Network Error": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field

Hi,
I have updated vault from quite old 0.10.1 version to the latest 1.13.2.
All look ok apart from an error that appears when I try to use AD authentication:

Error authenticating: Error making API request.

URL: PUT https://vault.internal:8200/v1/auth/ldap/login/chris
Code: 400. Errors:

* 1 error occurred:
        * error connecting to host "ldaps://ldaps.internal": {{err}}%!(EXTRA *ldap.Error=LDAP Result Code 200 "Network Error": tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead)

It seems that I need to replace the SSL certificate used by LDAP. But that’s not possible now.

Is there a fix or workaround for this problem?

cheers

Support for DNS names in the certificate common name has been considered deprecated for quite some time.

The escape-hatch option in Go’s TLS library to temporarily accept such certificates was entirely removed in Go 1.17, released August 2021.

Perhaps you might get away with setting the insecure_tls option on the LDAP auth method - LDAP - Auth Methods - HTTP API | Vault | HashiCorp Developer - but realistically you really should get that certificate replaced.

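To confirm whether an LDAPS server's certificate is the CN-only kind that Go 1.17+ rejects, before and after the replacement, here is an added example in Go (not code from this thread or from Vault) that applies the same rule Go's verifier uses: a certificate with no Subject Alternative Name entries falls back to the deprecated Common Name. The `ldaps.internal:636` address and the self-signed sample certificates are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// legacyCNOnly reports whether a certificate would fail Go 1.17+ hostname
// verification: it carries no SAN entries, so the Common Name is its only identity.
func legacyCNOnly(cert *x509.Certificate) bool {
	hasSAN := len(cert.DNSNames) > 0 || len(cert.IPAddresses) > 0 ||
		len(cert.EmailAddresses) > 0 || len(cert.URIs) > 0
	return !hasSAN && cert.Subject.CommonName != ""
}

// inspectLDAPS fetches the leaf certificate from host:port and classifies it.
// Verification is skipped only so the certificate can be read; nothing is trusted.
func inspectLDAPS(addr string) (bool, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return false, err
	}
	defer conn.Close()
	return legacyCNOnly(conn.ConnectionState().PeerCertificates[0]), nil
}

// selfSignedCert builds a constructed sample certificate for offline testing;
// sans == nil reproduces the legacy CN-only shape behind the error above.
func selfSignedCert(cn string, sans []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: sans, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // sample only
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	fmt.Println("CN-only sample:", legacyCNOnly(selfSignedCert("ldaps.internal", nil)))
	fmt.Println("SAN sample:", legacyCNOnly(selfSignedCert("ldaps.internal", []string{"ldaps.internal"})))
	if legacy, err := inspectLDAPS("ldaps.internal:636"); err == nil { // assumed host:port
		fmt.Println("live server CN-only:", legacy)
	}
}
```

The live check is the same shape as Vault's own connection, so a `true` result here means the LDAP auth method will keep failing until the certificate is reissued with a SAN.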

Thanks, I will get the certificate replaced.

Temporarily (for testing) I’ll use the insecure_tls parameter