This repository has been archived by the owner on Mar 5, 2024. It is now read-only.

authentication handshake failed: x509: certificate is valid for localhost, 127.0.0.1, kiam-server, not localhost:443 #348

Closed
marcoamorales opened this issue Dec 27, 2019 · 2 comments

Comments

@marcoamorales

Hello,

As per the documentation, TLS certs are meant to be generated for the server component with the following hosts:

kiam/docs/server.json

Lines 2 to 5 in fad5afc

"hosts": [
"kiam-server",
"127.0.0.1",
"localhost"

However, if I set up the TLS certs to contain only those hosts, the health command fails with the following error:

/ # GRPC_GO_LOG_SEVERITY_LEVEL=info GRPC_GO_LOG_VERBOSITY_LEVEL=8 /health --cert=/etc/kiam/tls/tls.crt --key=/etc/kiam/tls/tls.key --ca=/etc/kiam/tls/ca.crt --server-address=localhost:443 --server-address-refresh=2s --timeout=5s
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: IDLE, 0xc420065200
INFO: 2019/12/27 00:54:59 dialing to target with scheme: ""
INFO: 2019/12/27 00:54:59 could not get resolver for scheme: ""
WARN[0000] error checking health: rpc error: code = Unavailable desc = there is no address available 
INFO: 2019/12/27 00:54:59 balancerWrapper: is pickfirst: false
INFO: 2019/12/27 00:54:59 grpc: failed dns SRV record lookup due to lookup _grpclb._tcp.localhost on 169.254.20.10:53: no such host.
INFO: 2019/12/27 00:54:59 balancerWrapper: got update addr from Notify: [{127.0.0.1:443 <nil>} {[::1]:443 <nil>}]
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: new subconn: [{127.0.0.1:443 0  <nil>}]
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: new subconn: [{[::1]:443 0  <nil>}]
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea250, CONNECTING
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: CONNECTING, 0xc420065200
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea2e0, CONNECTING
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: CONNECTING, 0xc420065200
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea2e0, TRANSIENT_FAILURE
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: CONNECTING, 0xc420065200
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea2e0, CONNECTING
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: CONNECTING, 0xc420065200
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea250, TRANSIENT_FAILURE
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: CONNECTING, 0xc420065200
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea250, CONNECTING
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: CONNECTING, 0xc420065200
WARNING: 2019/12/27 00:54:59 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: Error while dialing dial tcp [::1]:443: connect: cannot assign requested address"; Reconnecting to {[::1]:443 0  <nil>}
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea2e0, TRANSIENT_FAILURE
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: CONNECTING, 0xc420065200
WARNING: 2019/12/27 00:54:59 Failed to dial 127.0.0.1:443: connection error: desc = "transport: authentication handshake failed: x509: certificate is valid for localhost, 127.0.0.1, kiam-server, not localhost:443"; please retry.
INFO: 2019/12/27 00:54:59 balancerWrapper: handle subconn state change: 0xc4202ea250, SHUTDOWN
INFO: 2019/12/27 00:54:59 ccBalancerWrapper: updating state and picker called by balancer: TRANSIENT_FAILURE, 0xc420065200
@rhysemmas
Contributor

Hi @marcoamorales, which version of Kiam are you running? As of v3.0 the port number in the server address shouldn't cause issues with there not being any port number in the SANs.
I believe this is the relevant PR: #86

@marcoamorales
Author

hey @rhysemmas, I can confirm I'm running v2.7. My bad! I will upgrade and circle back. Thanks!
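
The handshake error in this thread shows the certificate being checked against the full dial address `localhost:443` instead of the host alone. The following Go program is an added example, not code from Kiam or from this issue: it reproduces that mismatch with `crypto/x509` and shows the port being stripped before verification. The helper names `newServerCert` and `verifyName` are hypothetical, and the certificate is a constructed throwaway carrying the SANs listed in `docs/server.json`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newServerCert (hypothetical helper) builds a throwaway self-signed certificate,
// a constructed sample with the SANs kiam-server, 127.0.0.1 and localhost.
func newServerCert() (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     []string{"kiam-server", "localhost"},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyName (hypothetical helper) drops an optional port from a dial address
// and checks only the host part against the certificate's SANs.
func verifyName(cert *x509.Certificate, addr string) error {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		host = addr // address carried no port
	}
	return cert.VerifyHostname(host)
}

func main() {
	cert, err := newServerCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("raw address:  ", cert.VerifyHostname("localhost:443"))
	fmt.Println("port stripped:", verifyName(cert, "localhost:443"))
}
```

SANs hold DNS names and IP addresses only, so adding `localhost:443` to the certificate's host list is not the remedy; the name handed to the verifier has to be the bare host.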
