Clarification on TLS and server name

aardvarq · October 28, 2020, 7:20am

Hello. I’ve just attempted to enable TLS and am failing hostname verification. I have a wildcard cert for our domain *.domain.tld and am presenting that. Consul finds the hostname correctly as consul-1.domain.tld, but verification fails with certificate is valid for *.domain.tld, not server.us-west-2a.domain.tld"

I have as part of my configuration:

"domain": "domain.tld"
"node_name": "consul-1"

The hostname is set on the host as consul-1.domain.tld.

What is generating this server.${az}.${domain} name being passed to the verification step?

aardvarq · October 29, 2020, 2:24pm

Evidently verify_server_hostname is my cuplrit here. Removing that resolved my issue.

It’s also worth noting for future readers that the domain parameter is used to declare the authoritative domain for hostname resolution, and is not germane to the SNI being presented.

Topic		Replies	Views
Consul helm tls verify_server_hostname problems Consul k8s	0	336	September 17, 2019
Verify_server_hostname doesn't work? Consul	2	112	May 14, 2024
TLS Encryption : Need Help on "x509: certificate signed by unknown authority" / Unclear documentation Consul	4	2512	September 23, 2020
Fresh Consul deployment fails readiness check for 127.0.0.1, but not for DNS name Consul	1	662	October 7, 2021
TLS certificate generation question Consul consul	1	375	August 25, 2022

Clarification on TLS and server name

Related topics