Erlang distribution over TLS hostname_check_failed
Oleg Tarasenko
oltarasenko@REDACTED
Mon Aug 24 20:09:32 CEST 2020
Hey people,
I am getting the error {:bad_cert, :hostname_check_failed} when trying to
set up a cluster with different hostnames (I am running a docker network
with my own DNS which allows me to have names like one.node.com, etc).
My certificates are self-signed and are generated with help of:
https://github.com/michaelklishin/tls-gen
My configuration is simple and looks like this:
    %% ssl distribution option file: one option list for the accepting (server)
    %% side of a node and one for the connecting (client) side.
    [{server,
      [{certfile,   "/Users/olegtarasenko/tls-gen/basic/result/server_certificate.pem"},
       {cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},
       {keyfile,    "/Users/olegtarasenko/tls-gen/basic/result/server_key.pem"},
       {verify, verify_peer},
       {secure_renegotiate, true}]},
     {client,
      [{cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},
       {certfile,   "/Users/olegtarasenko/tls-gen/basic/result/client_certificate.pem"},
       {keyfile,    "/Users/olegtarasenko/tls-gen/basic/result/client_key.pem"},
       {verify, verify_peer},
       {secure_renegotiate, true}]}].
This setup works on localhost, when my certificate has CN=127.0.0.1. In
this case, I can have nodes defined like app@REDACTED, app2@REDACTED, etc.
However, when I am on docker things are different. Now we have hostnames
which look real, and in this case I need to understand how to define the
hostname in the certificate.
E.g. the config above suggests that I have a client and a server. However,
what if I have 3 or 5 nodes? How do I provide valid certificates for each
of them? E.g. as I understand it, the hostname check will not allow me to reuse
the same config?
Finally, I am trying to supply the CN as *.node.com; however, the checks are still
failing. Could someone advise a solution?
Best regards,
Oleg
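Added example (not part of the post, and not OTP's own tooling): a small Erlang module that runs the same hostname check the ssl library applies on the client side of a TLS distribution connection, once with the default matcher and once with the RFC 6125 matcher from public_key, which accepts a wildcard such as *.node.com only when it appears in a subjectAltName dNSName entry (a CN wildcard is not expanded). It also builds the client option list with customize_hostname_check set, so the distribution client uses that matcher. The module name, function names and the certificate paths are assumptions; the paths are the ones from the post.

```erlang
%% dist_cert_check.erl -- added example, not part of the original post.
%% Assumes OTP 21 or later (public_key:pkix_verify_hostname_match_fun/1).
-module(dist_cert_check).
-export([hostname_matches/2, hostname_matches_wildcard/2, client_dist_opts/3]).

%% The check the ssl client performs with {verify, verify_peer}: the node
%% host is compared against the certificate's subjectAltName dNSName
%% entries; the CN is consulted only when no SAN is present, and the
%% default matcher compares it literally (no wildcard expansion).
hostname_matches(CertPemPath, Host) ->
    public_key:pkix_verify_hostname(read_cert(CertPemPath), [{dns_id, Host}]).

%% Same check with the RFC 6125 "https" matcher, which accepts a wildcard
%% such as *.node.com, but only in a dNSName SAN, not in the CN.
hostname_matches_wildcard(CertPemPath, Host) ->
    public_key:pkix_verify_hostname(
      read_cert(CertPemPath), [{dns_id, Host}],
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]).

%% Client-side option list for the {client, ...} entry of an
%% -ssl_dist_optfile.  customize_hostname_check makes the distribution
%% client use the wildcard-aware matcher above, so one certificate whose
%% SAN carries *.node.com (or one dNSName per node host) can be reused
%% by every node in the cluster.
client_dist_opts(CaFile, CertFile, KeyFile) ->
    [{cacertfile, CaFile},
     {certfile, CertFile},
     {keyfile, KeyFile},
     {verify, verify_peer},
     {secure_renegotiate, true},
     {customize_hostname_check,
      [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}].

%% Decode the first certificate of a PEM file into an OTP certificate record.
read_cert(Path) ->
    {ok, Pem} = file:read_file(Path),
    [{'Certificate', Der, not_encrypted} | _] = public_key:pem_decode(Pem),
    public_key:pkix_decode_cert(Der, otp).

%% Usage from an Erlang shell (paths are the ones from the post, assumed):
%% 1> dist_cert_check:hostname_matches(
%%        "/Users/olegtarasenko/tls-gen/basic/result/server_certificate.pem",
%%        "one.node.com").
%% 2> dist_cert_check:hostname_matches_wildcard(
%%        "/Users/olegtarasenko/tls-gen/basic/result/server_certificate.pem",
%%        "one.node.com").
```

Running both functions against the generated server certificate shows whether the failure comes from the matcher (first call false, second true: the wildcard is in a SAN but the default matcher rejects it) or from the certificate itself (both false: the name is only in the CN, or not present at all, and the certificate needs a dNSName SAN covering the node hosts).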