My TLS distribution example (GitHub: rlipscombe/erlang-cluster, "Erlang nodes running in a cluster on the nodes in a Kubernetes cluster :)") broke when I upgraded from Erlang/OTP 25.3 to 27.3.3.
It’s reporting the following (wrapped for clarity):
    CLIENT ALERT: Fatal - Handshake Failure, -
      {bad_cert,{hostname_check_failed,
        {requested,"10.42.0.216"},{received,[{dNSName,"10.42.0.216"}]}}}
My CSR (I’m using cert-manager) has subject=/CN=10.42.0.216 and subjectAltName=DNS:10.42.0.216.
My distribution config looks like this:
    % inet_tls_dist.config
    [
      {server, [
        {certfile, "/certs/my/tls-dist.crt"},
        {keyfile, "/certs/my/tls-dist.key"},
        {verify, verify_peer},
        {fail_if_no_peer_cert, true},
        {cacertfile, "/certs/ca/ca.crt"},
        {secure_renegotiate, true}
      ]},
      {client, [
        {certfile, "/certs/my/tls-dist.crt"},
        {keyfile, "/certs/my/tls-dist.key"},
        {verify, verify_peer},
        {cacertfile, "/certs/ca/ca.crt"},
        {secure_renegotiate, true}
      ]}
    ].
Further investigation: it breaks somewhere between 25.3 and 26.2.
What broke? How do I fix it?