A self-signed certificate works well; the command used to generate it on an Ubuntu machine is:
openssl req -x509 -newkey rsa:4096 -keyout private.key -out cert.crt -days 365 -nodes
If the client side uses an IP address instead of the domain name, it would fail.
To make the IP address work, following the instructions from this previous question and answer about a failed handshake due to the certificate not containing any IP SANs, the /etc/ssl/openssl.cnf file is modified to have subjectAltName = IP:192.168.2.107 added to the [v3_ca] section.
This change makes the IP address work well; however, the domain name does not work anymore. The error message is:
x509: certificate is not valid for any names, but wanted to match yoursubdomain.yourdomain.com
Another source about SANs basically suggests the same, without a clear hint on how to make both the IP address and DNS work at the same time.
How can both the IP address and the domain name work together?
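The following is an added example, not part of the original question: once a certificate carries a subjectAltName extension, clients match only against the entries listed there, so the DNS name has to be listed next to the IP address. The sketch writes a separate config file rather than editing /etc/ssl/openssl.cnf, generates the certificate with the command from the question, and checks both names with `openssl x509 -checkhost` / `-checkip`. The file name san.cnf and the function names make_cert, cert_matches and demo are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: generate a self-signed certificate whose SAN extension lists
# both a DNS name and an IP address, then verify that both match.

make_cert() {  # usage: make_cert OUTDIR DNS_NAME IP_ADDR
    out=$1 dns=$2 ip=$3
    # Minimal stand-alone config (hypothetical file name san.cnf).
    cat > "$out/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no

[dn]
CN = $dns

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $dns
IP.1  = $ip
EOF
    openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
        -config "$out/san.cnf" \
        -keyout "$out/private.key" -out "$out/cert.crt" 2>/dev/null
}

# Succeeds only if the certificate matches both the DNS name and the IP.
cert_matches() {  # usage: cert_matches CERT DNS_NAME IP_ADDR
    res=$(openssl x509 -in "$1" -noout -checkhost "$2" -checkip "$3")
    echo "$res" | grep -q "^Hostname .* does match" &&
        echo "$res" | grep -q "^IP .* does match"
}

demo() {  # builds a certificate for the question's names in a temp directory
    d=$(mktemp -d) || return 1
    make_cert "$d" yoursubdomain.yourdomain.com 192.168.2.107 &&
        cert_matches "$d/cert.crt" yoursubdomain.yourdomain.com 192.168.2.107
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = "demo" ]; then demo && echo "both names match"; fi
```

Run the script with the argument `demo` to exercise it. The one-line equivalent inside an existing config section is `subjectAltName = DNS:yoursubdomain.yourdomain.com, IP:192.168.2.107`.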