Consul cli says certificate doesn't contain any IP SANs


I’m encountering the same issue as describe in this (unsolved) topic: Cannot validate certificate for because it doesn't contain any IP SANs - #2 by aram

Error retrieving members: Get "": x509: cannot validate certificate for because it doesn't contain any IP SANs

The problem in my case is that my certificate is actually defined for ‘’ in the alternative dns names section:

        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = CO, ST = City, L = City, CN = Comp Group
            Not Before: Jul  6 18:18:19 2022 GMT
            Not After : Jul  3 18:18:19 2032 GMT
        Subject: C = CO, ST = City, L = City, O = Comp, OU = My Division, CN = comp.internal
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:*.node.comp.internal, DNS:*.co-dc-1.comp.internal, DNS:localhost, DNS:
    Signature Algorithm: ecdsa-with-SHA256

Any ideas where the issue might come from?
I’m generating the certificate myself through openssl, but I think the parameters are pretty much correct.

Ok, I think I’ve figured this out too (I only get inspired after I post, it seems).
In consul-generated certificates, the entry is called IP Address:, not DNS: I didn’t know such thing even existed. I just have to figure out how to generate this through openssl, but that should be relatively easily.

[Later edit:]
So the solution is to add to the openssl configuration file that I use to sign my csr the following:

IP.1 =