Info
Hi, I created the PEM with SAN by the following steps:
1. sudo openssl req -new -key myserver.key -out myserver_san_ip.csr -subj "/C=AU/ST=NSW/O=test/CN=x509server/emailAddress=user@domain.com"
2. sudo openssl x509 -req -days 3650 -in myserver_san_ip.csr -CA ca.crt -CAkey ca.key -set_serial 01 -extensions v3_req -extfile a.txt -out myserver_san_ip.crt
a.txt's content is:
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = IP:10.154.10.39
Then use "openssl x509 -text -noout -in myserver_san_ip.crt" to check the SAN field. see
3. sudo sh -c "cat myserver.key myserver_san_ip.crt > myserver_san_ip.pem"
With this new PEM file, I restarted the mongod server.
Then I tried to connect with the mongo shell: mongo --host 10.154.10.39 --ssl --sslCAFile ca.pem --sslPEMKeyFile myclient.pem
But I still get the error:
2018-02-01T03:56:53.109+0800 E NETWORK [thread1] The server certificate does not match the host name. Hostname: 10.154.10.39 does not match SAN(s):
2018-02-01T03:56:53.110+0800 E QUERY [thread1] Error: socket exception [CONNECT_ERROR] for The server certificate does not match the host name. Hostname: 10.154.10.39 does not match SAN(s): :
connect@src/mongo/shell/mongo.js:237:13
@(connect):1:6
exception: connect failed
Top User Comments
winnie_quest commented on Mon, 5 Feb 2018 02:43:12 +0000:
Got it, thanks Mark
mark.agarunov commented on Fri, 2 Feb 2018 18:02:15 +0000:
Hello winnie_quest,
Thank you for the report. Looking over this, I believe this describes the same behavior detailed in SERVER-24591, to support IP SAN fields in SSL certificates, so I've closed this ticket as a duplicate. Please watch SERVER-24591 for updates on this issue.
Thanks,
Mark
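
Added example (not part of the ticket and not MongoDB's code): a Python pre-flight check over `openssl x509 -text -noout` output that reports whether a `--host` value is covered by a DNS-type SAN entry or only by an IP-type one. It assumes, as the empty `SAN(s):` list in the error and the SERVER-24591 reference suggest, that the client compares only DNS entries; `SAMPLE_TEXT` is constructed, the function and result names are hypothetical, and wildcard DNS names are not handled.

```python
import ipaddress
import re

# Constructed sample: the extension part of `openssl x509 -text -noout`
# output for a certificate built from the a.txt shown in the report.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Subject Alternative Name:
                IP Address:10.154.10.39
"""


def parse_sans(text):
    """Return (dns_names, ip_addresses) found in openssl's text dump."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    dns, ips = [], []
    if not m:
        return dns, ips
    for entry in m.group(1).split(", "):
        # Split on the first ':' only, so IPv6 values stay intact.
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def check_target(text, target):
    """Classify how `target` (the value given to --host) is covered."""
    dns, ips = parse_sans(text)
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        addr = None
    if addr is None:
        # Host name: exact, case-insensitive comparison against DNS entries.
        return "dns-match" if target.lower() in dns else "no-match"
    if target in dns:
        return "ip-as-dns-entry"  # IP literal stored in a DNS: entry
    if addr in ips:
        return "ip-san-only"      # invisible to a DNS-only matcher
    return "no-match"


if __name__ == "__main__":
    print(check_target(SAMPLE_TEXT, "10.154.10.39"))
```

A result of `ip-san-only` corresponds to the situation in the report: the certificate does carry the address, but only as an IP-type entry.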