Document Certificate Validation Problem with IP in DN instead of Hostname #400

Closed
gebi opened this issue Feb 27, 2015 · 5 comments

@gebi

gebi commented Feb 27, 2015

Hi,

As most users are not yet familiar with the picky Go implementation about IP in DN, please document it in https://github.com/elasticsearch/logstash-forwarder/blob/master/README.md#generating-an-ssl-certificate

Something like:
Go (correctly) does not accept IPs in the DN of a certificate as most other implementations do, thus if you see some error message of logstash-forwarder like:

x509: cannot validate certificate for YOUR-IP because it doesn't contain any IP SANs

Please use the hostname of your machine to connect (where the hostname needs to be the DN in the certificate) or include IP SANs in your certificate.

Would save you a lot of support trouble ;)

@jordansissel
Contributor

@gebi I've tried this explanation, but I get gripes from (many!) people who do not even have DNS at all in their infrastructure and insist they require IP SANs.

I've given up. Nobody knows how to generate SSL certificates.

I'll update the readme to include -subj /CN=some.host.name to help folks along who do have DNS, but ultimately self-signed certs probably aren't a great "for production" thing either.

@jordansissel
Contributor

Oh, I forgot, this was already done.

openssl req -x509  -batch -nodes -newkey rsa:2048 -keyout lumberjack.key -out lumberjack.crt -subj /CN=logstash.example.com

Is what the readme says right now. Was changed in 0e22bad

@jordansissel
Contributor

Unless I've misunderstood what you're saying, I think this information is already in the README.

jordansissel added a commit that referenced this issue Mar 3, 2015
@jordansissel
Contributor

#402 should include something I hope solves this.

jordansissel added a commit that referenced this issue Mar 4, 2015
Attempt to satisfy #400

Fixes #402
@jordansissel jordansissel modified the milestone: 0.4.0 Mar 4, 2015
@gebi
Author

gebi commented Mar 4, 2015

For people without DNS in their infrastructure and without knowledge of /etc/hosts there is no hope ;). Maybe mention /etc/hosts in the documentation as a fix for infrastructures without DNS?

justmara pushed a commit to justmara/logstash-forwarder that referenced this issue May 28, 2015