I am using Vault 1.6.0 with raft and have Cloud (AWS) auto_join working and nodes talking to each other over HTTPS, but I'm wondering why there is a requirement to embed the IP address in the subjectAltName (SAN). It makes it virtually impossible to use with DHCP and/or auto-scaling groups.
Requiring that the SSL cert have the IP address embedded seems at odds with how the public Internet works, where the Certificate Authority vouches for the authenticity of the cert. Each node is now a “pet” instead of “cattle”, to borrow that analogy, because the node has to be built and its IP known (and it cannot change) before creating and signing the CSR.
Is there some way to turn off the IP SAN requirement? Does it support wildcards? I know about -tls-skip-verify for CLI commands, but that doesn't seem to help with the server itself.
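As an added illustration (example code written for this thread, not part of Vault or the original post), here is how Go's standard-library certificate verification, which Vault's TLS stack is built on, treats the peer address: an IP peer only matches an IP SAN, while DNS and wildcard SANs match only when the client verifies against a DNS name. The helper names and the sample hostnames and addresses are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issueCert builds a short-lived self-signed test certificate (constructed
// for this example, not a Vault-issued cert) carrying the given DNS and IP
// subjectAltName entries.
func issueCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vault-node"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchesPeer reports whether a Go TLS client that verifies the peer under
// `host` (an IP literal or a DNS name, i.e. what tls.Config.ServerName
// carries) would accept this certificate's SAN entries. An IP literal is
// checked only against IP SANs; a DNS name only against DNS SANs, where a
// single-label wildcard such as *.service.internal is honoured.
func matchesPeer(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}
```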