x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
出现这个问题的原因是:Go 1.15 版本开始废弃 CommonName,因此推荐使用 SAN 证书。 解决方案: 1.修改指定文件下参数: /etc/pki/tls/openssl.cnf
req_extensions = v3_req # The extensions to add to a certificate request
2.生成证书命令:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 36500 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=adm-rds-svc.<nameSpaceName>.svc" -out server.csr
#generate subjectAltName is different from normal ssl certificate
openssl x509 -req -extfile <(printf "subjectAltName=DNS:adm-rds-svc.<nameSpaceName>.svc") -days 36500 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt