Hello everyone,
I have an InfluxDB cluster behind Apache HTTPD. HTTPD encrypts traffic between the client and HTTPD with a certificate issued by the corporate CA. Originally, traffic from HTTPD was proxied using http, but recently I've decided to encrypt it with a self-signed cert. After enabling encryption between InfluxDB cluster nodes, I've added the self-signed CA to the Apache config. However, if I set SSLProxyCheckPeerName to "on", I get error AH02411. SSLProxyCheckPeerCN is set to "off". Running curl with the same CA certificate works, so it seems like HTTPD checks CN and SAN differently than curl.
InfluxDB hostname: influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local
Certificate CN is "*.example.svc.cluster.local" and it doesn't match the hostname, but in subjectAltName it has "*.example.svc.cluster.local" and "influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local", which matches the hostname. My environment has multiple InfluxDB instances, so I can't set 1 CN, instead I use subjectAltName.
Here's an excerpt from my HTTPD configuration:
<VirtualHost *:8443>
SSLEngine on
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
SSLProxyEngine on
SSLProxyVerify require
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName on
SSLProxyCACertificateFile "/usr/local/apache2/conf/influxdb-selfsigned-ca.crt"
<Proxy "balancer://example-influxdb-oss">
BalancerMember "https://influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local:8086"
</Proxy>
<Location "/ping">
ProxyPass "balancer://example-influxdb-oss/ping"
ProxyPassReverse "balancer://example-influxdb-oss/ping"
</Location>
</VirtualHost>
Is there any way to make my configuration work with hostname matching subjectAltName instead of CN?
Thanks in advance.
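Added example (not from the poster or from httpd): the two SAN entries and the hostname from the question, checked under the two wildcard policies that differ here. The mod_ssl documentation for SSLProxyCheckPeerName only promises wildcard matching for a leftmost label that is exactly "*." and only against a name with the same number of labels, whereas curl's hostcheck and OpenSSL's X509_check_host (by default) also accept a partial wildcard such as "influxdb-oss-*" inside the leftmost label. The hostname and SAN values are taken from the post; the policy functions are my own reconstruction of those rules.

```python
"""Match a hostname against certificate dNSName SANs under two wildcard policies."""
from __future__ import annotations

# Values from the forum post (constructed inline so this runs offline).
HOSTNAME = "influxdb-oss-0.example-influxdb-oss.example.svc.cluster.local"
SAN_DNS_NAMES = [
    "*.example.svc.cluster.local",
    "influxdb-oss-*.example-influxdb-oss.example.svc.cluster.local",
]


def match_whole_label(pattern: str, host: str) -> bool:
    """Strict rule (documented for SSLProxyCheckPeerName, also Python 3.7+ ssl):
    a wildcard must be the whole leftmost label and replaces exactly one label,
    so label counts must agree; anything else is compared literally."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # refuse "*.tld"-style patterns, then compare the remaining labels
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def match_partial_label(pattern: str, host: str) -> bool:
    """Looser rule (curl hostcheck, OpenSSL X509_check_host default): '*' may sit
    inside the leftmost label as prefix*suffix, must consume at least one character,
    and the rest of the name must match exactly with at least two dots."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    p_first, _, p_rest = pattern.partition(".")
    h_first, _, h_rest = host.partition(".")
    if "*" not in p_first:
        return pattern == host
    if "." not in p_rest or p_rest != h_rest:
        return False
    prefix, _, suffix = p_first.partition("*")
    if len(h_first) < len(prefix) + len(suffix) + 1:
        return False
    return h_first.startswith(prefix) and h_first.endswith(suffix)


def evaluate(host: str, names: list[str]) -> dict[str, tuple[bool, bool]]:
    """Return {san: (whole_label_match, partial_label_match)} for each SAN."""
    return {n: (match_whole_label(n, host), match_partial_label(n, host)) for n in names}


if __name__ == "__main__":
    for name, (strict, partial) in evaluate(HOSTNAME, SAN_DNS_NAMES).items():
        print(f"{name}\n  whole-label wildcard: {strict}\n  partial wildcard:     {partial}")
```

Under the whole-label rule neither SAN matches the hostname (the first has too few labels, the second is not a "*." wildcard), while the partial rule accepts the second one; that is the gap between AH02411 from httpd and a successful curl, and a per-node SAN such as the full hostname, or a "*.example-influxdb-oss.example.svc.cluster.local" entry, satisfies both.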