Recent versions of Go ignore the CommonName (CN) in the cert, and only 
honour SubjectAltName.  However, if that were the problem, the error 
wouldn't say "certificate signed by unknown authority".

If your URLs are reachable from the Internet, then I suggest you post the 
real URLs here (in the spirit of the PowerDNS support policy 
<https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/>) 
and it could be answered in seconds.  If you're not prepared to do that, 
then all I can do is give you some general pointers.

How sure are you that it's "the same certificate"?  Have you tried:

openssl s_client -connect www.example.com:443 -servername www.example.com
openssl s_client -connect cloud.example.com:443 -servername cloud.example.com

In each case, copy the section between "-----BEGIN CERTIFICATE-----" and 
"-----END CERTIFICATE-----" inclusive to a file (say "www.example.com.pem" 
and "cloud.example.com.pem").
Check that the files are exactly identical.

diff -u www.example.com.pem cloud.example.com.pem

If they are not, decode the contents:

openssl x509 -in www.example.com.pem -noout -text
openssl x509 -in cloud.example.com.pem -noout -text

And if they are the same, look at the full chains returned by your 
server(s) for both names:

openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts
openssl s_client -connect cloud.example.com:443 -servername cloud.example.com -showcerts

and see what's different between them.  Since you're implying that they 
resolve to two different IP addresses, it could be that one server is 
returning the intermediate certs properly, and the other is not.

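The two failure modes discussed in the reply above, reproduced offline with Go's own verifier. This is an added example, not part of the original post or of Prometheus; the CA, the helper names (issue, verifyAs, demo) and cn-only.example.com are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template t with parent's key (nil parent = self-signed). Constructed test PKI only.
func issue(t, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t.NotBefore, t.NotAfter, t.BasicConstraintsValid = time.Now().Add(-time.Hour), time.Now().Add(time.Hour), true
	if parent == nil {
		parent, pk = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pk)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAs validates leaf for host as a Go TLS client would: one trusted root plus the intermediates the server sent.
func verifyAs(host string, leaf, root *x509.Certificate, sent ...*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// demo returns the verification result for: full chain sent, intermediate omitted, name present only in the CN.
func demo() (full, noInter, cnOnly error) {
	root, rk := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "root"}, IsCA: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	ica, ik := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "intermediate"}, IsCA: true, KeyUsage: x509.KeyUsageCertSign}, root, rk)
	leaf, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "cn-only.example.com"}, DNSNames: []string{"www.example.com", "cloud.example.com"}, KeyUsage: x509.KeyUsageDigitalSignature}, ica, ik)
	return verifyAs("cloud.example.com", leaf, root, ica), verifyAs("cloud.example.com", leaf, root), verifyAs("cn-only.example.com", leaf, root, ica)
}

func main() {
	fmt.Println(demo()) // order: full chain, intermediate omitted, name only in CN
}
```

The same leaf certificate verifies or fails with "certificate signed by unknown authority" depending only on whether the intermediate is supplied, while a name that appears only in the CN fails with a different, hostname-specific error.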