vault status error x509 certificate is valid for 127.0.0.1, 192.168.0.10


Jack

Dec 11, 2016, 4:09:20 PM
to Vault
Hi there,

I have generated a root and intermediate certificate using the PKI backend. Then I've used the intermediate back-end to issue a new certificate like this:

$ vault write pki-intermediate/issue/vault common_name=vault ip_sans=127.0.0.1,192.168.0.10,192.168.0.11

This returns a new certificate with the following SANs:

X509v3 Subject Alternative Name:
    DNS:vault, IP Address:127.0.0.1, IP Address:192.168.0.10, IP Address:192.168.0.11

However, when I now use this certificate for Vault, it only works when connecting to localhost.

$ export VAULT_ADDR=https://127.0.0.1:8200
$ vault status 

Sealed: false

...


$ export VAULT_ADDR=https://192.168.0.10:8200
$ vault status 

Error checking seal status: Get https://192.168.0.10:8200/v1/sys/seal-status: x509: certificate is valid for 127.0.0.1, not 192.168.0.10


Is this a bug or am I missing anything? I did not specify the IP SANs when generating or signing the intermediate CA. It's my understanding that I can add the IP SANs when issuing the final certificate to use. Maybe this assumption is wrong? Do I need to specify IPs also for the intermediate?

Thanks

Jack

Dec 11, 2016, 7:39:11 PM
to Vault
Duh, never mind. I think I forgot to restart the server.
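A check for the situation in this thread, as an added example (not from the original posts or from Vault): it tells a listener still serving an older certificate apart from a certificate that really lacks the IP SAN, using Go's `crypto/x509`, the library that produces the error quoted above. `selfSigned`, `diagnose` and the throwaway certificates are constructed for illustration; in practice `served` would be the leaf certificate from the TLS handshake and `onDisk` the certificate file the server is configured with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a constructed, throwaway certificate carrying the given IP SANs.
func selfSigned(ips ...string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"vault"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// diagnose checks addr against the served certificate, then against the one on disk.
func diagnose(served, onDisk *x509.Certificate, addr string) string {
	switch err := served.VerifyHostname(addr); {
	case err == nil: // the served certificate already covers addr
		return "ok"
	case !served.Equal(onDisk) && onDisk.VerifyHostname(addr) == nil: // disk copy is newer and valid
		return "stale listener, restart or reload: " + err.Error()
	default: // neither certificate covers addr
		return "reissue with this SAN: " + err.Error()
	}
}

func main() {
	old, cur := selfSigned("127.0.0.1"), selfSigned("127.0.0.1", "192.168.0.10", "192.168.0.11")
	fmt.Println(diagnose(old, cur, "192.168.0.10"))
}
```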