Erlang distribution over TLS hostname_check_failed

Oleg Tarasenko oltarasenko@REDACTED
Tue Aug 25 09:27:57 CEST 2020


Thanks for the answer Ingela!

Could you also advise how I generate certificates for multi-node
environments? E.g. if every node has its own domain name or IP address, it
might not be possible to do the hostname check? Or is it expected to do a
custom verification function in every case?

Another question to you (since I was lucky enough to get a bit of your
attention).

I've noticed that it's not possible to use the same certificates/keys for
both client and server when you're doing {verify, verify_peer}.
E.g. if I have the following config:

[{server,
  [{certfile, "/Users/olegtarasenko/tls-gen/basic/result/client_certificate.pem"},
   {cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},
   {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/client_key.pem"},
   {verify, verify_peer},
   {secure_renegotiate, true}]},
 {client,
  [{cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},
   {certfile, "/Users/olegtarasenko/tls-gen/basic/result/client_certificate.pem"},
   {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/client_key.pem"},
   {verify, verify_peer},
   {secure_renegotiate, true}]}].

** NOTE: I am using client_certificate.pem in the server config now.

The system gives me {:bad_cert, :invalid_ext_key_usage}

I was tracing it a bit and noticed the following:

# 15:20:21 #PID<0.2496.0> :tls_connection.init/1
# :ssl_certificate.is_valid_extkey_usage([{1, 3, 6, 1, 5, 5, 7, 3, 2}], :client)

Just in case, my certificates are in the attached files.



On Mon, Aug 24, 2020 at 9:32 PM Ingela Andin <ingela.andin@REDACTED> wrote:

> Hi!
>
> If you want to use wildcard certs (that is *.node.com) you must use the customize_hostname_check
> option together with, for instance, the fun returned by
> public_key:pkix_verify_hostname_match_fun(http); otherwise wildcard certs
> will not be accepted.
>
> Regards Ingela Erlang/OTP team - Ericsson AB
>
> On Mon, 24 Aug 2020 at 20:09, Oleg Tarasenko <oltarasenko@REDACTED
> > wrote:
>
>> Hey people,
>>
>> I am getting the error {:bad_cert, :hostname_check_failed} when trying to
>> set up a cluster with different hostnames (I am running a docker network
>> with my own DNS which allows me to have names like one.node.com, etc).
>>
>> My certificates are self-signed and are generated with help of:
>> https://github.com/michaelklishin/tls-gen
>> My configuration is simple and looks like this:
>>
>> [{server,
>>   [{certfile, "/Users/olegtarasenko/tls-gen/basic/result/server_certificate.pem"},
>>    {cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},
>>    {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/server_key.pem"},
>>    {verify, verify_peer},
>>    {secure_renegotiate, true}]},
>>  {client,
>>   [{cacertfile, "/Users/olegtarasenko/tls-gen/basic/result/ca_certificate.pem"},
>>    {certfile, "/Users/olegtarasenko/tls-gen/basic/result/client_certificate.pem"},
>>    {keyfile, "/Users/olegtarasenko/tls-gen/basic/result/client_key.pem"},
>>    {verify, verify_peer},
>>    {secure_renegotiate, true}]}].
>>
>>
>> This setup works on localhost, when my certificate has CN=127.0.0.1. In
>> this case, I can have nodes defined like app@REDACTED, app2@REDACTED,
>> etc.
>>
>> However, when I am on docker things are different. Now we have hostnames
>> which look real. And in this case, I need to understand how to define the
>> hostname in the certificate.
>>
>> E.g. the config above suggests that I have a client and a server. However,
>> what if I have 3 or 5 nodes? How do I provide valid certificates for each
>> of them? E.g. as I understand it, the hostname check will not allow me to
>> reuse the same config?
>>
>> Finally, I am trying to supply CN as *.node.com; however, checks are
>> still failing. Could someone advise a solution?
>>
>> Best regards,
>> Oleg
>>
>>
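An added diagnostic module (not code from the thread, from OTP, or from tls-gen) that runs the two checks behind the errors discussed above against a certificate file: the distribution hostname check, both with the default strict matching and with the wildcard-aware match fun from public_key (the https protocol variant), and the extended key usage check that produces invalid_ext_key_usage when a clientAuth-only certificate is used on the server side. It assumes OTP 21 or later and a PEM path and node hostname you supply.

```erlang
%% dist_cert_check.erl -- added example; assumes OTP 21+ for
%% public_key:pkix_verify_hostname/3.
-module(dist_cert_check).
-export([check/2]).
-include_lib("public_key/include/public_key.hrl").

%% check(PemFile, NodeHost) reports, for the first certificate in PemFile,
%% whether the hostname check passes for NodeHost (strict and wildcard-aware)
%% and whether the EKU extension lets the cert serve as both server and client,
%% which is what reusing one file on both sides of the distribution requires.
check(PemFile, NodeHost) when is_list(NodeHost) ->
    {ok, Pem} = file:read_file(PemFile),
    [{'Certificate', Der, not_encrypted} | _] =
        [E || {'Certificate', _, _} = E <- public_key:pem_decode(Pem)],
    Cert = public_key:pkix_decode_cert(Der, otp),
    RefIds = [{dns_id, NodeHost}],
    %% Default matching accepts no wildcards, so CN/SAN "*.node.com"
    %% does not match "one.node.com" here.
    Strict = public_key:pkix_verify_hostname(Cert, RefIds),
    %% The same matching ssl applies when customize_hostname_check is given
    %% this match fun: the leftmost-label wildcard is accepted.
    Wild = public_key:pkix_verify_hostname(
             Cert, RefIds,
             [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]),
    Eku = ext_key_usage(Cert),
    #{hostname_strict   => Strict,
      hostname_wildcard => Wild,
      ext_key_usage     => Eku,
      %% A client-only cert carries just clientAuth (1.3.6.1.5.5.7.3.2),
      %% which is exactly what the trace in the thread shows being rejected.
      usable_both_ways  => lists:member(serverAuth, Eku)
                           andalso lists:member(clientAuth, Eku)}.

%% Pull the decoded extKeyUsage OID list out of the certificate, if present.
ext_key_usage(#'OTPCertificate'{tbsCertificate =
                                #'OTPTBSCertificate'{extensions = Exts}})
  when is_list(Exts) ->
    case lists:keyfind(?'id-ce-extKeyUsage', #'Extension'.extnID, Exts) of
        false -> [];  %% no EKU extension: no purpose restriction
        #'Extension'{extnValue = Oids} -> [eku_name(O) || O <- Oids]
    end;
ext_key_usage(_) -> [].  %% extensions = asn1_NOVALUE

eku_name(?'id-kp-serverAuth') -> serverAuth;
eku_name(?'id-kp-clientAuth') -> clientAuth;
eku_name(Oid) -> Oid.
```

Running dist_cert_check:check("client_certificate.pem", "one.node.com") on the thread's client file would show usable_both_ways => false, while the node's own cert should report true and hostname_wildcard => true once a wildcard name is in use.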