After upgrading a system (kubernetes) that uses golang 1.15.0-rc.1, I am stuck on this error message:
"x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0".
The only place I am using a common name (that I know of) is when I generate the CSR for my service:
openssl req -new -key certs/foo-bar.pem -subj "/CN=foobar.mydomain.svc" -out certs/foo-bar.csr -config certs/foo-bar_config.txt
How can I convert this command to use SANs instead?
You may need the -addext flag. For example:
openssl req -new -key certs/foo-bar.pem \
-subj "/CN=foobar.mydomain.svc" \
-addext "subjectAltName = DNS:foobar.mydomain.svc" \
-out certs/foo-bar.csr \
-config certs/foo-bar_config.txt
Got the answer from here: https://security.stackexchange.com/questions/74345/provide-subjectaltname-to-openssl-directly-on-the-command-line
Solution
I have explained it fully.
This solution works for me. First you must have a CA, and then sign your server cert with the CA. I create a CA and a server cert and finally sign the server cert with the command below (change -subj and CN as desired).
In your situation you should pass the subjectAltName when you sign the server cert, in the last command line below.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*.example.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:www.example.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
After running this command you can use the certs (server.crt, server.key) in a kubernetes secret for ingress.
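Both answers above come down to the same point: Go's verifier no longer falls back to the Subject CN, so the name the client connects to must appear in the subjectAltName extension. The following Go program is an added example (not code from the question or either answer) that reproduces the whole flow in Go's own crypto/x509 package instead of openssl: it builds a throwaway root CA like the "openssl req -new -x509" step, issues a leaf with only a CN (the questioner's original CSR), a leaf with a matching SAN (what -addext or -extfile subjectAltName adds), and a leaf with a non-matching SAN, and runs the same chain-plus-hostname verification a Go TLS client performs. All names and key material are constructed for the demo; "foobar.mydomain.svc" is taken from the question and the CA subject mirrors the second answer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey returns a fresh P-256 key; a failure here is fatal for this constructed demo.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// NewTestCA builds a self-signed root, the equivalent of the answer's
// "openssl req -new -x509 ... -out ca.crt" step (subject values are constructed).
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Acme, Inc."}, CommonName: "Acme Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// IssueLeaf signs a server certificate with the CA. sans == nil reproduces the
// questioner's CN-only CSR (no subjectAltName extension is emitted at all);
// a non-empty sans is what "-addext subjectAltName=..." or
// "-extfile <(printf subjectAltName=...)" adds.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, sans []string) (*x509.Certificate, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyFor runs the chain and hostname check a Go TLS client performs; the
// "certificate relies on legacy Common Name field" error originates here.
func VerifyFor(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Outcome issues a leaf with the given CN and SANs and returns the verification
// error a client connecting to host would see (nil means it is accepted).
func Outcome(cn string, sans []string, host string) error {
	ca, caKey, err := NewTestCA()
	if err != nil {
		return err
	}
	leaf, err := IssueLeaf(ca, caKey, cn, sans)
	if err != nil {
		return err
	}
	return VerifyFor(leaf, ca, host)
}

func main() {
	host := "foobar.mydomain.svc"
	fmt.Println("CN only     :", Outcome(host, nil, host))
	fmt.Println("CN + SAN    :", Outcome(host, []string{host}, host))
	fmt.Println("SAN mismatch:", Outcome(host, []string{"other.svc"}, host))
}
```

Only the second case verifies; the first fails with the legacy Common Name error from the question and the third with a "certificate is valid for other.svc, not foobar.mydomain.svc" hostname error. Two practical caveats: the -addext option in the first answer requires OpenSSL 1.1.1 or newer, and the <(printf ...) process substitution in the second answer needs bash or zsh rather than plain sh. Also note that Go 1.17 removed the x509ignoreCN GODEBUG setting altogether, so the environment-variable workaround in the later answers only buys time on Go 1.15 and 1.16; putting the hostname in the SAN is the durable fix.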
I think this blog post will help you: Know about SAN Certificate and How to Create With OpenSSL. Otherwise you could do what is suggested by the error message, and set GODEBUG="x509ignoreCN=0" as an environment variable.
I run on Red Hat 8.4 using the environment variable; it works for me.
export GODEBUG="x509ignoreCN=0"
podman login repo.example.com:5000
Username: registryuser Password: Login Succeeded!