Customer took the following steps:
Create Cloudify manager (non-SSL)
Create a CSR for the manager, in the subjectAlternativeNames section include:
Get that CSR signed by a CA
Install the certificate and key into the Cloudify manager (/etc/cloudify/ssl/external_*.cer)
Enable SSL on the Cloudify manager (cfy ssl enable)
At this stage, you won't be able to connect to the Cloudify manager without --skip-validation.
Create a profile with the CA certificate as the rest_public_certificate
Note that this fails as "the rest_public_certificate does not match the server's certificate"
The problem seems to have gone away when the ipaddress Python package was added to the CLI's virtualenv.
add steps to reproduce
Having trouble reproducing it. Even without ipaddress installed, I'm able to use SSL with a cert that has SAN.
I'll contact the originating customer to find out what I'm missing.
Can't reproduce this.
Was able to reproduce this after customer's clarification:
1. Cert CNF file has both a DNS and an IP address
2. "cfy profiles use" is provided with the IP address
Apparently this problem has to do with: https://github.com/shazow/urllib3/blob/master/urllib3/packages/ssl_match_hostname/_implementation.py#L9
Another resource: https://github.com/kubernetes-client/python/issues/36
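An added illustration, not part of the original ticket and not urllib3's own code: a simplified model of certificate hostname matching in which the client can only treat the target as an IP address when an `ipaddress` module is importable, applied to the reproduction above (certificate with both a DNS and an IP SAN, client given the IP). The `ipaddress_available` flag, the function names and the sample certificate are assumptions made for the example; wildcard DNS names are not handled.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "manager.example.com"),),),
    "subjectAltName": (
        ("DNS", "manager.example.com"),
        ("IP Address", "10.0.0.5"),
    ),
}


def parse_host_ip(hostname, ipaddress_available=True):
    """Return an ip_address object if hostname is an IP literal, else None.

    ipaddress_available=False models a client environment where the
    ipaddress module could not be imported: every hostname, including
    an IP literal, is then treated as a DNS name.
    """
    if not ipaddress_available:
        return None
    try:
        return ipaddress.ip_address(hostname)
    except ValueError:
        return None


def san_matches(cert, hostname, ipaddress_available=True):
    """Check hostname against the certificate's subjectAltName entries.

    DNS entries are only compared when the target is not an IP address;
    "IP Address" entries are only compared when it is.
    """
    host_ip = parse_host_ip(hostname, ipaddress_available)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and host_ip is None:
            if value.lower() == hostname.lower():
                return True
        elif kind == "IP Address" and host_ip is not None:
            if ipaddress.ip_address(value) == host_ip:
                return True
    return False


if __name__ == "__main__":
    for available in (True, False):
        ok = san_matches(SAMPLE_CERT, "10.0.0.5", ipaddress_available=available)
        print("ipaddress available=%s -> IP target matches: %s" % (available, ok))
```

With the module unavailable, the IP target is compared only against the DNS entry and validation fails, while connecting by the DNS name still succeeds.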