Problem with haproxy access

Hello!
I am testing a 3-node cluster of cockroach with haproxy as the balancer, installed on another server. I successfully created a secured cluster with SSL encryption, but I can't use haproxy; I get this error:
ERROR: x509: certificate is valid for st-cockroach1.domain.ru, not st-cockroach.domain.ru
Failed running “sql”

Here is a part of my haproxy config:

listen psql
bind :26257
mode tcp
balance roundrobin
option httpchk GET /health?ready=1
server cockroach1 st-cockroach1.domain.ru:26257 check port 8080
server cockroach2 st-cockroach2.domain.ru:26257 check port 8080
server cockroach3 st-cockroach3.domain.ru:26257 check port 8080

Help me please with this case.

It seems like there's a problem with your certificates: st-cockroach1.domain.ru vs. st-cockroach.domain.ru. Who is getting that error? What URL are you using to connect to the cluster?

I get this error when I try to connect with the command:
cockroach sql --certs-dir=certs --host=st-cockroach.domain.ru:26257
The certificates are in the folder certs; they were created on server st-cockroach1 and then moved to server st-front, where haproxy is installed. I tried to connect from server st-front.
These certificates were created on st-cockroach1 with the commands:
cockroach cert create-ca --certs-dir=certs --ca-key=cr-keys/ca.key
cockroach cert create-client root --certs-dir=certs --ca-key=cr-keys/ca.key
As a result, these files are in the folder certs on st-front:
ca.crt
client.root.crt
client.root.key
I need haproxy (on server st-front) to have access to all cockroach nodes and be successfully authorized by certificates.

The problem is that the name of your haproxy node does not match the name of the certificate you’re using. You would need to generate a new certificate for that node. You should re-create the certs including the name of the load-balancer. See Step 2.4 here: Deploy CockroachDB On-Premises | CockroachDB Docs

Namely, you should pass the load-balancer’s name (st-cockroach.domain.ru) as an additional argument to cert create-node which you’d use to create the certs on st-cockroach1.

I’ve already tried:

cockroach cert create-node 10.1.18.66 10.1.18.66 st-cockroach1 10.1.18.17 st-front2 st-front2.fqdn --certs-dir=certs-st-front2 --ca-key=cr-keys/ca.key
Here 10.1.18.17 is the balancer server IP, st-cockroach.fqdn is the DNS name of the balancer, and 10.1.18.66 is the first cockroach node IP.
After that I moved these certs to the balancer server and tried to connect, but got this error:
cockroach sql --certs-dir=certs-balancer --host=st-cockroach.fqdn:26257

ERROR: x509: certificate is valid for st-cockroach1.fqdn, not st-cockroach.fqdn

How do I correctly issue valid certs?

+1 to @ajwerner, you need something like this: cockroach cert create-node roach-0 lb pgbouncer --certs-dir=/tmp/certs/roach-0 --ca-key=/tmp/safe/ca.key

where roach-0 is my cockroach node and lb is the FQDN of the load balancer; in your case you'd include st-cockroach.fqdn and st-cockroach1.fqdn:

cockroach cert create-node st-cockroach1.fqdn st-cockroach.fqdn --certs-dir=/tmp/certs/roach-0 --ca-key=/tmp/safe/ca.key

Have a look at how I'm doing it here… docker-examples/example-secure at master · cockroachlabs-field/docker-examples · GitHub
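The error in this thread is Go's own x509 hostname check: the cockroach client compares the host it dialled against the Subject Alternative Names in node.crt, and the load balancer's name was never one of them. The following is an added example, not code from the thread, from CockroachDB or from the linked repo. It builds a throwaway self-signed certificate with the same SAN list that `cockroach cert create-node <host> ...` would record, reproduces the exact error for the balancer name, and then shows the check passing once the balancer's DNS name and IP are included. The hostnames and IPs are the ones quoted above; `issueNodeCert`, `hostnameError` and `missingSANs` are names chosen for this example. `missingSANs` is the pre-deployment check worth running against a real node.crt before copying certs anywhere.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueNodeCert builds a self-signed certificate whose Subject Alternative
// Names are exactly the hosts given, the way `cockroach cert create-node
// <host> ...` records each argument as a DNS or IP SAN in node.crt.
// Stand-in for this example only: it is not the cockroach CLI and is not
// signed by the cluster CA.
func issueNodeCert(hosts []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "node"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	for _, h := range hosts {
		// IP literals become IP SANs, everything else a DNS SAN.
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameError returns the message a Go TLS client (cockroach sql included)
// reports when it connects to host and checks it against cert's SANs, or ""
// when the name is covered. Pass the bare host, without the :26257 port.
func hostnameError(cert *x509.Certificate, host string) string {
	if err := cert.VerifyHostname(host); err != nil {
		return err.Error()
	}
	return ""
}

// missingSANs lists every name in wanted that cert would NOT be accepted for.
// Run it over node.crt before copying certs to the load balancer.
func missingSANs(cert *x509.Certificate, wanted []string) []string {
	var missing []string
	for _, w := range wanted {
		if cert.VerifyHostname(w) != nil {
			missing = append(missing, w)
		}
	}
	return missing
}

// wanted: every name or address a client may dial to reach this node,
// directly or through the balancer. Values are the ones from the thread.
var wanted = []string{"st-cockroach1.fqdn", "10.1.18.66", "st-cockroach.fqdn", "10.1.18.17"}

func main() {
	// The thread's original cert: only the node's own name and IP.
	before, err := issueNodeCert([]string{"st-cockroach1.fqdn", "10.1.18.66"})
	if err != nil {
		panic(err)
	}
	fmt.Println("before:", hostnameError(before, "st-cockroach.fqdn"))
	fmt.Println("missing SANs:", missingSANs(before, wanted))

	// The fix: balancer DNS name and IP passed as extra create-node arguments.
	after, err := issueNodeCert(wanted)
	if err != nil {
		panic(err)
	}
	fmt.Printf("after: %q, missing SANs: %v\n",
		hostnameError(after, "st-cockroach.fqdn"), missingSANs(after, wanted))
}
```

The "before" run prints the same `x509: certificate is valid for st-cockroach1.fqdn, not st-cockroach.fqdn` line seen in the thread, because Go lists only the DNS SANs when the dialled host is a DNS name; the "after" run reports no error and no missing names. Whatever goes into `wanted` is the full list that has to be passed to `cert create-node` for that node, and every node in the cluster needs the balancer's names in its own certificate, since haproxy forwards the TCP connection to any of them.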