TLS : SAN validation

Hello,

I’m using Mongodb Community kubernetes operator and came across a TLS error while starting the server.

I’ve configured CA and Server certificates as secrets. And server certificate includes SAN entries - (*.svc.cluster.local, localhost). As per standard, SAN allows wildcard characters, and if SAN is available, it is preferred over CN of a certificate.

Mongodb-agent container throws the below error:
[2024-02-12T09:31:32.303+0000] [.warn] [src/mongoclientservice/mongoclientservice.go:logCertificateErrorIfNeeded:1241] [09:31:32.303] encountered a certificate issue trying to connect to mongodb-0.mongodb-svc.mongodb.svc.cluster.local:27017 (local=false) via TLS : [09:31:32.303] TLS attempt failed : x509: certificate is valid for *.svc.cluster.local, localhost, not mongodb-0.mongodb-svc.mongodb.svc.cluster.local

When I added SAN entry with *.mongodb-svc.mongodb.svc.cluster.local , it works fine.

But shouldn’t this entry of *.svc.cluster.local be sufficient for the validation? Why are the values of the replica set and namespace needed in the Server certificate SAN entry?

Wildcard certificates are not recursive. This is expected behaviour.

https://en.wikipedia.org/wiki/Wildcard_certificate

https://datatracker.ietf.org/doc/html/rfc2818#page-5

Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
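The agent's error text ("x509: certificate is valid for ..., not ...") is the hostname-mismatch error produced by Go's crypto/x509 package, so the single-label wildcard rule can be checked directly against that verifier. The program below is an added example, not code from the thread or from the MongoDB operator: it builds a throwaway self-signed certificate with a chosen list of DNS SANs (the makeCert helper is constructed for this example) and asks x509.Certificate.VerifyHostname whether the replica-set member name from the question would be accepted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a short-lived self-signed certificate carrying the given
// DNS SAN entries. It exists only so that VerifyHostname has something to
// check; it is not how the operator issues certificates.
func makeCert(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example-server"}, // CN is ignored once SANs are present
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches reports whether a certificate whose SAN list is `sans`
// would be accepted for `host` by Go's x509 hostname verification, i.e. the
// same check that produced the agent's "certificate is valid for ..." error.
func HostnameMatches(sans []string, host string) (bool, error) {
	cert, err := makeCert(sans)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	// Hostname from the question: pod name, service, namespace, cluster suffix.
	member := "mongodb-0.mongodb-svc.mongodb.svc.cluster.local"

	cases := []struct {
		sans []string
		host string
	}{
		// The original SAN list: wildcard is three labels too short.
		{[]string{"*.svc.cluster.local", "localhost"}, member},
		// The SAN list that worked: wildcard covers exactly the pod-name label.
		{[]string{"*.mongodb-svc.mongodb.svc.cluster.local"}, member},
		// A name the short wildcard does match: one label before the suffix.
		{[]string{"*.svc.cluster.local"}, "foo.svc.cluster.local"},
		// The wildcard never matches zero labels either.
		{[]string{"*.svc.cluster.local"}, "svc.cluster.local"},
	}
	for _, c := range cases {
		ok, err := HostnameMatches(c.sans, c.host)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("SANs %-45v host %-48s -> %v\n", c.sans, c.host, ok)
	}
}
```

One caveat worth knowing when reading the RFC 2818 quote above: Go only honours a wildcard that is the entire leftmost label, so a partial-label pattern such as f*.com is treated as a literal name and matches nothing, even though RFC 2818 permits that form. For a Kubernetes service the practical consequence is the one the question already found: the SAN must spell out the service and namespace labels, with the wildcard standing in for the pod-name label only.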