consul tls certs verify_server_hostname


ishaq

Sep 27, 2016, 8:51:58 AM
to Consul
Hello,

I am trying to use verify_server_hostname set to true, but keep getting the below error.  I have generated many signed certs with server.pl.conul or consul-pl-01.acme.net.pl.consul, however I keep getting the below issue.  What consul hostname is needed within the CSR so I can use the verify_server_hostname parameter?

 
[server]# consul operator raft -list-peers
Operator "raft" subcommand failed: Unexpected response code: 500 (rpc error: failed to get conn: x509: certificate is valid for consul-pl-01.acme.net, consul-pl-02.acme.net, consul-pl-03.acme.net, not server.pl.consul)

[server]#





David Adams

Sep 27, 2016, 9:00:49 AM
to consu...@googlegroups.com
The error message is pretty clear. The certificate being seen by raft is valid for consul-pl-01.acme.net, consul-pl-02.acme.net, or consul-pl-03.acme.net, but raft is expecting server.pl.consul.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/consul/issues
IRC: #consul on Freenode
---
You received this message because you are subscribed to the Google Groups "Consul" group.
To unsubscribe from this group and stop receiving emails from it, send an email to consul-tool+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/consul-tool/8ce46f32-350f-4adc-92f6-6c010c5d4420%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

oz

Sep 27, 2016, 9:15:53 AM
to Consul
I added server.pl.consul as a subjectAltName entry within the CSR and had it signed successfully, still no luck.  



David Adams

Sep 27, 2016, 9:54:58 AM
to consu...@googlegroups.com
Can you provide the output of `openssl x509 -in path/to/your/certificate -noout -text`? And are you sure you've set up Consul to look at that file, and have you restarted Consul since you changed the config or the cert file?


oz

Sep 27, 2016, 11:03:34 AM
to Consul
I have restarted Consul, I had a previous cert with just the hostnames of the servers within the Consul cluster.  I had verify incoming and outgoing enabled and wanted to add additional security by enabling verify_server_hostname.  The log outputs the same error as when running the operator raft command.  I then created a new cert with the server.pl.consul within the SAN blocks and below is that cert.  

[server]# openssl x509 -in cnsl_cert.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 9310061431239145493 (0x8133fbb171a19615)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=NewYork, L=CentralCity, O=Acme, OU=Secops, CN=Secops CA 2016
        Validity
            Not Before: Sep 27 11:36:25 2016 GMT
            Not After : Sep 26 11:36:25 2021 GMT
        Subject: C=US/emailAddress=sup...@acme.com, CN=consul-pl-01.acme.net/subjectAltName=consul-pl-01.acme.net,consul-pl-02.acme.net,consul-pl-03.acme.net,server.pl.consul, OU=Secops, L=CentralCity, O=Acme, ST=NewYork
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                DNS:consul-pl-01.acme.net, DNS:consul-pl-02.acme.net, DNS:consul-pl-03.acme.net, DNS:server.pl.consul
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection, Time Stamping, Code Signing
    Signature Algorithm: sha256WithRSAEncryption
[server]# 
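The check behind verify_server_hostname, as an added example that is not part of the thread: Consul is written in Go and its TLS stack verifies the server name with Go's x509 hostname matching, so this builds a certificate in memory with the SANs from the dump above and runs that same check against the name a client expects, `server.<datacenter>.consul`. The datacenter name "pl" is inferred from the error message, the self-signed ECDSA key is a stand-in for the CA-signed RSA cert, and the function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeServerCert builds a self-signed certificate with the given CN and DNS
// SANs; a constructed stand-in for the CA-signed cert shown in the thread.
func makeServerCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ConsulServerName is the name a client expects from a Consul server in the
// given datacenter when verify_server_hostname is true.
func ConsulServerName(datacenter string) string {
	return "server." + datacenter + ".consul"
}

// CoversDatacenter applies the hostname check Go's TLS stack applies: the name
// must be in the SAN extension; the Subject CN is ignored once any SAN exists.
func CoversDatacenter(cert *x509.Certificate, datacenter string) error {
	return cert.VerifyHostname(ConsulServerName(datacenter))
}
```

With the four SANs from the dump, `CoversDatacenter(cert, "pl")` returns nil, so the certificate itself is acceptable; a persistent error then points at the agent still serving an older cert or at the agent's datacenter not being "pl".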

