juju client cannot connect to controllers configured with an autocert-dns-name
Bug #1830019 reported by Martin Hilton
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Triaged | Low | Unassigned |
Bug Description
If a controller is bootstrapped with a DNS name using --config autocert-dns-name then a client cannot create a secure connection to that server using that name. This seems to be because the client resolves the hostname to an IP address before requesting the HTTPS certificate and does not include the original hostname in the certificate request. The server only serves the correct signed certificate if SNI indicates it was requested for the specified hostname; the client therefore never receives a certificate with an authorized chain back to a root CA, and rightly refuses to connect.
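The SNI behaviour described in the report, shown with Go's crypto/tls as an added example (not Juju's code and not part of the original report): a loopback listener records the server_name it receives when a client dials an IP address, first with no name configured and then with the original hostname set in tls.Config.ServerName. The hostname controller.example.test and the helper SentSNI are constructed for the illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

const dnsName = "controller.example.test" // constructed stand-in for the autocert-dns-name value

// SentSNI connects to a loopback TLS listener by IP address, as a client that resolved
// the hostname first would, and returns the server_name seen in the ClientHello.
func SentSNI(serverName string) (string, error) {
	seen := make(chan string, 1)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		// An SNI-keyed certificate lookup is handed exactly this value; no certificate is needed here.
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			seen <- h.ServerName
			return nil, errors.New("stopped after recording SNI")
		},
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // reads the ClientHello, then fails as intended
			c.Close()
		}
	}()
	// The dial target is the IP address in both cases; only ServerName differs.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: serverName})
	if err == nil {
		conn.Close()
	}
	select {
	case sni := <-seen:
		return sni, nil
	default:
		return "", fmt.Errorf("ClientHello never reached the listener: %v", err)
	}
}

func main() {
	for _, name := range []string{"", dnsName} {
		sni, err := SentSNI(name)
		fmt.Printf("ServerName=%q: server saw SNI %q (err=%v)\n", name, sni, err)
	}
}
```

Setting ServerName also makes crypto/tls verify the server certificate against that hostname instead of the IP address it dialed.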
That seems like we broke something, because I'm pretty sure it used to work in this fashion. I thought that was actually how all of the JAAS controllers were originally set up.