etcd: Peer certificate with wildcard hostname not working

Running 3 CentOS 7.4 nodes with etcd 3.2.11-1.el7. I am able to generate the CA, server, client and peer certs per https://coreos.com/os/docs/latest/generate-self-signed-certificates.html. I can confirm the server and client certs are definitely working. However, my nodes are unable to form successful peer connections with each other on startup.

I generated the peer cert with these parameters:

export ADDRESS="*.mydomain.com"
export NAME=peer
echo '{"CN":"'$NAME'","hosts":[""],"key":{"algo":"rsa","size":2048}}' \
     | cfssl gencert -config=ca-config.json -ca=ca.pem -ca-key=ca-key.pem -hostname="$ADDRESS" - \
     | cfssljson -bare $NAME

Peer settings in etcd.conf:

ETCD_PEER_CERT_FILE="/etc/etcd/tls/peer.pem"
ETCD_PEER_KEY_FILE="/etc/etcd/tls/peer-key.pem"
ETCD_PEER_CLIENT_CERT_AUTH="true"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/tls/ca.pem"
ETCD_PEER_AUTO_TLS="false"

When I start the nodes, I see these errors being logged:

Feb 02 16:41:48 kube-etcd-01.mydomain.com etcd[12322]: b7e8b1c8346e3d56 [logterm: 1, index: 3] sent MsgVote request to 78886c6b59167b9 at term 130
Feb 02 16:41:48 kube-etcd-01.mydomain.com etcd[12322]: b7e8b1c8346e3d56 [logterm: 1, index: 3] sent MsgVote request to a421b19894562278 at term 130
Feb 02 16:41:48 kube-etcd-01.mydomain.com etcd[12322]: rejected connection from "10.1.130.156:54950" (error "remote error: tls: bad certificate", ServerName "")
Feb 02 16:41:48 kube-etcd-01.mydomain.com etcd[12322]: rejected connection from "10.1.130.156:54956" (error "remote error: tls: bad certificate", ServerName "")
Feb 02 16:41:48 kube-etcd-01.mydomain.com etcd[12322]: rejected connection from "10.1.130.156:54958" (error "remote error: tls: bad certificate", ServerName "")
Feb 02 16:41:48 kube-etcd-01.mydomain.com etcd[12322]: rejected connection from "10.1.130.156:54964" (error "remote error: tls: bad certificate", ServerName "")

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 22 (13 by maintainers)

Most upvoted comments

Would you be able to provide a working cluster config for a certificate with SAN=*.example.com? I tried several config combinations, but am always getting:

rejected connection from "10.99.4.2:36668" (error "remote error: tls: bad certificate", ServerName "")
Jan 02 14:29:54 spvault01 etcd[31837]: failed to dial c2ef3ff524aff825 on stream MsgApp v2 (x509: cannot validate certificate for 10.99.4.2 because it doesn't contain any IP SANs)

etcd Version: 3.3.10
Git SHA: 27fc7e2
Go Version: go1.10.4
Go OS/Arch: linux/amd64
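The failure both reports describe is Go's hostname check on the peer side: the dialing node verifies the remote peer certificate against the address it dialed, and when that address is an IP, only IP SANs count, so a certificate carrying nothing but a `*.mydomain.com` DNS SAN is rejected ("doesn't contain any IP SANs"). The following is an added Go example, not etcd's own code, that reproduces the check in isolation with Go's `crypto/x509` package. The hostnames and the IP `10.1.130.156` are taken from the log lines above purely as constructed sample values; the self-signed certificate is generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makePeerCert builds a self-signed certificate whose SANs are exactly the
// given DNS names and IP addresses (constructed for this example; a real
// deployment would have the CA sign it).
func makePeerCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "peer"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PeerNameOK reports whether a certificate with the given SANs passes the
// same name check a Go TLS client applies to the address it dialed. The
// second return value carries the x509 error text on failure.
func PeerNameOK(dnsNames []string, ips []net.IP, dialed string) (bool, string) {
	cert, err := makePeerCert(dnsNames, ips)
	if err != nil {
		return false, err.Error()
	}
	// VerifyHostname treats a dialed IP literal as an IP and matches it only
	// against IPAddresses; DNS SANs (wildcard or not) are never consulted.
	if err := cert.VerifyHostname(dialed); err != nil {
		return false, err.Error()
	}
	return true, ""
}

func main() {
	wildcard := []string{"*.mydomain.com"}
	ip := net.ParseIP("10.1.130.156") // constructed sample peer address
	cases := []struct {
		dns    []string
		ips    []net.IP
		dialed string
	}{
		{wildcard, nil, "kube-etcd-01.mydomain.com"}, // wildcard matches one label
		{wildcard, nil, "10.1.130.156"},             // rejected: no IP SANs
		{wildcard, []net.IP{ip}, "10.1.130.156"},    // accepted once the IP SAN is present
	}
	for _, tc := range cases {
		ok, msg := PeerNameOK(tc.dns, tc.ips, tc.dialed)
		fmt.Printf("dialed %-28s ok=%-5v %s\n", tc.dialed, ok, msg)
	}
}
```

The first case shows the wildcard itself is fine for a single-label host under `mydomain.com`; the second reproduces the error from the comment; the third shows that listing the peer's IP in the certificate's SANs (for example via cfssl's `-hostname` list alongside the wildcard) satisfies the check when peers dial each other by IP.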