TLS : SAN validation


I’m using Mongodb Community kubernetes operator and came across a TLS error while starting the server.

I’ve configured CA and Server certificates as secrets. And server certificate includes SAN entires - (*.svc.cluster.local, localhost). As per standard, SAN allows wildcard characters, and if SAN is available, it is preferred over CN of a certificate.

Mongodb-agent container throws the below error:
[2024-02-12T09:31:32.303+0000] [.warn] [src/mongoclientservice/mongoclientservice.go:logCertificateErrorIfNeeded:1241] [09:31:32.303] encountered a certificate issue trying to connect to mongodb-0.mongodb-svc.mongodb.svc.cluster.local:27017 (local=false) via TLS : [09:31:32.303] TLS attempt failed : x509: certificate is valid for *.svc.cluster.local, localhost, not mongodb-0.mongodb-svc.mongodb.svc.cluster.local

When I added SAN entry with *.mongodb-svc.mongodb.svc.cluster.local , it works fine.

But shouldn’t this entry of *.svc.cluster.local sufficient for the validation. Why the value of replica-set and namespace needed in Server certificate SAN entry ?

Wildcard certificates are not recursive. This is expected behaviour.

Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., matches but
not f
.com matches but not