After updating certificates of existing etcd nodes from ip in san to Dns we are getting error #15917
Comments
Hi @Singh02306 - Thanks for raising this question. For us to investigate any further can you please provide:
I note there is some related discussion for issues around subject alternative names here which might be of interest: #8603.
Hi @jmhbnz

etcd 3.4.13

```yaml
  key-file: /certs/etcd1.key
  client-cert-auth: true
  trusted-ca-file: /certs/hCA.crt
  auto-tls: false
peer-transport-security:
  cert-file: /certs/etcd1.pem
  key-file: /certs/etcd1.key
  trusted-ca-file: /certs/hCA.crt
  auto-tls: false
```

my old config was like below:

Error: x509: cannot validate certificate for 10.0.219.57 because it doesn't contain any IP SANs"}
Same config on the other two nodes as well, just the location and IP/DNS change.
Hi @Singh02306 - Thanks for providing some of the information. Can you also please provide:
You can redact some fields if necessary. Additionally, this is a tangent, but the release of etcd you are running is three years old. Many bugs and security vulnerabilities have been addressed in later versions of etcd; you should update as soon as possible.
Hi @jmhbnz, updated the etcd version to 3.5.0, still the same error. Sorry, certificate contents I won't be able to update here.
Thanks for the update @Singh02306, please try the latest 3.5.x release. For the certificate, I'm not asking you to post the whole thing; you can convert it to text with
Hi @jmhbnz, contents of the cert:
X509v3 extensions:
Thanks @Singh02306 - You mention updating to
This issue has been automatically marked as stale because it has not had recent activity. It will be closed after 21 days if no further activity occurs. Thank you for your contributions.
What would you like to be added?
We recently updated our certificates for the etcd members, and the new certificate doesn't contain an IP in the SAN. While starting the etcd nodes, an error is coming that the certificate doesn't have an IP SAN.
If we change the data directory and then start the nodes with the certs, the cluster is coming up fine.
Why is this needed?
How do we make etcd work in this scenario?
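The error quoted in this thread is the exact text produced by Go's crypto/x509 hostname verifier, which etcd relies on for its TLS connections: an IP literal is matched only against IP SAN entries, never against DNS SAN entries (RFC 6125), so a member that dials a peer at an IP address and receives a certificate carrying only DNS names is rejected. Each member dials the others at the peer URLs recorded in the cluster membership stored in its data directory, which is why an empty data directory (a fresh cluster whose members are registered with the new URLs) "works" while the existing cluster does not; changing a member's registered peer URLs in place is what `etcdctl member update --peer-urls` is for. The program below is an added example and is not etcd project code or anything posted in the issue. It mints a throwaway CA and leaf certificate (the name `etcd1.example.internal` is assumed; the address `10.0.219.57` is taken from the error in the thread) and runs the same verification a client performs, once for a DNS-only certificate and once for one that keeps an IP SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert builds a throwaway CA and a leaf certificate signed by it that
// carries exactly the given DNS and IP SANs. Everything here is constructed
// test material, not the reporter's certificates or hosts.
func issueCert(dnsNames []string, ips []net.IP) (*x509.Certificate, *x509.CertPool, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "etcd1"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     dnsNames, // the "DNS:" entries openssl -text prints
		IPAddresses:  ips,      // the "IP Address:" entries
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return leaf, pool, nil
}

// verifyFor performs the check crypto/tls applies when a client dials host and
// the server presents leaf: chain validation followed by hostname matching.
// An IP literal is compared only with IP SANs, so a DNS-only certificate fails
// here even though it chains correctly. Returns the error text, "" on success.
func verifyFor(leaf *x509.Certificate, pool *x509.CertPool, host string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return err.Error()
	}
	return ""
}

// sans lists the certificate's SAN entries in the form openssl prints them,
// which is what the maintainer asked the reporter to check.
func sans(c *x509.Certificate) []string {
	var out []string
	for _, d := range c.DNSNames {
		out = append(out, "DNS:"+d)
	}
	for _, ip := range c.IPAddresses {
		out = append(out, "IP Address:"+ip.String())
	}
	return out
}

func main() {
	const name, ip = "etcd1.example.internal", "10.0.219.57"
	dnsOnly, pool, err := issueCert([]string{name}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("DNS-only cert SANs:", sans(dnsOnly))
	fmt.Printf("dial by IP   -> %q\n", verifyFor(dnsOnly, pool, ip))
	fmt.Printf("dial by name -> %q\n", verifyFor(dnsOnly, pool, name))
	withIP, pool, err := issueCert([]string{name}, []net.IP{net.ParseIP(ip)})
	if err != nil {
		panic(err)
	}
	fmt.Println("cert keeping an IP SAN:", sans(withIP))
	fmt.Printf("dial by IP   -> %q\n", verifyFor(withIP, pool, ip))
}
```

Run it with `go run .`: the first IP dial reports `x509: cannot validate certificate for 10.0.219.57 because it doesn't contain any IP SANs`, the dial by DNS name passes, and the certificate that keeps an IP SAN passes for the IP as well. The two ways out of the situation in the thread follow directly: either every URL the members use to reach each other is a DNS name present in the certificate, or the certificate keeps the member's IP in its SAN list alongside the DNS name.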