Catch failure for AppendCertsFromPEM #2
Conversation
go1.10 is more strict when parsing names within certificates. The common name needs to be DNS compatible. This is a change in behavior from go1.9 and before. It might make sense to replace this call with the code from @bradfitz from golang/go#23711 (comment)
|
Why guess the problem? Just ParseCertificate and tell the user the actual problem with it. |
|
To be clear, it's not the common name that needs to be DNS compatible. It's subject alternate names that are marked as DNS-based subject alternate names that have to be DNS compatible. Enforcing host names is on by default for Vault's PKI support, but I think we may not be properly verifying this if using a non-DNS-compatible CN before copying that value into SANs. I've opened hashicorp/vault#3918 to track that to ensure that we do. |
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes Have you signed the CLA already but the status is still pending? Recheck it. |
go1.10 is more strict when parsing names within certificates.
The common name needs to be DNS compatible. This is a change
in behavior from go1.9 and before.
It might make sense to replace this call with the code from
@bradfitz from golang/go#23711 (comment)