Hello everyone,

I have an InfluxDB cluster behind Apache HTTPD. HTTPD encrypts traffic between the client and HTTPD with a certificate issued by a corporate CA. Originally, traffic from HTTPD was proxied using http, but recently I've decided to encrypt it with a self-signed cert. After enabling encryption between InfluxDB cluster nodes, I've added the self-signed CA to the Apache config. However, if I set SSLProxyCheckPeerName to "on", I get error AH02411. SSLProxyCheckPeerCN is set to "off". Running Curl with the same CA certificate works, so it seems like HTTPD checks CN and SAN differently than Curl.

InfluxDB hostname: influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local

Certificate CN is "*.example.svc.cluster.local" and it doesn't match the hostname, but in subjectAltName it has "*.example.svc.cluster.local" and "influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local", which matches the hostname. My environment has multiple InfluxDB instances, so I can't set 1 CN, instead I use subjectAltName.

Here's an excerpt from my HTTPD configuration:

    <VirtualHost *:8443>
        SSLEngine on
        SSLCertificateFile "/usr/local/apache2/conf/server.crt"
        SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"

        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName on
        SSLProxyCACertificateFile "/usr/local/apache2/conf/influxdb-selfsigned-ca.crt"

        <Proxy "balancer://example-influxdb-oss">
            BalancerMember "https://influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local:8086"
        </Proxy>

        <Location "/ping">
            ProxyPass "balancer://example-influxdb-oss/ping"
            ProxyPassReverse "balancer://example-influxdb-oss/ping"
        </Location>
    </VirtualHost>

Is there any way to make my configuration work with hostname matching subjectAltName instead of CN?

Thanks in advance.
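
An added example, not part of the original post and not httpd or curl code: it checks the post's hostname against its two subjectAltName entries under two wildcard policies. `match_strict` models the rule documented for SSLProxyCheckPeerName (a wildcard counts only as a whole leftmost `*.` label, with the same number of labels and the same suffix); `match_partial` also accepts a `*` inside the leftmost label, which RFC 6125 lets clients support. The function names and the `CANDIDATE` SAN are assumptions made for illustration.

```python
# Added illustration: two wildcard-matching policies for TLS server names.
# Not httpd or curl source; function names are hypothetical.

HOST = "influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local"
SANS = [  # the two subjectAltName entries quoted in the post
    "*.example.svc.cluster.local",
    "influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local",
]
# Constructed SAN (not in the post): whole-label wildcard one level deeper.
CANDIDATE = "*.example-influxdb-oss.example.svc.cluster.local"

def _labels(name):
    return name.lower().rstrip(".").split(".")

def match_strict(pattern, host):
    """'*.suffix' matches hosts with the same label count and suffix;
    any other pattern is compared literally (case-insensitive)."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 1:
        return p[1:] == h[1:]
    return p == h

def match_partial(pattern, host):
    """Like match_strict, but one '*' may sit inside the leftmost label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    left = p[0]
    if left.count("*") != 1:
        return left == h[0]
    prefix, suffix = left.split("*")
    return (len(h[0]) >= len(prefix) + len(suffix)
            and h[0].startswith(prefix) and h[0].endswith(suffix))

def report(host, sans):
    """Map each SAN to the verdict of both policies for this host."""
    return {san: {"strict": match_strict(san, host),
                  "partial": match_partial(san, host)} for san in sans}

if __name__ == "__main__":
    for san, verdict in report(HOST, SANS + [CANDIDATE]).items():
        print(f"{san}\n    {verdict}")
```

Under the strict policy neither SAN from the post matches the backend hostname: the first has one label too few and the second uses a partial-label wildcard. A SAN shaped like `CANDIDATE` matches under both policies.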