Hello,
I’m using the MongoDB Community Kubernetes Operator and came across a TLS error while starting the server.
I’ve configured the CA and server certificates as secrets, and the server certificate includes the SAN entries (*.svc.cluster.local, localhost). As per the standard, a SAN allows wildcard characters, and if a SAN is present, it is preferred over the CN of a certificate.
Mongodb-agent container throws the below error:
[2024-02-12T09:31:32.303+0000] [.warn] [src/mongoclientservice/mongoclientservice.go:logCertificateErrorIfNeeded:1241] [09:31:32.303] encountered a certificate issue trying to connect to mongodb-0.mongodb-svc.mongodb.svc.cluster.local:27017 (local=false) via TLS : [09:31:32.303] TLS attempt failed : x509: certificate is valid for *.svc.cluster.local, localhost, not mongodb-0.mongodb-svc.mongodb.svc.cluster.local
When I added a SAN entry for *.mongodb-svc.mongodb.svc.cluster.local, it works fine.
But shouldn’t the entry *.svc.cluster.local be sufficient for the validation? Why are the replica set name and the namespace needed in the server certificate’s SAN entry?