cannot validate certificate for <ip-address> because it doesn't contain any IP SANs

I'm working on a GitLab CI pipeline that will deploy my docker stack. I'm trying to set the $DOCKER_HOST to be tcp://DROPLET_IP:2377, but I'm getting an error saying that my certificate doesn't contain any IP SANs. I'm testing with a Digital Ocean Droplet, so I haven't set a domain name for my droplet yet.

deploy:
  stage: deploy
  image: docker:stable
  services:
    - docker:dind
  variables:
    DOCKER_HOST: "tcp://$DROPLET_IP:2377"
    DOCKER_TLS_VERIFY: 1
  before_script:
    - mkdir -p ~/.docker
    - echo "$TLS_CA_CERT" > ~/.docker/ca.pem
    - echo "$TLS_CERT" > ~/.docker/cert.pem
    - echo "$TLS_KEY" > ~/.docker/key.pem
  script:
    - docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
    - docker info
    - docker stack deploy --with-registry-auth --compose-file=docker-stack.yml mystack

Here's the error I'm getting in the output of my GitLab CI job:

$ docker login -u gitlab-ci-token -p "$CI_JOB_TOKEN" "$CI_REGISTRY"
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
error during connect: Post https://<ip-address>:2377/v1.39/auth: x509: cannot validate certificate for <ip-address> because it doesn't contain any IP SANs

I'm using the following set of commands to generate my certs (ca.pem, server-cert.pem and server-key.pem) that I'm trying to use in my deploy stage described above. I have saved TLS_CA_CERT, TLS_CERT and TLS_KEY to variables that are being used in GitLab CI.

openssl genrsa -aes256 -out ca-key.pem 4096

openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

openssl genrsa -out server-key.pem 4096

openssl req -subj "/CN=<ip-address>" -sha256 -new -key server-key.pem -out server.csr

echo subjectAltName = IP:<ip-address> >> extfile.cnf

echo extendedKeyUsage = serverAuth >> extfile.cnf

openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf
briancaffey asked Feb 11 '19 01:02


2 Answers

I see you have included the IP address in the subjectAltName

echo subjectAltName = IP:<ip-address> >> extfile.cnf

Check, as in here, if this is a configuration issue:

I put subjectAltName in the wrong section. Working method: Basically I edited openssl.cnf, in section [v3_ca] I added 'subjectAltName = IP:192.168.2.107'.
Produced new certificate and added to server + client.

You need to make sure your extension is declared in the v3_ca part, as shown here.

VonC answered Sep 23 '22 03:09


As of OpenSSL 1.1.1, providing subjectAltName directly on the command line becomes much easier, with the introduction of the -addext flag to openssl req.

Example:

export HOST="my.host"
export IP="127.0.0.1"
# Double quotes so the shell expands ${IP} and ${HOST}; inside single quotes
# they are passed to openssl literally and the SAN would read "IP:${IP}".
openssl req -newkey rsa:4096 -nodes -keyout "${HOST}.key" -x509 -days 365 -out "${HOST}.crt" \
  -addext "subjectAltName = IP:${IP}" \
  -subj "/C=US/ST=CA/L=SanFrancisco/O=MyCompany/OU=RND/CN=${HOST}/"

Inspired by link

ofirule answered Sep 23 '22 03:09