I am trying to set up SSL for gRPC, but no matter what I try I get a "No subject alternative names present" error. I've verified the SANs are in the certificate signing request. The common name and also a SAN are the IP address. I am trying to connect using the IP address. The exception I get is:

Caused by: java.security.cert.CertificateException: No subject alternative names present
    at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:137)
    at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:96)

The text of my csr follows:

[sysadmin@rit5 san]$ openssl req -in my.csr -noout -text
    Certificate Request:
Data:
    Version: 0 (0x0)
    Subject: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (2048 bit)
            Modulus:
                00:b9:1d:0c:80:ee:b3:20:06:df:6e:f1:04:e5:10:
                54:5d:70:07:fd:68:25:33:12:37:73:98:45:8b:35:
                ba:cf:9b:7c:63:82:0a:e2:16:0d:33:36:10:dd:b5:
                f9:21:da:04:8c:18:15:77:e2:65:72:e8:c9:6e:01:
                dc:47:48:53:ce:45:c9:a9:f1:9d:d0:0f:a7:cb:d5:
                5b:55:eb:b4:38:cb:50:5d:51:c2:bb:65:f6:76:09:
                76:8d:34:0a:c6:35:95:e3:0f:8f:71:be:73:22:78:
                84:26:4f:5e:d3:6a:2c:69:b4:57:e1:fc:37:47:e6:
                56:80:6c:bf:7a:97:78:20:17:22:d0:fc:c6:0c:17:
                0b:dc:23:8f:0e:8a:cb:48:6d:a6:0c:ce:4b:24:54:
                66:82:d0:29:dd:bf:5b:5f:cd:b8:f3:2f:3a:40:09:
                cd:84:6c:2f:74:60:74:e2:3a:13:b9:2e:5c:df:39:
                a3:47:07:96:5a:ed:be:14:71:42:58:6b:53:77:a2:
                af:0a:6d:c3:57:ba:e0:95:ed:55:78:2f:21:cc:af:
                95:e7:de:50:3d:7d:7e:29:4e:ed:bf:9e:14:36:0e:
                71:a3:e4:79:03:12:cd:55:c3:77:00:0f:02:2d:d1:
                e6:2f:a5:b0:3e:62:76:4e:bd:2a:33:56:76:8f:8d:
                2f:b5
            Exponent: 65537 (0x10001)
    Attributes:
    Requested Extensions:
        X509v3 Key Usage: 
            Key Encipherment, Data Encipherment
        X509v3 Extended Key Usage: 
            TLS Web Server Authentication
        X509v3 Subject Alternative Name: 
            DNS:172.28.4.89, DNS:rit5.mycompany.com, DNS:rit5
Signature Algorithm: sha512WithRSAEncryption
     17:18:63:dc:d9:84:90:da:de:b6:8e:82:ce:84:6a:a3:5d:11:
     87:37:2b:e7:56:6e:e5:ea:42:11:4c:8f:66:28:8b:44:4f:0a:
     b9:89:d9:67:86:f4:0f:8a:44:b8:b2:87:62:65:c2:9c:7a:08:
     bf:74:4a:b3:f4:35:82:45:50:7f:3f:ab:c4:97:60:59:99:8c:
     8e:8b:12:0f:3b:dd:2a:6d:a9:be:06:8a:70:e7:e6:08:22:57:
     89:e8:c0:86:f1:26:dc:23:08:aa:ab:2f:07:0d:0b:78:0b:3d:
     d9:ce:ac:92:32:80:81:18:25:17:d4:04:22:e2:f9:f2:96:b1:
     be:76:96:0c:70:39:cf:64:d3:7d:66:b9:f8:b5:20:18:17:66:
     a4:f8:26:a7:02:42:0e:9f:6f:1e:4c:19:1d:d5:19:7b:17:0c:
     64:45:34:d0:12:af:e1:8e:9d:e1:ce:84:49:54:87:78:c9:ba:
     10:f0:65:5b:0e:f4:4f:3f:91:de:cc:46:36:fa:45:ff:0d:7a:
     a4:c7:9b:b7:82:f6:b0:3b:c4:f3:9f:45:94:43:a8:ad:ae:e2:
     e2:a2:66:59:d1:5e:b2:ee:a6:55:90:27:4c:57:c8:04:4b:30:
     bd:02:bf:e5:3e:7c:b1:c6:0f:04:50:f5:96:76:37:bb:ed:7a:
     ba:3c:7c:07

The config file I used to create the csr and key is here

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
C = US
ST = TX
L = Austin
O = MYCOMPANY
OU = MYUNIT
CN = 172.28.4.89

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = 172.28.4.89
DNS.2 = rit5.mycompany.com
DNS.3 = rit5

To generate the csr I used the following command

openssl req -new -out my.csr -newkey rsa:2048 -nodes -sha512 -keyout my-private-key.pem -config ssl.ext

To self-sign it I used the following command

 openssl x509 \
        -signkey my-private-key.pem \
        -in my.csr \
        -req -days 365 -out my-public-key-cert.pem

I'm at my wits' end. Any help would be appreciated. The certificate is generated without the SANs.

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            c7:af:ad:c2:98:be:7b:c1
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Validity
            Not Before: Jun  5 20:26:00 2020 GMT
            Not After : Jun  5 20:26:00 2021 GMT
        Subject: C=US, ST=TX, L=Austin, O=MYCOMPANY, OU=MYUNIT, CN=172.28.4.89
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b9:1d:0c:80:ee:b3:20:06:df:6e:f1:04:e5:10:
                    54:5d:70:07:fd:68:25:33:12:37:73:98:45:8b:35:
                    ba:cf:9b:7c:63:82:0a:e2:16:0d:33:36:10:dd:b5:
                    f9:21:da:04:8c:18:15:77:e2:65:72:e8:c9:6e:01:
Jeff Gaer
  • Does this answer your question? [Missing X509 extensions with an openssl-generated certificate](https://security.stackexchange.com/questions/150078/missing-x509-extensions-with-an-openssl-generated-certificate). Apart from that, the type of an IP address as SAN should be IP and not DNS. – Steffen Ullrich Jun 05 '20 at 21:18
  • Yes, thanks; see the answer I posted below. – Jeff Gaer Jun 07 '20 at 12:04

1 Answer

Found the answer in a related post: Missing X509 extensions with an openssl-generated certificate

I needed to add -extensions v3_req to the signing request

 openssl x509 -extensions v3_req \
        -signkey my-private-key.pem \
        -in my.csr \
        -req -days 365 -out my-public-key-cert.pem -extfile ssl.ext

Jeff Gaer
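
The behaviour described in the answer, reproduced end to end as an added example (not part of the original posts): by default `openssl x509 -req` does not carry the CSR's requested extensions into the certificate, so the SAN only appears when `-extfile` and `-extensions` are passed. The config follows the comment's advice and declares the address as an `IP` SAN; the temporary directory, file names and shortened subject are constructed for the example.

```shell
#!/bin/sh
# Added example: compare a self-signed cert made with and without -extfile.
set -e
WORK=$(mktemp -d)   # constructed scratch directory

# Constructed config: same layout as the question's ssl.ext, but the
# address is an IP-type SAN instead of a DNS-type one.
cat > "$WORK/ssl.ext" <<'EOF'
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = 172.28.4.89

[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
IP.1 = 172.28.4.89
DNS.1 = rit5.mycompany.com
DNS.2 = rit5
EOF

# Key and CSR; the CSR holds v3_req only as *requested* extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ssl.ext" \
    -keyout "$WORK/key.pem" -out "$WORK/my.csr" 2>/dev/null

# sign_csr OUTFILE [extra x509 options...]: self-sign the CSR.
sign_csr() {
    out=$1; shift
    openssl x509 -req -days 365 -in "$WORK/my.csr" -signkey "$WORK/key.pem" \
        -out "$out" "$@" 2>/dev/null
}

# san_of CERT: print the certificate's SAN values, or nothing if it has none.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

sign_csr "$WORK/without.pem"                                        # SAN dropped
sign_csr "$WORK/with.pem" -extfile "$WORK/ssl.ext" -extensions v3_req

echo "without -extfile: [$(san_of "$WORK/without.pem")]"
echo "with    -extfile: [$(san_of "$WORK/with.pem")]"
```

Running the same `san_of` check against a certificate before deploying it catches the missing-SAN case before a TLS client's hostname check does.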