Wrong Client ID

The Connection resource status message contains `invalid_client: Not Found` or `grant not found`. This means the `clientID` in the `VenafiConnection` does not match the Built-In Account's Client ID.

- In Next-Gen Trust Security, on the Built-In Account page, copy the Client ID.
- Compare it with the `clientID` field in `VenafiConnection`:

  ```shell
  kubectl get venaficonnection ngts-connection -n venafi -o jsonpath='{.spec.ngts.jwt[1].privateKeyJWT.clientID}'
  ```

- If they do not match, update `VenafiConnection`.
Wrong or corrupted private key

The Connection resource status message contains a JWT signing error or an OAuth error such as `invalid_grant`. This means either the private key in the Kubernetes Secret does not match the public key registered with the Built-In Account, or the PEM data is malformed (for example, newlines are missing, so the header, body and footer run together on one line).

- Verify that the Secret contains a valid PEM-encoded private key:

  ```shell
  kubectl get secret ngts-credentials -n venafi -o jsonpath='{.data.privateKey}' | base64 -d | head -1
  ```

  The output should begin with `-----BEGIN EC PRIVATE KEY-----` or `-----BEGIN RSA PRIVATE KEY-----`. If the whole key is printed on that single line, the newlines were lost when the Secret was created.
- If the key is corrupted or does not match the Built-In Account, on the Built-In Account page in Next-Gen Trust Security, click the account.
- In the panel that appears, click Renew to generate a new key pair, and save the private key.
- Update the Kubernetes Secret with the new private key.
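The checks above distinguish two different problems (malformed PEM versus a key pair that no longer matches). The following script is an added example, not part of the Enterprise Issuer documentation: it pulls the key out of the Secret, checks the PEM structure without ever printing key material, and derives the public key so it can be compared with the one Next-Gen Trust Security holds for the Built-In Account. The Secret name, namespace and `privateKey` key follow this page; `kubectl` is only needed by `fetch_secret_key`, and `openssl` only by `print_public_key`. The `--demo` mode uses two constructed strings that are not real keys.

```shell
#!/bin/sh
# Added example (not from the Enterprise Issuer docs). Assumes POSIX sh.
umask 077   # any temp file holding the key is readable by this user only

# fetch_secret_key FILE: decode the Secret's privateKey field into FILE.
fetch_secret_key() {
  kubectl get secret ngts-credentials -n venafi \
    -o jsonpath='{.data.privateKey}' | base64 -d > "$1"
}

# check_pem_private_key FILE
# Returns 0 when FILE is a well-formed EC or RSA PRIVATE KEY block, 1 otherwise.
# Only a diagnosis is printed, never the key itself.
check_pem_private_key() {
  f="$1"
  first=$(head -n 1 "$f" | tr -d '\r')
  last=$(tail -n 1 "$f" | tr -d '\r')

  case "$first" in
    '-----BEGIN EC PRIVATE KEY-----')  ktype=EC ;;
    '-----BEGIN RSA PRIVATE KEY-----') ktype=RSA ;;
    *'-----END '*)
      echo 'header and footer share a line: the PEM newlines are missing'
      return 1 ;;
    *)
      echo 'first line is not an EC or RSA PRIVATE KEY header'
      return 1 ;;
  esac

  if [ "$last" != "-----END ${ktype} PRIVATE KEY-----" ]; then
    echo "footer does not match the ${ktype} header (truncated or mixed-up key?)"
    return 1
  fi

  # Everything between header and footer must be non-empty base64 text.
  body=$(sed '1d;$d' "$f" | tr -d '\r')
  if [ -z "$body" ]; then
    echo 'empty key body'
    return 1
  fi
  bad=$(printf '%s\n' "$body" | grep -cvE '^[A-Za-z0-9+/]+=*$' || true)
  if [ "$bad" -ne 0 ]; then
    echo "${bad} body line(s) contain non-base64 characters"
    return 1
  fi
  echo "ok: ${ktype} private key, $(printf '%s\n' "$body" | grep -c '') body lines"
}

# print_public_key FILE: the public key and its SHA-256 fingerprint, for
# comparison with the key registered for the Built-In Account.
print_public_key() {
  openssl pkey -in "$1" -pubout
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

case "${1:-}" in
  --demo)   # constructed inputs, not real keys
    tmp=$(mktemp -d)
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'MHcCAQEEIAAAAAAA' \
      '-----END EC PRIVATE KEY-----' > "$tmp/well-formed.pem"
    printf '%s' '-----BEGIN EC PRIVATE KEY-----MHcCAQEE-----END EC PRIVATE KEY-----' \
      > "$tmp/one-line.pem"
    check_pem_private_key "$tmp/well-formed.pem"
    check_pem_private_key "$tmp/one-line.pem" || true
    rm -rf "$tmp" ;;
  --live)   # run against the Secret in the cluster
    tmp=$(mktemp -d)
    fetch_secret_key "$tmp/key.pem"
    check_pem_private_key "$tmp/key.pem" && print_public_key "$tmp/key.pem"
    rm -rf "$tmp" ;;
esac
```

Run it with `--live` after the Secret has been updated; if the structural check passes but the connection still fails with `invalid_grant`, the fingerprint printed by `print_public_key` is the value to compare against the key pair created by Renew.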
Unreachable endpoint

The Connection resource status message contains a connection error such as `dial tcp: lookup ... no such host` or `connection refused`. This means either the `tsgID` in `VenafiConnection` is incorrect or the cluster cannot reach the Next-Gen Trust Security data plane endpoint. A `no such host` error points at the hostname itself, so check the `tsgID` first; `connection refused` or a timeout with a correctly resolved hostname points at egress restrictions between the cluster and the endpoint (network policy, firewall or proxy).

- Verify that the `tsgID` in `VenafiConnection` matches your Tenant Service Group ID. The `tsgID` is used to construct the URL of the Next-Gen Trust Security data plane endpoint, for example `https://0000000000.ngts.paloaltonetworks.com`:

  ```shell
  kubectl get venaficonnection ngts-connection -n venafi -o jsonpath='{.spec.ngts.tsgID}'
  ```

- From a pod in the cluster, verify that the cluster can reach the endpoint:

  ```shell
  kubectl run -it --rm curl-test --image=curlimages/curl -- curl -v https://<tsgID>.ngts.paloaltonetworks.com/v1/health
  ```
Untrusted TLS certificate in non-production environments

The Connection resource status message contains `x509: certificate signed by unknown authority`. Non-production environments use TLS certificates signed by a Palo Alto Networks internal CA that is not in the Enterprise Issuer trust store, so the TLS handshake is rejected. Only configure the following for non-production environments.

- Obtain the Palo Alto Networks CA bundle (from Palo Alto Networks, not by copying the chain presented by the failing connection, which would defeat the check) and create a `ConfigMap` in the Enterprise Issuer namespace:

  ```shell
  kubectl create configmap cyberark-ca-bundle \
    --from-file=ca-bundle.crt=ca-bundle.pem \
    -n venafi
  ```

- Configure the Enterprise Issuer Helm chart to trust the CA bundle by setting the `trustedCaBundles` value:

  ```yaml
  venafiEnhancedIssuer:
    manager:
      trustedCaBundles:
        - configMapName: cyberark-ca-bundle
          configMapKey: ca-bundle.crt
  ```

  The `configMapKey` must match the key used when the `ConfigMap` was created (`ca-bundle.crt` above).
- Upgrade the Enterprise Issuer Helm release with the updated values.
Invalid issuing template

The Certificate resource remains `Pending` and `CertificateRequest` events show a 404 response or a message indicating the issuing template was not found. This means the `zone` field in `VenafiIssuer` does not match a valid issuing template in Next-Gen Trust Security.

- Check the `zone` value in `VenafiIssuer`:

  ```shell
  kubectl get venafiissuer ngts-issuer -n venafi -o jsonpath='{.spec.zone}'
  ```

- Confirm the `zone` format, which must follow `Issuing Template Name`.
- In Next-Gen Trust Security, confirm that the issuing template exists and that the Built-In Account has access to it.
Secret access denied

The Connection resource status message contains `secrets "ngts-credentials" is forbidden` or a similar error. This means the `venafi-connection` service account does not have permission to read the Kubernetes Secret that contains the private key.

- Verify that the `Role` and `RoleBinding` exist:

  ```shell
  kubectl get role get-ngts-credentials -n venafi
  kubectl get rolebinding ngts-credentials-rolebinding -n venafi
  ```

- Verify that the `RoleBinding` references the correct service account name and namespace. The service account name must match the one used by the Connection resource controller (typically `venafi-connection` in the `venafi` namespace).
Cross-namespace reference denied

The Certificate resource remains `Pending`, and a `VenafiIssuer` in a different namespace from the Connection resource shows `reference not allowed`. This means the Connection resource does not allow references from the namespace where the `VenafiIssuer` or Certificate resource is created.

To resolve this error, add an `allowReferencesFrom` field to the Connection resource to permit cross-namespace access, as described in About cross-namespace access for Connection resource.