Incorrectly sets subjectAltName addresses as DNS type instead of using IP types
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
charm-haproxy | Fix Released | Undecided | Unassigned |
Bug Description
When generating the self-signed certificate, the public and private addresses are written into subjectAltName as DNS entries instead of IP entries.
The resulting certificate fails to validate on recent curl versions, producing a confusing error about no subjectAltName matching the target host, even when the certificate itself is provided to curl.
For instance:

```console
$ juju deploy ghost
$ juju deploy haproxy
$ juju relate haproxy ghost
$ juju config haproxy ssl_cert=SELFSIGNED
$ juju config haproxy services='
- service_name: haproxy_service
  service_host: "0.0.0.0"
  service_port: 443
  crts: [DEFAULT]
  service_options: [balance leastconn, cookie SRVNAME insert]
  server_options: maxconn 100 cookie S{i} check'
$ echo | openssl s_client -connect 10.4.50.188:443 | openssl x509 -text > cacert
$ curl https:/
curl: (51) SSL: no alternative certificate subject name matches target host name '10.4.50.188'
```
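The mismatch can be reproduced without deploying the charm. The following is an added shell example (not charm-haproxy's own code) that builds two throwaway self-signed certificates, one carrying the address as a `DNS:` SAN as the unfixed openssl.cnf did and one carrying it as an `IP:` SAN, and then asks OpenSSL the same question curl asks when the URL host is an IP address. It assumes OpenSSL 1.1.1 or newer (for `-addext`/`-checkip`) and reuses the address from the report.

```shell
#!/bin/sh
# Added example, not charm-haproxy code. Shows why a SAN of DNS:<ip> fails
# hostname verification while IP:<ip> passes. Assumes OpenSSL >= 1.1.1.
set -e
ADDR=10.4.50.188                     # address from the bug report
WORK=$(mktemp -d)

# make_cert NAME SAN: write a throwaway self-signed cert to $WORK/NAME.pem
# whose subjectAltName is exactly SAN (e.g. "DNS:10.4.50.188").
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=haproxy-selfsigned" -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# san_matches_ip NAME: succeed (exit 0) only if the certificate's SAN matches
# $ADDR as an iPAddress entry. This is the RFC 6125 check curl applies when the
# URL host is an IP literal; dNSName entries and the CN are not consulted.
san_matches_ip() {
    openssl x509 -in "$WORK/$1.pem" -noout -checkip "$ADDR" | grep -q "does match"
}

make_cert buggy "DNS:$ADDR"   # what the unfixed openssl.cnf produced
make_cert fixed "IP:$ADDR"    # what the corrected openssl.cnf produces

if san_matches_ip buggy; then echo "buggy cert: matches"
else echo "buggy cert: no match (this is curl error 51)"; fi
if san_matches_ip fixed; then echo "fixed cert: matches"
else echo "fixed cert: no match"; fi
```

The same check is available for DNS names with `openssl x509 -checkhost`, which is what makes the DNS-typed entry look fine when tested by hostname but fail when clients connect by IP.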
Related branches
- haproxy-team: review pending (requested)
- Diff: 11 lines (+2/-2), 1 file modified: data/openssl.cnf (+2/-2)
Move to Fix Released as the latest charm includes the corresponding change.