11 days ago
Hello,
I'm currently trying to use TLS/SSL and Tailscale to make my MongoDB database more secure.
First I used TLS/SSL from this deployment:
https://github.com/kovalromank/mongo-ssl
This worked: I could connect to the database over TLS/SSL after creating a client.pem using openssl.
Then I used the Tailscale Subnet Router template to create a virtual private network for my deployment.
Connecting using only Tailscale, after deleting my public network, works.
When I try to combine the two it says this: Hostname/IP does not match certificate's altnames: Cert does not contain a DNS name
I've tried to use a .cnf file with CN = mongodb.railway.internal and also for DNS.1, but it seems that the SAN is incorrect. I've also tried using a san.txt to enforce the SAN to be that of the deployment, but that also didn't seem to help.
I can, however, connect with only the root.crt and use tlsAllowInvalidHostnames, but I'm worried that this is not secure enough.
How do I regenerate the certs for this deployment to be able to use TLS/SSL with my Tailscale setup?
Any support or suggestions are valuable,
Geelmije
I had already made a global post but did not get a reply.
10 days ago
This thread has been marked as public for community involvement, as it does not contain any sensitive or personal information. Any further activity in this thread will be visible to everyone.
Status changed to Open (brody, 10 days ago)
10 days ago
Hello,
I've pushed this thread to the bounty program and increased the bounty!
Best,
Brody
10 days ago
Your MongoDB client is checking the server's certificate, and the hostname you're connecting to (over Tailscale) isn't listed in the cert's SAN. So the TLS handshake fails unless you use tlsAllowInvalidHostnames (which is less secure and probably not what you want).
In essence, you need to regenerate your MongoDB server certificate so that the SAN includes the exact hostname or IP you use over Tailscale (e.g. mongodb.railway.internal, or the Tailscale IP, or whatever DNS name you use to connect).
Try the following steps:
Create a config file (e.g. mongo.cnf) with the correct SANs, for example:

```ini
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[req_distinguished_name]
CN = mongodb.railway.internal

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = mongodb.railway.internal
DNS.2 = <any-other-dns-you-use>
IP.1 = <tailscale-ip>
```

Then generate a new key and CSR:

```sh
openssl req -new -nodes -out mongo.csr -newkey rsa:2048 -keyout mongo.key -config mongo.cnf
```

Now sign the cert (self-signed or with your CA), making sure to include the SAN:

```sh
openssl x509 -req -in mongo.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out mongo.crt -days 365 -sha256 -extfile mongo.cnf -extensions v3_req
```

Then just use mongo.crt and mongo.key for your MongoDB server, and distribute the CA cert to your clients.
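The procedure above, end to end, as an added example (not code from the poster or from the mongo-ssl deployment): it issues the CA and server cert into a temp directory, concatenates key and cert into the single PEM that mongod's net.tls.certificateKeyFile expects, and then uses openssl's own name check to confirm that the SAN covers the names a client will use, which is exactly what the "does not match certificate's altnames" error is about. The Tailscale address 100.64.0.10 is a constructed sample value.

```shell
# Issue a CA-signed MongoDB server cert whose SAN lists both the Railway DNS name
# and a Tailscale IP, then check that the names a client will connect with really match.
set -eu
WORK="$(mktemp -d)"
HOST="mongodb.railway.internal"
TS_IP="100.64.0.10"   # constructed sample Tailscale address (100.64.0.0/10), not a real deployment value

# Request config: the SAN section is what clients check; the CN alone is ignored.
write_cnf() {
  cat > "$WORK/mongo.cnf" <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = $HOST
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $HOST
IP.1 = $TS_IP
EOF
}

# Throwaway root CA, server CSR signed with the SAN extensions, then the key+cert PEM for mongod.
issue_certs() {
  write_cnf
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 -subj "/CN=Test Root CA" \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.pem" 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/mongo.key" \
    -out "$WORK/mongo.csr" -config "$WORK/mongo.cnf" 2>/dev/null
  openssl x509 -req -in "$WORK/mongo.csr" -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/mongo.cnf" -extensions v3_req \
    -out "$WORK/mongo.crt" 2>/dev/null
  cat "$WORK/mongo.key" "$WORK/mongo.crt" > "$WORK/mongo.pem"
}

# Succeeds only if the cert chains to the CA and its SAN covers the given DNS name or IP,
# i.e. a client connecting with that name would not need tlsAllowInvalidHostnames.
cert_matches() {
  openssl verify -CAfile "$WORK/rootCA.pem" "$WORK/mongo.crt" >/dev/null 2>&1 || return 1
  case "$1" in
    *[!0-9.]*) openssl x509 -in "$WORK/mongo.crt" -noout -checkhost "$1" | grep -q "does match" ;;
    *)         openssl x509 -in "$WORK/mongo.crt" -noout -checkip "$1" | grep -q "does match" ;;
  esac
}

issue_certs
cert_matches "$HOST" && cert_matches "$TS_IP" && echo "SAN covers $HOST and $TS_IP"
cert_matches "other.internal" || echo "other.internal is not in the SAN: this is the altnames error"
```

Point mongod at "$WORK/mongo.pem" via --tlsCertificateKeyFile and give clients rootCA.pem as --tlsCAFile; any name that fails cert_matches here will fail the same way in the driver.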