GitHub user benj-n closed a discussion: Mandatory to have management service listening on IP on default NIC?
Hi,

In the recent changes related to security [1], some certificate validation has been introduced: "Validate incoming cluster service requests are from peer management servers based on the server's certificate dns name"

As a matter of fact, those certificates also contain IP addresses in the SAN field. However, it looks like the IP addresses are extracted from the default NIC only [2].

As I understand it, that means, from now on, if we want to use IP for cross-management and management-hosts communication, then it is mandatory to have the management service listening on an IP on the default NIC (the one holding the route to the default gateway). Otherwise, certificates won't be validated.

Am I reading this right?

Any other people with such deployments (e.g. using an IP from a second interface)? Did you find a way to circumvent this?

Thank you,
-Benjamin.

[1] [commit/2cf838cc1d19298fe874b6abfcc9bbf88c7c6e49](https://github.com/apache/cloudstack/commit/2cf838cc1d19298fe874b6abfcc9bbf88c7c6e49)
[2] [RootCAProvider.java](https://github.com/apache/cloudstack/blob/9f4c8959743d2f53faae6fc5d68e88ddc20e21a3/plugins/ca/root-ca/src/main/java/org/apache/cloudstack/ca/provider/RootCAProvider.java#L378)

GitHub link: https://github.com/apache/cloudstack/discussions/9429

----

This is an automatically sent email for users@cloudstack.apache.org.
To unsubscribe, please send an email to: users-unsubscr...@cloudstack.apache.org
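The failure mode the question describes is a plain SAN mismatch: a peer that connects to the management server on an address that is not listed in the server's certificate fails validation. The following Python is an added example, not code from the discussion or from CloudStack, that makes that check explicit before a deployment relies on it. It assumes a certificate dictionary in the shape `ssl.SSLSocket.getpeercert()` returns (the `subjectAltName` entries are a constructed sample, chosen to mirror the situation in the question: the hostname and the default-NIC address are present, a second-interface address is not) and reports which of the addresses a server listens on are absent from its own certificate. Hostname matching follows the usual rule of one leading wildcard label only; IP literals must match an `IP Address` entry and never a DNS entry.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a management-server certificate whose SAN carries the hostname and the
# address of the default NIC only (the situation described in the question).
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "mgmt1.cloud.example"),),),
    "subjectAltName": (
        ("DNS", "mgmt1.cloud.example"),
        ("DNS", "*.mgmt.cloud.example"),
        ("IP Address", "10.0.0.5"),   # default NIC (assumed sample value)
        ("IP Address", "fd00::5"),    # default NIC, IPv6 (assumed sample value)
    ),
}


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: the wildcard may only be the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*" inside a label, "*.tld" patterns, and label-count mismatches.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_entries(cert: dict):
    """Split the SAN extension into (dns_names, ip_addresses); IPs are
    parsed so that textual variants of the same address compare equal."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def san_covers(cert: dict, target: str) -> bool:
    """True if a peer reached as `target` (hostname or IP literal) is covered
    by the certificate's SAN. IP literals are matched only against iPAddress
    entries; the subject CN is deliberately ignored."""
    dns, ips = san_entries(cert)
    try:
        # Strip an IPv6 zone id such as "%eth0" before parsing.
        return ipaddress.ip_address(target.split("%")[0]) in ips
    except ValueError:
        pass  # not an IP literal, fall through to DNS matching
    return any(_dns_matches(p, target) for p in dns)


def uncovered_endpoints(cert: dict, listen_addrs):
    """Return the listening addresses that are NOT in the server's own
    certificate; peers connecting to those will fail SAN validation."""
    return [a for a in listen_addrs if not san_covers(cert, a)]


if __name__ == "__main__":
    # Addresses the server is assumed to listen on; 192.168.50.5 stands for
    # an IP on a second interface that the certificate does not carry.
    listening = ["10.0.0.5", "192.168.50.5", "mgmt1.cloud.example"]
    print(uncovered_endpoints(SAMPLE_PEER_CERT, listening))  # ['192.168.50.5']
```

To run it against a real server certificate, replace `SAMPLE_PEER_CERT` with the dictionary returned by `getpeercert()` on a verified TLS connection, or with the SAN list from the certificate file; any address reported by `uncovered_endpoints` is one on which peers cannot validate the server.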