Certificate validation failure for CLI #5730

Closed
vasilij-icabbi opened this issue Apr 29, 2019 · 4 comments

Consul Version: 1.4.4
OS: Ubuntu Minimal 18.04
Cloud: AWS

Hello,
I am trying to add TLS certificates following this tutorial: https://learn.hashicorp.com/consul/advanced/day-1-operations/certificates

It all works fine, I create the CA and server TLS certificates, but when it comes to the CLI cert I get the following error:

```
/consul info -http-addr="https://10.0.0.0:8501" -ca-file=/opt/consul/tls/ca/consul-ca.pem -client-cert=/opt/consul/tls/ca/consul-cli.pem -client-key=/opt/consul/tls/consul-cli-key.pem
Error querying agent: Get https://10.0.0.0:8501/v1/agent/self: x509: certificate is valid for 127.0.0.1, not 10.0.0.0
```

If I try to change the private IPv4 to either the private or public IPv4 DNS, I get the following error:

```
Error querying agent: Get https://ip-10-0-0-0.eu-west-1.compute.internal:8501/v1/agent/self: x509: certificate is valid for server.datacenter.consul, localhost, not ip-10-0-0-0.eu-west-1.compute.internal
```

Could you please help me identify what I am doing wrong?

Thank you.

vasilij-icabbi (Author) commented Apr 29, 2019

Forgot to mention that the server accepts the certificate and works fine; the problem just appears when using CLI/CURL.

tristan-weil (Contributor) commented May 7, 2019

Hello @vasilij-icabbi

You will be able to add more IP addresses in the SANs of your certs in a future release: check this merged PR #5602

For now, you'll need to use DNS names and/or fill `/etc/hosts` if you don't have a DNS server.

pearkes (Contributor) commented May 15, 2019

Thanks @tristan-weil I think you're pointing @vasilij-icabbi in the right direction here – hopefully that will resolve the issue. That fix is in 1.5.0 which is available now.

pearkes closed this as completed May 15, 2019

vasilij-icabbi (Author) commented May 16, 2019

Thank you @pearkes and @tristan-weil. I confirm that the issue is solved in Consul 1.5.0. For prior versions I guess a viable option is to use OpenSSL or the like to generate certificates with SAN.
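
Added example, not part of the thread and not Consul's own code: a Go sketch of the SAN check behind both errors above, using a throwaway self-signed certificate built with the SAN values quoted in the issue. The helper name `CheckAddr` is hypothetical; it shows that an IP address is matched only against IP SANs and a hostname only against DNS SANs, so the address passed to `-http-addr` must appear in the matching list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CheckAddr (hypothetical helper) issues a throwaway self-signed certificate
// with the given DNS and IP SANs, then runs the hostname check that a Go TLS
// client applies to the address it dialed.
func CheckAddr(dnsNames, ipSANs []string, addr string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
	}
	for _, s := range ipSANs {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	// An IP literal is matched only against IP SANs, a name only against DNS SANs.
	return cert.VerifyHostname(addr)
}

func main() {
	dns := []string{"server.datacenter.consul", "localhost"} // SANs quoted in the issue
	fmt.Println(CheckAddr(dns, []string{"127.0.0.1"}, "10.0.0.0"))
	fmt.Println(CheckAddr(dns, []string{"127.0.0.1"}, "ip-10-0-0-0.eu-west-1.compute.internal"))
	fmt.Println(CheckAddr(dns, []string{"127.0.0.1", "10.0.0.0"}, "10.0.0.0"))
	fmt.Println(CheckAddr(dns, []string{"127.0.0.1"}, "server.datacenter.consul"))
}
```

The first two calls fail the way the CLI did; the last two pass, which corresponds to the two fixes discussed in the thread: add the IP to the certificate's SANs, or connect using a name the certificate already lists.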
