I'm trying to enroll an intermediate certificate authority with its root certificate authority. I'm using TLS and the CAs run in separate docker containers using the fabric-ca images. If I send the CSR through the docker network there are no problems, but if I try to send it through my local network I get this problem: x509: cannot validate certificate for "HOST_IP" because it doesn't contain any IP SANs. I read that the reason for my problem is that the TLS certificate(s) don't contain IP SANs (IP subject alternative names); this is a field in the TLS certificate that basically says: "The certificate was issued to a host whose IP is: <1.2.3.4>". So, if that is the problem, how could I add this field to my certificate? And if not, what is the problem and how could I resolve it? Thanks and regards!
Sending the CSR through one network path or another does not change its content. Are you sure that when sending the CSR through the docker network, it contains a SAN? Anyway, SO is about programming, not system administration. May you find good answers on ServerFault. – Alexandre Fenyo Nov 02 '18 at 15:56
I realized that it was just a silly mistake, I was mistakenly naming the csr hostname, thanks for your help! – Yamil Nov 03 '18 at 00:20
1 Answer
You can follow the explanation given here with a similar IP SANS issue. There is also a detailed explanation of the IP SANS issue in the HLF mailing list. Also make sure, when you are using the Fabric CA Client to generate the certificates, to use the server's hostname to request them, e.g. fabric-ca-client enroll -d --enrollment.profile tls -c <client configuration file> -u https://admin:adminpw@<server hostname>:7054 --csr.hosts $PEER_HOST. If an IP address is given in the URL, the TLS handshake will fail with a 'bad TLS certificate' error on the server side and a 'certificate does not contain IP SANS' error on the client side, as the ca-cert.pem used to perform the handshake with the server contains the hostname and not the IP address.

msingh
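As an added illustration (not code from the question or the answer above), this Go snippet uses the standard crypto/x509 package, the same library that performs the Fabric CA client's hostname check, to show that the "doesn't contain any IP SANs" error is produced when a certificate carries only a DNS SAN and is contacted by IP, and goes away once the IP is included as a SAN. The certificate, the name ca.example.org and the address 10.0.0.5 are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed server certificate carrying the
// given DNS and IP SANs (constructed for this example, not fabric-ca code).
func selfSigned(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fabric-ca-server"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
		IPAddresses:  ips, // the "IP SANs" the error message refers to
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameCheck runs Go's SAN matching (crypto/x509, the library behind the
// Fabric CA client) for host against a certificate with the given SANs and
// returns the resulting error text, or "" when the host is covered.
func HostnameCheck(dnsNames []string, ips []net.IP, host string) string {
	cert, err := selfSigned(dnsNames, ips)
	if err != nil {
		return err.Error()
	}
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}
```

Calling HostnameCheck([]string{"ca.example.org"}, nil, "10.0.0.5") returns the same "cannot validate certificate for 10.0.0.5 because it doesn't contain any IP SANs" text seen in the question, while passing net.ParseIP("10.0.0.5") in the ips slice, or contacting the server by its hostname, returns "".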