Common Name mismatch enabling security

Hi,

I’m trying to enable security, using Docker and docker-compose, for a demo environment on my PC.
When I try to run the environment, I get an error on certificate configuration:

cockroachdb-node-01_1  | *
cockroachdb-node-01_1  | * ERROR: cannot load certificates.
cockroachdb-node-01_1  | * Check your certificate settings, set --certs-dir, or use --insecure for insecure clusters.
cockroachdb-node-01_1  | * 
cockroachdb-node-01_1  | * problem using security settings: client/server node certificate has Subject "CN=cockroachdb-node-01", expected "CN=node"
cockroachdb-node-01_1  | *
cockroachdb-node-01_1  | Failed running "start"

How can I change the expected CN from node to my own?

I’ve generated my certificate using OpenSSL as follows:

openssl genrsa -out ca.key 4096

openssl req -x509 -new -key ca.key -sha256 -out ca.crt

-----

Country Name (2 letter code) []:**

State or Province Name (full name) []:*****

Locality Name (eg, city) []:******

Organization Name (eg, company) []:****

Organizational Unit Name (eg, section) []:****

Common Name (eg, fully qualified host name) []:*********

Email Address []:****

Create a config file to generate the CSR:

[ req ]
default_bits       = 4096
default_md         = sha512
default_keyfile    = cockroachdb-node-01/cockroachdb-node-01.key
prompt             = no
encrypt_key        = no

# base request
distinguished_name = req_distinguished_name

# extensions
req_extensions     = v3_req

# distinguished_name
[ req_distinguished_name ]
countryName            = "**"                       # C=
stateOrProvinceName    = "******"                  # ST=
localityName           = "*****"   # L=
postalCode             = "****"                    # L/postalcode=
streetAddress          = "******"          # L/street=
organizationName       = "****"           # O=
organizationalUnitName = "****"               # OU=
commonName             = "cockroachdb-node-01"      # CN=
emailAddress           = "***@****.***"   # CN/emailAddress=

[ v3_req ]

Create and sign the CSR:

openssl req -config cockroachdb-node-01.cnf -new -out cockroachdb-node-01.csr
openssl x509 -req -in cockroachdb-node-01.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out cockroachdb-node-01.crt -sha256

The docker-compose YML file is as follows:

version: "3"

services:
  cockroachdb-node-01:
    image: cockroachdb/cockroach
    hostname: cockroachdb-node-01
    command: start --certs-dir=/certs --advertise-addr=cockroachdb-node-01
    volumes:
      - cockroachdb-node-01-vol:/cockroach/cockroach-data
      - certificate-cockroachdb-node-01-vol:/certs
    restart: always
    networks:
      - cockroachdb-net

networks:
  cockroachdb-net:
    driver: bridge

volumes:
  cockroachdb-node-01-vol: {}
  certificate-cockroachdb-node-01-vol:
    driver: local
    driver_opts:
      device: /opt/cockroachdb-node-01
      type: none
      o: bind

When using a single certificate (as opposed to split client/server cert) for a node, the CN must always be set to node.

Please see the docs to create a certificate for CRDB using openssl, especially the warning in the create node certificates section.
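As an added example (not the poster's or CockroachDB's own code), the script below builds the node certificate the way this answer describes: the CN is fixed to node and the host name cockroachdb-node-01 from the question goes into the subjectAltName instead, with a helper that prints the CN the node checks at startup. The work directory, the SAN entries and the CA subject are assumptions for this example.

```shell
#!/bin/sh
# Added example (not the poster's or CockroachDB's own code): build a node
# certificate the way the answer describes: CN fixed to "node", with the
# host name from the question moved into the subjectAltName. The work
# directory, SAN entries and CA subject are assumptions for this example.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
NODE_HOST="cockroachdb-node-01"   # hostname from the compose file above

# Request config: CN is "node"; the host name lives in the SAN list.
write_node_cnf() {
  cat > "$WORKDIR/node.cnf" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req

[ dn ]
commonName = node

[ v3_req ]
subjectAltName = DNS:$NODE_HOST,DNS:localhost,IP:127.0.0.1
EOF
}

# Create the CA, the node key and CSR, then sign the CSR keeping the SAN.
make_certs() {
  write_node_cnf
  openssl genrsa -out "$WORKDIR/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORKDIR/ca.key" -config "$WORKDIR/node.cnf" \
    -subj "/CN=Cockroach CA" -days 365 -sha256 -out "$WORKDIR/ca.crt"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORKDIR/node.cnf" \
    -keyout "$WORKDIR/node.key" -out "$WORKDIR/node.csr" 2>/dev/null
  openssl x509 -req -in "$WORKDIR/node.csr" -CA "$WORKDIR/ca.crt" \
    -CAkey "$WORKDIR/ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORKDIR/node.cnf" -extensions v3_req \
    -out "$WORKDIR/node.crt" 2>/dev/null
}

# Print the subject CN; the node compares this against "node" at startup.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Print the SAN entries so the host name can be verified before deploying.
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1
}
```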

Yes, I’ve read the friendly manual and fixed the problem :slight_smile:.