How does this plugin validate wildcard certificates? The PCF Documentation says the following:
Note: TLS certificates generated for wildcard DNS records only work for a single domain name component or component fragment. For example, a certificate generated for *.DOMAIN.com does not work for *.apps.DOMAIN.com and *.sys.DOMAIN.com. The certificate must have both *.apps.DOMAIN.com and *.sys.DOMAIN.com attributed to it.
This is not how most browsers operate for TLS trust, and the RFC covering wildcard certs states this check is optional, but the cf CLI does enforce this rule. I received an x509 trust error from the Vault CF plugin (it's an older version) for a wildcard signed for *.DOMAIN.com by a public CA, but I didn't know if this plugin is explicitly enforcing the single domain name component or is that maybe a golang default?
My concern is now I have to pin the cert in the config, and I'd prefer to just let normal trust rules apply.
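The single-label rule the question asks about is what Go's standard library applies on its own: crypto/x509's Certificate.VerifyHostname matches a wildcard SAN such as *.example.com against exactly one DNS label, so api.example.com passes while example.com and api.sys.example.com do not. Any Go TLS client (net/http included) inherits that check unless it replaces certificate verification. The program below is an added illustration, not code from the Vault CF plugin or the cf CLI; it mints a throwaway self-signed certificate for a constructed wildcard pattern and runs Go's own hostname matcher over a few candidate names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newWildcardCert builds a short-lived self-signed certificate whose only
// SAN is the given wildcard pattern. It is constructed test material, not a
// CA-issued cert; only the name-matching behaviour is of interest here.
func newWildcardCert(pattern string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: pattern},
		DNSNames:     []string{pattern},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches reports, for each candidate hostname, whether Go's
// crypto/x509 name matching accepts it against a certificate issued for
// pattern. This is the same check a Go TLS client performs after chain
// validation, so it shows what a Go-based CLI gets by default.
func HostnameMatches(pattern string, hosts []string) (map[string]bool, error) {
	cert, err := newWildcardCert(pattern)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out, nil
}

func main() {
	// Constructed names: one label under the wildcard, the bare domain,
	// and two names that sit one label deeper (the sys/apps layout the
	// PCF docs describe).
	hosts := []string{
		"api.example.com",
		"example.com",
		"api.sys.example.com",
		"login.apps.example.com",
	}
	res, err := HostnameMatches("*.example.com", hosts)
	if err != nil {
		panic(err)
	}
	for _, h := range hosts {
		fmt.Printf("%-24s matches *.example.com: %v\n", h, res[h])
	}
}
```

Running it prints true only for api.example.com. The practical consequence for a deployment with sys and apps subdomains is the one the PCF note gives: the certificate needs *.sys.DOMAIN.com and *.apps.DOMAIN.com as explicit SANs (or separate certificates per subdomain), and a Go client cannot be talked into accepting a broader *.DOMAIN.com wildcard without disabling or replacing verification, which is a worse trade than adding the SANs.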