509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Question

509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

Opened this issue 4 years ago · 1 comments

Command to generate certificate should be:
[lab-user@provision scripts]$ sudo openssl req -newkey rsa:4096 -nodes -sha256 -keyout /nfs/registry/certs/domain.key -x509 -days 365 -out /nfs/registry/certs/domain.crt -subj "/C=US/ST=NorthCarolina/L=Raleigh/O=Red Hat/OU=Marketing/CN=provision.$GUID.dynamic.opentlc.com" -addext "subjectAltName = DNS:provision.$GUID.dynamic.opentlc.com"

The current command is generating a certificate that is failing when we use the mirror openshift:
error: unable to connect to provision.9ldsh.dynamic.opentlc.com:5000/ocp4/openshift4: Get "https://provision.9ldsh.dynamic.opentlc.com:5000/v2/": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

agonzalezrh commented 4 years ago

@hgeaydem