Cannot validate certificate for because it doesn't contain any IP SANs

Hello everybody,

I am trying to install the sensu backend using the official puppet module.

While the sensu backend is installed without problems, I cannot log in using sensuctl:

[root@test~]# sensuctl configure
? Authentication method: username/password
? Sensu Backend URL:
? Namespace: default
? Preferred output format: json
? Username: admin
? Password: ****************

Error: unable to authenticate with error: Get x509: cannot validate certificate for because it doesn't contain any IP SANs

Maybe someone else can jump in as well, as I haven’t seen this /exact/ issue, but it seems like a typical SSL chain validation issue.

It’s uncommon to use an IP address as a common name (CN), but it can be done. If your certificate was issued with a CN of the IP I think you should be ok.

It looks like Sensuctl isn’t trusting the certificate you have installed on your sensu-backend. I suspect this issue would go away if you add the certificate to your certificate authority (CA) bundle / trust bundle. If you self-signed you’ll add the certificate itself. If you have a private CA, you can add your CA public cert and/or any intermediate certificates to your CA bundle and this should also work.

Depending on your distro/platform, there are different ways to add a certificate to your CA bundle / trust bundle.

If that doesn’t work, then possibly there’s something slightly different with the way that Go handles certificates with an IP address in the CN instead of an fqdn. In that case you can regen your certificate with an fqdn and add in IP SANs, self-sign or private sign, then add the self-signed cert to your CA bundle (or add the private CA pubcert to your CA bundle) and that should fix it.

In our cluster we have private CA signed certs with the fqdn and all the nodes as IP SAN entries in the cert, and added our CA pubcert to the bundle on each.

Hope that helps.

Indeed, this appears to be golang tls implementation being very very strict about what a valid ssl cert is.
I’m seeing similar issue reports from other golang based services.

@ahoiroman ,
If you are using private certificate infrastructure, it’s possible to generate a cert that will work, by providing the IP address as an alternate name. The Sensu docs have some example instructions on how to do this using the cfssl tool with a private CA.

If you follow those instructions, you generate certs with an "X509v3 Subject Alternative Name:" extension that contains both alternative DNS and IP Address hostnames that are separate from the common name.

If you can’t reissue the cert such that the IP address is not in the SAN extension of the cert to get sensuctl working in this scenario, you can use the --insecure-skip-tls-verify option to sensuctl configure, which will keep the connection encrypted but won’t verify the cert against your CA.
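To make the behaviour both replies describe concrete, here is an added example (my own Go program, not code from the thread, from Sensu or from the cfssl docs). It builds a throwaway private CA, issues three backend certificates with different name shapes, and then runs the same hostname check a Go TLS client such as sensuctl runs against a trusted root. The backend name `sensu-backend.example.test`, the address `10.0.0.5` and the helper names (`must`, `RunScenarios`, `verifyAs`) are assumptions for the example; none of them appear in the thread.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed backend identity for this example; the thread does not give one.
const (
	backendFQDN = "sensu-backend.example.test"
	backendIP   = "10.0.0.5"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA builds a self-signed private CA; its cert is what a client adds to its trust bundle.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// issueServerCert signs a backend cert with the CA. dnsSANs and ipSANs go into the
// X509v3 Subject Alternative Name extension; cn fills only the Common Name.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, dnsSANs []string, ipSANs []net.IP) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsSANs,
		IPAddresses:  ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// verifyAs is the check a Go TLS client (sensuctl included) runs after the handshake:
// chain to a trusted root, then match the dialed host against the leaf's SANs.
// An IP host is matched only against IP SANs, never against the CN.
func verifyAs(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// RunScenarios issues three certificate shapes and verifies them the way sensuctl
// would for a backend URL that carries the IP or the FQDN. A nil error means "trusted".
func RunScenarios() map[string]error {
	ca, caKey := newCA()
	ip := []net.IP{net.ParseIP(backendIP)}
	dnsOnly := issueServerCert(ca, caKey, backendFQDN, []string{backendFQDN}, nil)
	cnOnly := issueServerCert(ca, caKey, backendIP, nil, nil) // IP in CN, no SAN extension
	withIPSAN := issueServerCert(ca, caKey, backendFQDN, []string{backendFQDN}, ip)
	return map[string]error{
		"DNS SAN only, dialed by IP":      verifyAs(dnsOnly, ca, backendIP),
		"IP in CN, no SANs, dialed by IP": verifyAs(cnOnly, ca, backendIP),
		"DNS+IP SAN, dialed by IP":        verifyAs(withIPSAN, ca, backendIP),
		"DNS+IP SAN, dialed by FQDN":      verifyAs(withIPSAN, ca, backendFQDN),
	}
}

func main() {
	for name, err := range RunScenarios() {
		fmt.Printf("%-34s %v\n", name, err) // nil prints as <nil>, i.e. trusted
	}
}
```

The first scenario reproduces the exact error from the question ("cannot validate certificate for 10.0.0.5 because it doesn't contain any IP SANs"). The second shows that putting the IP in the CN does not help, because Go's verifier never matches an IP host against the Common Name. Only the third certificate, FQDN plus an IP SAN, verifies whichever form of backend URL is configured, which is the shape the cfssl instructions produce. Using `--insecure-skip-tls-verify` would make all three "succeed" by skipping `verifyAs` entirely, which is why it should be a stopgap rather than the fix.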