
I have a certificate that has CN=*.some.domain and then alternate names DNS:*.sub1.some.domain, DNS:*.sub2.some.domain (and 2 more like this).

I provided the certificate to an nginx-ingress in kubernetes, which serves host.some.domain, and it is giving me this error:

controller.go:1041] unexpected error validating SSL certificate default/tls-cert for host dwarf30.epiqa.certicon.cz. Reason: x509: certificate is valid for *.sub1.some.domain, *.sub2.some.domain, not host.some.domain

The message notably fails to mention the Common Name, it only lists the alternates.

Is it my misunderstanding of how CN and Alternates interact, or is it an issue in the nginx-ingress controller (note: helm insists on installing the rather old version 0.13.0 of the container)?

Jan Hudec

1 Answer


RFC 2818, which standardized HTTPS (HTTP over TLS) back in 2000, already clearly says:

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity.

Since you have DNS names as Subject Alternative Names, the CN will be ignored. Note that the use of CN instead of Subject Alternative Names has been deprecated for years, and some browsers (specifically Chrome) will only look at Subject Alternative Names and fail if no SAN exists, even if the CN might match the domain.

Steffen Ullrich
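The rule in the answer can be reproduced directly against Go's crypto/x509 package, which is the code that produced the "x509: certificate is valid for ..., not ..." message in the question (the ingress controller is written in Go). The program below is an added example and is not code from the question, the answer, or the nginx-ingress project. It builds a throwaway self-signed certificate with the same shape as the one described (CN=*.some.domain, SANs *.sub1.some.domain and *.sub2.some.domain; all names are the question's placeholders) and asks VerifyHostname whether the certificate is accepted for a host under the CN's domain and for hosts under the SAN domains. The function names makeCert, HostnameMatches and CheckSANRule are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a short-lived self-signed certificate with the given
// Common Name and DNS Subject Alternative Names. It exists only for this
// demonstration; the names passed in are placeholders, not real hosts.
func makeCert(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans, // becomes the subjectAltName dNSName entries
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Template is also the parent, so the certificate is self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches reports whether crypto/x509 accepts the certificate for
// host. VerifyHostname is the same identity check the ingress controller's
// error message comes from; it looks only at the SAN dNSName entries when
// any are present.
func HostnameMatches(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// CheckSANRule reproduces the certificate shape from the question
// (CN=*.some.domain plus two wildcard SANs) and returns, per candidate
// host, whether the certificate is considered valid for it.
func CheckSANRule() (map[string]bool, error) {
	cert, err := makeCert("*.some.domain",
		[]string{"*.sub1.some.domain", "*.sub2.some.domain"})
	if err != nil {
		return nil, err
	}
	hosts := []string{
		"host.some.domain",      // covered only by the CN wildcard
		"host.sub1.some.domain", // covered by a SAN wildcard
		"host.sub2.some.domain", // covered by a SAN wildcard
	}
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = HostnameMatches(cert, h)
	}
	return out, nil
}

func main() {
	res, err := CheckSANRule()
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"host.some.domain", "host.sub1.some.domain", "host.sub2.some.domain"} {
		fmt.Printf("%-24s accepted: %v\n", h, res[h])
	}
	// Show the verifier's own wording for the CN-only host, which matches
	// the style of the message quoted in the question.
	cert, _ := makeCert("*.some.domain", []string{"*.sub1.some.domain", "*.sub2.some.domain"})
	fmt.Println("error for host.some.domain:", cert.VerifyHostname("host.some.domain"))
}
```

Running it prints that host.some.domain is rejected while the two sub-domain hosts are accepted, and the rejection error lists only the SAN names, exactly as in the controller log. The practical fix on the certificate side is to add *.some.domain (or the concrete host) as an additional dNSName SAN rather than relying on the CN.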