<div dir="ltr">Thanks for the answer, Ingela!<div><br></div><div>Could you also advise how I generate certificates for multi-node environments? E.g. if every node has its own domain name or IP address, it might not be possible to do the hostname check? Or is it expected to use a custom verification function in every case?</div><div><br></div><div>Another question to you (since I was lucky enough to get a bit of your attention).</div><div><br></div><div>I've noticed that it's not possible to use the same certificates/keys for both client and server when you're doing {verify, verify_peer}.</div><div>E.g. if I have the following config:</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>[{server,</div><div> [</div><div> {certfile, "/Users/olegtarasenko/tls-gen/basic/result/client_certificate.pem"},</div><div> {cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},</div><div> {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/client_key.pem"},</div><div> {verify, verify_peer},</div><div> {secure_renegotiate, true}]},</div><div> {client,</div><div> [</div><div> {cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},</div><div> {certfile, "/Users/olegtarasenko/tls-gen/basic/result/client_certificate.pem"},</div><div> {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/client_key.pem"},</div><div> {verify, verify_peer},</div><div> {secure_renegotiate, true}]}].</div><div><br></div></blockquote>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div>** NOTE: I am using client_certificate.pem in the server config now</div><div><br></div></blockquote>
The system gives me: {:bad_cert, :invalid_ext_key_usage}<div><br></div><div>I was tracing it a bit and noticed the following:</div>
<blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div># 15:20:21 #PID&lt;0.2496.0&gt; :tls_connection.init/1</div><div># :ssl_certificate.is_valid_extkey_usage([{1, 3, 6, 1, 5, 5, 7, 3, 2}], :client)</div></blockquote>
Just in case, my certificates are in the attached files.<br></div><br>
<div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 24, 2020 at 9:32 PM Ingela Andin &lt;<a href="mailto:ingela.andin@gmail.com">ingela.andin@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div>Hi!</div><div><br></div><div>If you want to use wildcard certs (that is, *.<a href="http://node.com" target="_blank">node.com</a>) you must use the <span>customize_hostname_check option together with, for instance, the fun returned by public_key:pkix_verify_hostname_match_fun(http); otherwise wildcard certs will not be accepted.<br></span></div><div><span><br></span></div></div><div>Regards, Ingela, Erlang/OTP team - Ericsson AB<br></div><div dir="ltr"><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 24 Aug 2020 at 20:09, Oleg Tarasenko &lt;<a href="mailto:oltarasenko@gmail.com" target="_blank">oltarasenko@gmail.com</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hey people,<div><br></div><div>I am getting the error {:bad_cert, :hostname_check_failed} when trying to set up a cluster with different hostnames (I am running a docker network with my own DNS, which allows me to have names like <a href="http://one.node.com" target="_blank">one.node.com</a>, etc.).</div><div><br></div><div>My certificates are self-signed and are generated with the help of: <a href="https://github.com/michaelklishin/tls-gen" target="_blank">https://github.com/michaelklishin/tls-gen</a></div><div>My configuration is simple and looks like this:</div><div><br></div>
<blockquote style="margin:0px 0px 0px 40px;border:medium none;padding:0px"><div>[{server,</div><div> [</div><div> {certfile, "/Users/olegtarasenko/tls-gen/basic/result/server_certificate.pem"},</div><div> {cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},</div><div> {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/server_key.pem"},</div><div> {verify, verify_peer},</div><div> {secure_renegotiate, true}]},</div><div> {client,</div><div> [</div><div> {cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},</div><div> {certfile, "/Users/olegtarasenko/tls-gen/basic/result/client_certificate.pem"},</div><div> {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/client_key.pem"},</div><div> {verify, verify_peer},</div><div> {secure_renegotiate, true}]}].</div></blockquote>
<div><br></div><div>This setup works on localhost, when my certificate has CN=127.0.0.1. In this case, I can have nodes defined like <a href="mailto:app@127.0.0.1" target="_blank">app@127.0.0.1</a>, <a href="mailto:app2@127.0.0.1" target="_blank">app2@127.0.0.1</a>, etc.</div><div><br></div><div>However, when I am on docker, things are different. Now we have hostnames which look real, and in this case I need to understand how to define the hostname in the certificate.</div><div><br></div><div>E.g. the config above suggests that I have a client and a server. However, what if I have 3 or 5 nodes? How do I provide valid certificates for each of them? As I understand it, the hostname check will not allow me to reuse the same config?</div><div><br></div><div>Finally, I am trying to supply the CN as *.<a href="http://node.com" target="_blank">node.com</a>; however, checks are still failing. Could someone advise a solution?</div><div><br></div><div>Best regards,</div><div>Oleg</div><div><br></div></div>
</blockquote></div></div></div></div>
</blockquote></div>
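<p>The two problems in this thread (one certificate per node that passes the hostname check, and a certificate that is accepted in both the server and the client role) come down to what goes into the certificate. The OID in the trace above, 1.3.6.1.5.5.7.3.2, is id-kp-clientAuth, so a certificate carrying only that extendedKeyUsage cannot be used in the server role, which is what invalid_ext_key_usage reflects. The script below is an added example, not code from the thread or from tls-gen: it builds a throwaway CA with OpenSSL and one certificate per node, each with a DNS subjectAltName for that node's own name and an extendedKeyUsage you choose, then checks every certificate the way a peer would, once as an SSL server (chain plus hostname) and once as an SSL client. With serverAuth and clientAuth both present, the same <code>NAME_certificate.pem</code>/<code>NAME_key.pem</code> pair can go into both the server and the client option lists of the distribution config, and because each node has its own SAN no wildcard is needed (wildcards would still require customize_hostname_check; the OTP documentation spells the argument of pkix_verify_hostname_match_fun as https). The node names and the CA name are constructed placeholders.</p>

```shell
#!/bin/sh
# Added example, not code from the thread or from tls-gen. Builds a throwaway CA
# and per-node certificates with OpenSSL (tested against the openssl CLI, 1.1.1+).
# Node names such as one.node.com are constructed placeholders.

# gen_ca DIR: write a self-signed CA certificate and key into DIR.
gen_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = example-cluster-ca
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/ca.cnf" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_certificate.pem" 2>/dev/null
}

# gen_node_cert DIR NAME EKU: key plus CA-signed certificate for one node.
# NAME becomes both the CN and a DNS SAN; EKU is the extendedKeyUsage list,
# e.g. "serverAuth, clientAuth" for a node that is both server and client.
gen_node_cert() {
    dir="$1"; name="$2"; eku="$3"
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $name
EOF
    cat > "$dir/$name.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:$name
extendedKeyUsage = $eku
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/$name.cnf" \
        -keyout "$dir/${name}_key.pem" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca_certificate.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/${name}_certificate.pem" 2>/dev/null
}

# check_cert DIR NAME ROLE HOST: exit 0 when NAME's certificate chains to the CA
# and is usable for ROLE (sslserver or sslclient); for sslserver the SAN must
# also match HOST. These are the two checks behind the errors in the thread.
check_cert() {
    dir="$1"; name="$2"; role="$3"; host="$4"
    if [ "$role" = sslserver ]; then
        openssl verify -CAfile "$dir/ca_certificate.pem" -purpose sslserver \
            -verify_hostname "$host" "$dir/${name}_certificate.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/ca_certificate.pem" -purpose sslclient \
            "$dir/${name}_certificate.pem" >/dev/null 2>&1
    fi
}

# Usage: two dual-purpose node certificates, plus a clientAuth-only one that
# reproduces the invalid_ext_key_usage situation when checked as a server.
demo() {
    dir=$(mktemp -d)
    gen_ca "$dir"
    for n in one.node.com two.node.com; do
        gen_node_cert "$dir" "$n" "serverAuth, clientAuth"
    done
    gen_node_cert "$dir" client-only.node.com "clientAuth"
    for n in one.node.com two.node.com client-only.node.com; do
        for role in sslserver sslclient; do
            if check_cert "$dir" "$n" "$role" "$n"; then echo "$n $role: OK"
            else echo "$n $role: rejected"; fi
        done
    done
    echo "certificates written to $dir"
}
demo
```

<p>Point the distribution config at <code>NAME_certificate.pem</code> and <code>NAME_key.pem</code> for the node's own name in both the server and client lists, and at <code>ca_certificate.pem</code> as cacertfile everywhere; a certificate that only passes the sslclient check is the client_certificate.pem case from the thread.</p>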