I don't know much about certificates but I could not understand why you used "server.dc1.cluster.local" as CN and hosts. Where did you get this URL from? Wasn't it supposed to be the server URL? Something more like consul.$(NAMESPACE).svc.cluster.local where $(NAMESPACE) I should replace with the namespace?
Thanks in advance,
Paulo Leal
The reason "server.dc1.cluster.local" is there is because the "verify_server_hostname" option is enabled in the config.
verify_server_hostname - If set to true, Consul verifies for all outgoing connections that the TLS certificate presented by the servers matches "server.<datacenter>.<domain>" hostname. This implies verify_outgoing. By default, this is false, and Consul does not verify the hostname of the certificate, only that it is signed by a trusted CA. This setting is important to prevent a compromised client from being restarted as a server, and thus being able to perform a MITM attack or to be added as a Raft peer. This is new in 0.5.1. https://www.consul.io/docs/agent/options.html#verify_server_hostname
The default name of the Consul datacenter is "dc1", the Kubernetes domain is "cluster.local".
Personally, I would include that name as a SAN in my SSL certificate, and not as a CN.
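To make the point above concrete, here is an added example (not code from this issue or from the Consul project) that models the name check verify_server_hostname performs, so a certificate can be checked before it is mounted into the cluster. The config keys "datacenter", "domain", "verify_server_hostname" and "verify_outgoing" are real Consul agent options; the SAN lists and the `cfg` dict are constructed for the example, and the wildcard rule follows Go's crypto/x509 hostname matching, which Consul's TLS stack uses.

```python
CONSUL_DEFAULT_DC = "dc1"
CONSUL_DEFAULT_DOMAIN = "consul"  # Consul's own default; the Kubernetes setup in this thread uses cluster.local


def expected_server_name(config: dict) -> str:
    """The name verify_server_hostname looks for: server.<datacenter>.<domain>."""
    dc = config.get("datacenter", CONSUL_DEFAULT_DC)
    domain = config.get("domain", CONSUL_DEFAULT_DOMAIN).rstrip(".")
    return f"server.{dc}.{domain}"


def effective_tls(config: dict) -> dict:
    """verify_server_hostname implies verify_outgoing, as the Consul docs state."""
    vsh = bool(config.get("verify_server_hostname", False))
    return {"verify_server_hostname": vsh,
            "verify_outgoing": vsh or bool(config.get("verify_outgoing", False))}


def _name_match(pattern: str, host: str) -> bool:
    # Go crypto/x509 hostname rule (what Consul's Go TLS stack applies): labels are
    # compared case-insensitively, a leading "*" label matches exactly one label.
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    for i, (pl, hl) in enumerate(zip(p, h)):
        if pl == "*" and i == 0 and hl:
            continue
        if pl != hl:
            return False
    return True


def san_satisfies(san_dns_names: list, expected: str) -> bool:
    """True if some DNS SAN matches the expected name; matching is on SANs, not the CN."""
    return any(_name_match(san, expected) for san in san_dns_names)


def missing_sans(san_dns_names: list, config: dict) -> list:
    """Names the server cert still needs before agents with this config will connect."""
    if not effective_tls(config)["verify_server_hostname"]:
        return []
    expected = expected_server_name(config)
    return [] if san_satisfies(san_dns_names, expected) else [expected]


if __name__ == "__main__":
    cfg = {"datacenter": "dc1", "domain": "cluster.local", "verify_server_hostname": True}
    # Constructed SAN list: only the Kubernetes Service name, as asked about in the issue.
    print(missing_sans(["consul.default.svc.cluster.local"], cfg))  # ['server.dc1.cluster.local']
```

A certificate that carries both the Service name and server.dc1.cluster.local as SANs passes the check while still matching the name clients use inside the namespace.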