Docker Community Forums

Invalid X509v3 Subject Alternative Name in client bundle

ucp

(Christopher Najewicz) #1

I was trying to write some Go code to access our UCP cluster and noted some weird things when trying to use the client bundle…

panic: x509: cannot parse rfc822Name ""

This panic comes all the way down from Go’s x509 standard library.
Upon examination of the bundle’s cert, I believe the blank email field is the issue, but I am confused as to why it doesn’t include the actual SANs we have assigned to our manager nodes. Note the X509v3 Subject Alternative Name section below:

❯ openssl x509 -in ~/Downloads/ucp-bundle-int/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            re:da:c:te:d
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=swarm-ca
        Validity
            Not Before: Mar  1 14:15:00 2018 GMT
            Not After : Feb 27 14:15:00 2028 GMT
        Subject: C=, ST=, L=, O=Orca: asdfasdfasdfasdfasdf, OU=Client, CN=admin
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    re:dac:ted:
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                re:da:C:t:E:D0
            X509v3 Authority Key Identifier:
                keyid:re:da:C:t:E:D0

            X509v3 Subject Alternative Name:
                email:
    Signature Algorithm: ecdsa-with-SHA256
        re:da:C:t:E:D0

Note: I have seen the same thing on ucp latest in another cluster with valid SANs.

Server Version: ucp/2.2.2
CA Configuration:
    Expiry Duration: 3 months
    Force Rotate: 0
External CAs:
    cfssl: https://10.X.XX.X:12381/api/v1/cfssl/sign
    cfssl: https://10.X.XX.X:12381/api/v1/cfssl/sign
    cfssl: https://10.X.XX.X:12381/api/v1/cfssl/sign
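An added example, not code from the post or from UCP: a small Go decoder that walks the subjectAltName extension value one GeneralName at a time, so an rfc822Name with no content (the bundle's `email:` line) is reported as an empty email entry instead of surfacing as a parse failure, and DNS and IP names are decoded alongside it. The constructed `BundleSAN` input stands in for the bundle's extension; on a real certificate the same bytes are the `Value` of the entry with OID 2.5.29.17 in the certificate's `Extensions` slice.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"net"
)

// GeneralName tags from RFC 5280 section 4.2.1.6 that can be shown as text.
var sanKinds = map[int]string{1: "email", 2: "dns", 6: "uri", 7: "ip"}

// SAN is one decoded GeneralName; an rfc822Name with no content, like the
// bundle's "email:" entry above, comes out as {Kind: "email", Value: ""}.
type SAN struct{ Kind, Value string }

// DecodeSANs walks the value of the id-ce-subjectAltName extension (OID 2.5.29.17)
// tag by tag, without the semantic checks crypto/x509 applies while parsing.
func DecodeSANs(extValue []byte) ([]SAN, error) {
	var seq asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
	rest, err := asn1.Unmarshal(extValue, &seq)
	if err != nil {
		return nil, err
	}
	if len(rest) != 0 || seq.Tag != asn1.TagSequence || !seq.IsCompound {
		return nil, fmt.Errorf("subjectAltName value is not a SEQUENCE")
	}
	var out []SAN
	for rest = seq.Bytes; len(rest) > 0; {
		var gn asn1.RawValue // each GeneralName is a context-specific [tag]
		if rest, err = asn1.Unmarshal(rest, &gn); err != nil {
			return nil, err
		}
		kind, val := sanKinds[gn.Tag], string(gn.Bytes)
		switch {
		case kind == "": // otherName, directoryName, registeredID, ...
			kind, val = fmt.Sprintf("tag%d", gn.Tag), fmt.Sprintf("%d bytes", len(gn.Bytes))
		case gn.Tag == 7:
			val = net.IP(gn.Bytes).String()
		}
		out = append(out, SAN{kind, val})
	}
	return out, nil
}

// BundleSAN is constructed input mirroring the bundle above: a GeneralNames
// holding a single rfc822Name with zero bytes of content.
func BundleSAN() []byte {
	b, _ := asn1.Marshal([]asn1.RawValue{{Class: asn1.ClassContextSpecific, Tag: 1}})
	return b
}
```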