There is nothing special about Assuming that this is the nats-server acting as the TLS client, then:
I would check carefully to make sure that the name the TLS client is using to connect is the name of the server you expect, and isn't (for example) an IP address. The NATS client libraries have special handling for IP addresses: if they originally connect with a hostname, but learn new connection addresses from the server for reconnect, then when connecting to reconnect and it is an IP address, then it will validate the original hostname instead. Otherwise, I don't think there's special handling for IP addresses.
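The check suggested in the reply above can be reproduced offline. This is an added example, not code from the thread or from the NATS project: it uses Go's `crypto/x509` matching rules (an assumption, since the thread does not say which TLS library the client uses), a throwaway certificate built with the SAN list from the error message, and a placeholder IP address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// sampleCert builds a throwaway self-signed certificate (constructed test data)
// carrying the DNS SANs quoted in the error message and no IP SANs.
func sampleCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames: []string{"server01.domain.security", "server01",
			"server02.domain.security", "server02", "*.domain.security"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// nameMatches reports whether the name a client dialed passes SAN matching.
// An IP literal is compared only with IP SANs, never with DNS SANs.
func nameMatches(cert *x509.Certificate, dialed string) bool {
	return cert.VerifyHostname(dialed) == nil
}

func main() {
	cert, err := sampleCert()
	if err != nil {
		panic(err)
	}
	// 10.0.0.12 is a placeholder address, not taken from the thread.
	for _, n := range []string{"server02.domain.security", "server03.domain.security", "a.b.domain.security", "10.0.0.12"} {
		fmt.Printf("%-26s match=%v\n", n, nameMatches(cert, n))
	}
}
```

The `.security` names match like any other DNS name, while the IP literal and the two-label name under the wildcard do not, which is why the name actually dialed is the first thing to confirm.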
Hi team,
We’re seeing an issue with NATS client connectivity due to certificate validation failures. The error is related to mismatches in the Subject Alternative Names (SANs), specifically for domains ending in .security. Example error:
Certificate doesn't match any of the subject alternative names: [server01.domain.security, server01, server02.domain.security, server02, *.domain.security]
Despite server02.domain.security being listed, the client reports a mismatch.
A few questions:
Does NATS v2.11.1 have known fixes or changes related to certificate SAN validation?
Is there a way to configure the NATS client (e.g., nats-js.conf) to skip or relax certificate validation for testing purposes?
Are there known issues or special considerations when using .security TLDs with NATS?
Any guidance would be appreciated.
Thanks!