Backend DevelopmentGolangWhy am I encountering the \'failed to connect: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0\' error w
Error: Certificate Field Discrepancy in Go TLS Connection
When attempting to establish a TLS connection to a MongoDB server with Go, you may encounter the following error:
failed to connect: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Cause:
This error occurs when the server's TLS certificate relies on the legacy Common Name (CN) field for identification, but Go's runtime defaults to using Subject Alternative Names (SANs) for TLS connections.
Solution:
There are two main approaches to resolving this issue:
1. Utilize SANs in the Server Certificate:
- Regenerate the server certificate with SANs that match the hostnames or IP addresses used to connect to the server.
- This can be achieved using tools like OpenSSL or third-party certificate authorities.
2. Disable CN Matching Temporarily:
If you cannot regenerate the server certificate immediately, you can temporarily disable CN matching by setting the environment variable:
GODEBUG=x509ignoreCN=0
However, this is not a long-term solution and should be used only to establish connections temporarily.
Code Implementation:
If you choose to fix the issue in your Go code, ensure that the certificate you load contains SANs that match the hostnames used during the connection. Here's an updated version of the code snippet you provided:
<code class="go">const CONFIG_DB_CA = "/etc/ca-files/new-mongo.ca.crt"
func main() {
cer, err := tls.LoadX509KeyPair("/mongo-server.crt", "/mongo-server.key")
if err != nil {
log.Println(err)
return
}
roots := x509.NewCertPool()
ca, err := ioutil.ReadFile(CONFIG_DB_CA)
if err != nil {
fmt.Printf("Failed to read or open CA File: %s.\n", CONFIG_DB_CA)
return
}
roots.AppendCertsFromPEM(ca)
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cer},
RootCAs: roots,
VerifyPeerCertificate: func(rawCerts [][]*x509.Certificate) error {
for _, certs := range rawCerts {
for _, cert := range certs {
if len(cert.Subject.CommonName) > 0 {
continue
}
for _, dns := range cert.DNSNames {
if dns == "customhost" || dns == "customhost:port" {
return nil
}
}
return errors.New("certificate does not contain a SAN for the host")
}
}
return errors.New("no valid certificate found")
},
}
conn, err := tls.Dial("tcp", "customhost:port", tlsConfig)
if err != nil {
fmt.Printf("failed to connect: %v.\n", err)
return
}
err = conn.VerifyHostname("customhost")
if err != nil {
panic("Hostname doesn't match with certificate: " + err.Error())
}
for i, cert := range conn.ConnectionState().PeerCertificates {
prefix := fmt.Sprintf("CERT%d::", i+1)
fmt.Printf("%sIssuer: %s\n", prefix, cert.Issuer)
fmt.Printf("%sExpiry: %v\n", prefix, cert.NotAfter.Format(time.RFC850))
fmt.Printf("%sDNSNames: %v\n\n", prefix, cert.DNSNames)
}
fmt.Printf("Success!")
}</code>
This updated code uses a custom VerifyPeerCertificate function to verify that the certificate contains either a CN that matches the hostname or a SAN that matches the hostname. If a suitable certificate is found, the connection will succeed.
The above is the detailed content of Why am I encountering the \'failed to connect: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0\' error w. For more information, please follow other related articles on the PHP Chinese website!
Learn Go String Manipulation: Working with the 'strings' PackageMay 09, 2025 am 12:07 AMGo's "strings" package provides rich features to make string operation efficient and simple. 1) Use strings.Contains() to check substrings. 2) strings.Split() can be used to parse data, but it should be used with caution to avoid performance problems. 3) strings.Join() is suitable for formatting strings, but for small datasets, looping = is more efficient. 4) For large strings, it is more efficient to build strings using strings.Builder.
Go: String Manipulation with the Standard 'strings' PackageMay 09, 2025 am 12:07 AMGo uses the "strings" package for string operations. 1) Use strings.Join function to splice strings. 2) Use the strings.Contains function to find substrings. 3) Use the strings.Replace function to replace strings. These functions are efficient and easy to use and are suitable for various string processing tasks.
Mastering Byte Slice Manipulation with Go's 'bytes' Package: A Practical GuideMay 09, 2025 am 12:02 AMThebytespackageinGoisessentialforefficientbyteslicemanipulation,offeringfunctionslikeContains,Index,andReplaceforsearchingandmodifyingbinarydata.Itenhancesperformanceandcodereadability,makingitavitaltoolforhandlingbinarydata,networkprotocols,andfileI
Learn Go Binary Encoding/Decoding: Working with the 'encoding/binary' PackageMay 08, 2025 am 12:13 AMGo uses the "encoding/binary" package for binary encoding and decoding. 1) This package provides binary.Write and binary.Read functions for writing and reading data. 2) Pay attention to choosing the correct endian (such as BigEndian or LittleEndian). 3) Data alignment and error handling are also key to ensure the correctness and performance of the data.
Go: Byte Slice Manipulation with the Standard 'bytes' PackageMay 08, 2025 am 12:09 AMThe"bytes"packageinGooffersefficientfunctionsformanipulatingbyteslices.1)Usebytes.Joinforconcatenatingslices,2)bytes.Bufferforincrementalwriting,3)bytes.Indexorbytes.IndexByteforsearching,4)bytes.Readerforreadinginchunks,and5)bytes.SplitNor
Go encoding/binary package: Optimizing performance for binary operationsMay 08, 2025 am 12:06 AMTheencoding/binarypackageinGoiseffectiveforoptimizingbinaryoperationsduetoitssupportforendiannessandefficientdatahandling.Toenhanceperformance:1)Usebinary.NativeEndianfornativeendiannesstoavoidbyteswapping.2)BatchReadandWriteoperationstoreduceI/Oover
Go bytes package: short reference and tipsMay 08, 2025 am 12:05 AMGo's bytes package is mainly used to efficiently process byte slices. 1) Using bytes.Buffer can efficiently perform string splicing to avoid unnecessary memory allocation. 2) The bytes.Equal function is used to quickly compare byte slices. 3) The bytes.Index, bytes.Split and bytes.ReplaceAll functions can be used to search and manipulate byte slices, but performance issues need to be paid attention to.
Go bytes package: practical examples for byte slice manipulationMay 08, 2025 am 12:01 AMThe byte package provides a variety of functions to efficiently process byte slices. 1) Use bytes.Contains to check the byte sequence. 2) Use bytes.Split to split byte slices. 3) Replace the byte sequence bytes.Replace. 4) Use bytes.Join to connect multiple byte slices. 5) Use bytes.Buffer to build data. 6) Combined bytes.Map for error processing and data verification.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
WebStorm Mac version
Useful JavaScript development tools
SublimeText3 English version
Recommended: Win version, supports code prompts!
Dreamweaver CS6
Visual web development tools
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
SublimeText3 Chinese version
Chinese version, very easy to use
