TLS distribution breaks with hostname_check_failed ... received dNSName

My TLS distribution example (GitHub: rlipscombe/erlang-cluster) broke when I upgraded from Erlang/OTP 25.3 to 27.3.3.

It’s reporting the following (wrapped for clarity):

CLIENT ALERT: Fatal - Handshake Failure, - 
  {bad_cert,{hostname_check_failed,
    {requested,"10.42.0.216"},{received,[{dNSName,"10.42.0.216"}]}}}

My CSR (I’m using cert-manager) has subject=/CN=10.42.0.216 and subjectAltName=DNS:10.42.0.216.

My distribution config looks like this:

% inet_tls_dist.config
[
    {server, [
        {certfile, "/certs/my/tls-dist.crt"},
        {keyfile, "/certs/my/tls-dist.key"},
        {verify, verify_peer},
        {fail_if_no_peer_cert, true},
        {cacertfile, "/certs/ca/ca.crt"},
        {secure_renegotiate, true}
    ]},
    {client, [
        {certfile, "/certs/my/tls-dist.crt"},
        {keyfile, "/certs/my/tls-dist.key"},
        {verify, verify_peer},
        {cacertfile, "/certs/ca/ca.crt"},
        {secure_renegotiate, true}
    ]}
].

Further investigation: it breaks somewhere between 25.3 and 26.2.

What broke? How do I fix it?

This is probably related to SNI. Check out this post: "hostname_check fails in smtp tls handshake".

Because I’m connecting to nodes by IP address, OTP 26 wasn’t happy with the dNSName entry. I fixed it by adding IP = ${MY_POD_IP} to the certificate request.

[req]
req_extensions = req_extensions
distinguished_name = req_distinguished_name

[req_distinguished_name]

[req_extensions]
subjectAltName = @alt_names
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth,clientAuth

[alt_names]
DNS = ${MY_POD_IP}
IP = ${MY_POD_IP}
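The rule behind that error, modelled in Python as an added example (not OTP's code and not part of the thread): under RFC 6125 / RFC 5280 a reference that is an IP literal is matched only against iPAddress subjectAltName entries, never against a dNSName whose text happens to be the same dotted quad. OTP's real check is `public_key:pkix_verify_hostname/2`; the SAN lists below are constructed to mirror the certificate before and after the fix.

```python
import ipaddress


def match_san(requested: str, san_entries: list[tuple[str, str]]) -> bool:
    """Return True if `requested` (a hostname or IP literal) is matched by one
    subjectAltName entry. IP references match only iPAddress entries, compared
    as parsed addresses; DNS references match only dNSName entries."""
    try:
        ref_ip = ipaddress.ip_address(requested)
    except ValueError:
        ref_ip = None  # not an IP literal, treat as a DNS name

    for kind, value in san_entries:
        if ref_ip is not None:
            # IP literal requested: a dNSName "10.42.0.216" does not count.
            if kind == "iPAddress" and ipaddress.ip_address(value) == ref_ip:
                return True
        elif kind == "dNSName" and _dns_match(requested, value):
            return True
    return False


def _dns_match(ref: str, pattern: str) -> bool:
    """Case-insensitive label comparison; a wildcard is allowed only as the
    whole left-most label and only when at least two labels follow it."""
    ref_labels = ref.lower().rstrip(".").split(".")
    pat_labels = pattern.lower().rstrip(".").split(".")
    if len(ref_labels) != len(pat_labels):
        return False
    if pat_labels[0] == "*" and len(pat_labels) > 2:
        return ref_labels[1:] == pat_labels[1:]
    return ref_labels == pat_labels


def explain(requested: str, san_entries: list[tuple[str, str]]):
    """Shape the outcome like OTP's {bad_cert, {hostname_check_failed, ...}}."""
    if match_san(requested, san_entries):
        return "ok"
    return {"bad_cert": ("hostname_check_failed",
                         {"requested": requested},
                         {"received": san_entries})}


# Constructed SAN lists: the CSR from the question, then the fixed one.
BEFORE_FIX = [("dNSName", "10.42.0.216")]
AFTER_FIX = [("dNSName", "10.42.0.216"), ("iPAddress", "10.42.0.216")]

if __name__ == "__main__":
    print(explain("10.42.0.216", BEFORE_FIX))  # hostname_check_failed
    print(explain("10.42.0.216", AFTER_FIX))   # ok
```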