TLs sertificate not valid


I am following this article Generate mTLS Certificates for Nomad using Vault | Nomad | HashiCorp Developer to configure nomad with TLS integrated with Vault.
I am trying to create my own certs to my own CN, but Nomad seems to expect default CN of “”

This is how I told Vault about the certificates

vault write -field=certificate pki/root/generate/internal \
    common_name="home.local" ttl=87600h > CA_cert.crt


vault write -format=json pki_int/intermediate/generate/internal \
    common_name="home.local Intermediate Authority" \
    ttl="43800h" | jq -r '.data.csr' > pki_intermediate.csr


vault write -format=json pki/root/sign-intermediate \
    csr=@pki_intermediate.csr format=pem_bundle \
    ttl="43800h" | jq -r '.data.certificate' > intermediate.cert.pem


vault write pki_int/roles/home-cluster allowed_domains=home.local \
    allow_subdomains=true max_ttl=86400s require_cn=false generate_lease=true

And this is the error in Nomad logs

Aug 21 02:25:35 home nomad[43310]:     2023-08-21T02:25:35.749+0200 [WARN]  nomad.stats_fetcher: error getting server health: error="rpc error: failed to get conn: tls: failed to verify certificate: x509: certificate is valid for localhost, nomad.home.local, not"

I may be wrong but it seems like Nomad expects the TLS certs to be under and does not accepts anything else.

Am I right? what is going on and how to fix this?

1 Like

Indeed, Nomad needs certificates to have some specific common names, as detailed here : Enable TLS Encryption for Nomad | Nomad | HashiCorp Developer

A server should have the CN server.region.nomad and a client should have client.region.nomad (so with the defaul global region, it’ll be and

But you can add your own custom names as alt_name

1 Like

We have same certificates on all servers and we face same issue. When we disable verify_server_hostname it works. But it’s not safe. It’s just too complicated IMHO.