On Mon, 2019-06-10 at 20:12 +0000, Michael Wojcik wrote:
> > What I cut out was only the base64-encoded certificate.
>
> Yes. That was what we needed to see. The certificate.

Yep, that's my bad. Thanks for the reminder.

> As it turns out, you're hitting the OpenSSL restriction on wildcards
> with fewer than two domain components, as Viktor explained. I'd
> forgotten about that restriction.
>
> However, I still recommend using a proper X.509v3 server certificate
> with one or more SANs. If you're running your own CA using the
> openssl utility, there are various online tutorials showing how to
> generate modern certificates.

Just to be clear, this is being seen in our docker-based test environment using a virtual network and the docker resolvers, where we're creating our own certificates so we can easily do both positive and negative testing with things like good/bad hostnames, expired certificates, incorrect chains, testing key rotation, etc. etc. Our Java and Python clients work fine, but the C/C++ clients were failing.

These certificates aren't being used "for real".

I'll look into enhancing our test environment to address this.

Cheers!
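
An added illustration, not part of the message above and not OpenSSL's own code: a simplified Python model of the restriction quoted in the thread (a wildcard needs at least two domain components after the `*`), run over constructed names from a hypothetical test network. It assumes only a whole leftmost label `*` counts as a wildcard and that all names are ASCII; the function names and hostnames are made up for the example.

```python
# Simplified model of the wildcard restriction discussed in the thread.
# Assumptions: only "*." as the whole leftmost label is a wildcard, names
# are ASCII, and every certificate name / hostname below is constructed.

def usable_wildcard(pattern: str) -> bool:
    """True if pattern is '*.<rest>' and <rest> has at least two components."""
    if not pattern.startswith("*."):
        return False
    rest = pattern[2:]
    labels = rest.split(".")
    return "*" not in rest and len(labels) >= 2 and all(labels)


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname, case-insensitively."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname           # plain name: exact match only
    if not usable_wildcard(pattern):
        return False                         # refused as a wildcard
    first, _, rest = hostname.partition(".")
    return bool(first) and rest == pattern[2:]   # '*' covers exactly one label


def audit(cert_names, hostnames):
    """Return ({hostname: matched}, [wildcards that will be refused])."""
    refused = [n for n in cert_names if "*" in n and not usable_wildcard(n)]
    matched = {h: any(name_matches(n, h) for n in cert_names) for h in hostnames}
    return matched, refused


# Constructed sample data for a test network with a single-label domain.
SHORT_WILDCARD_CERT = ["*.testnet"]                 # one component after '*'
SAN_CERT = ["broker.testnet", "*.svc.testnet"]      # explicit SAN + longer wildcard
HOSTS = ["broker.testnet", "db.svc.testnet", "a.b.svc.testnet"]

if __name__ == "__main__":
    for label, names in (("short wildcard", SHORT_WILDCARD_CERT), ("SAN list", SAN_CERT)):
        matched, refused = audit(names, HOSTS)
        print(label, "refused wildcards:", refused)
        for host, ok in matched.items():
            print("   ", host, "->", "match" if ok else "NO MATCH")
```

Running `audit` over the names planned for a test certificate before issuing it shows which hosts need an explicit SAN entry rather than a short wildcard.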