I seem to have noticed that creating a signed cert w/ a C-Name as the common name rather than the master node's A-record causes me to get cert errors even though the cert is valid. Doing the reverse ends up w/ the same result.
The only time the cert shows as 'valid' is when I connect to the master node via it's IP or A record shown @ the consoles login screen. Is this normal behavior? I feel that it may be a bug as I did not see these issues w/ 5.8.
For example:
Master Node IP: 192.168.1.50
Master Node A Record: vropsmaster-node.localdom.com
Master Node C Name: vrops.localdom.com
Certificate Info:
Common Name: vrops.localdom.com
Subject Alternative Name(s):
DNS: vropsmaster-node.localdom.com
IP: 192.168.1.50
In this case, vropsmaster-node.localdom.com and 192.168.1.50 come back as having valid certificates. Trying to connect to vrops.localdom.com has Chrome, IE, and Safari returning with host name mismatch errors for the cert. Screenshot from Safari attached.
Ok, I figured it out.
Change Common Name to that of the vropsmaster node and made the C-Name 'alias' as a SAN entry. That solved the issue.
So like above:
subjectAltName = DNS:vrops, IP:192.168.1.50,DNS:vrops.localdom.com
[ req_distinguished_name ]
countryName = US
# Update w/ your location's information
stateOrProvinceName = Georgia
localityName = Atlanta
0.organizationName = TakeAGuess
organizationalUnitName = MyGroup
# Change below
commonName = vropsmaster.localdom.com
emailAddress = me@test.com
Is this a SAN cert?
yes
I'm curious what fields are populated in the SAN Cert. Did you put the IP in it as per your thread above? My normal commands to gen a SAN csr is as follows:
openssl genrsa -des3 -out cluster.key 2048
openssl req -new -key cluster.key -sha256 -nodes
-subj '/C=US/ST=New York/L=New York/O=Hosting/OU=Team/CN=www.cluster.com/
emailAddress=administrative-not-existent-address@cluster.com/
subjectAltName=DNS.1=node1.cluster.com,
DNS.2=node2.cluster.com’ > cluster.csr
Here is an example of the cfg file I'm using to create the CSR:
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Edit below to match your needed config
subjectAltName = DNS:vrops, IP:192.168.1.50,DNS:vropsmaster.localdom.com
[ req_distinguished_name ]
countryName = US
# Update w/ your location's information
stateOrProvinceName = Georgia
localityName = Atlanta
0.organizationName = TakeAGuess
organizationalUnitName = MyGroup
# Change below
commonName = vrops.localdom.com
emailAddress = me@test.com
OpenSSL command to generate the CSR
D:\OpenSSL-Win32\bin\openssl req -out %location%%certname%.csr -new -newkey rsa:2048 -nodes -keyout %location%%certname%.key -config %location%%certname%.cfg
Drop the IP and shortname from the cert's subject alt names.. I've never added non-FQDN in there before and if I was a betting man our QE didn't test for it either. Just add the FQDN of the master and see what it does..
Ok, I figured it out.
Change Common Name to that of the vropsmaster node and made the C-Name 'alias' as a SAN entry. That solved the issue.
So like above:
subjectAltName = DNS:vrops, IP:192.168.1.50,DNS:vrops.localdom.com
[ req_distinguished_name ]
countryName = US
# Update w/ your location's information
stateOrProvinceName = Georgia
localityName = Atlanta
0.organizationName = TakeAGuess
organizationalUnitName = MyGroup
# Change below
commonName = vropsmaster.localdom.com
emailAddress = me@test.com