This article helps operators understand why certificates used by network Load Balancers and the Gorouter to serve TLS traffic must contain at least one Subject Alternative Name (SAN) after Golang 1.17 is released.
When Golang 1.15 was released, the Go team deprecated the legacy use of the CommonName field as a host name in X.509 certificates and added an environment variable that temporarily restores the old behavior:
"The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable.
Note that if the CommonName is an invalid host name, it's always ignored, regardless of GODEBUG settings. Invalid names include those with any characters other than letters, digits, hyphens and underscores, and those with empty labels or trailing dots."
Source: Go 1.15 Release Notes.
In routing-release 0.209.0, the team bumped the Golang version to 1.15.6 and ran with the x509ignoreCN=0 flag so that the Golang upgrade could get started.
In routing-release 0.220.0, the BOSH property golang.x509ignoreCN was added. It lets operators toggle whether Golang's strict requirement for at least one SAN in a TLS certificate is temporarily ignored by running with the GODEBUG=x509ignoreCN=0 environment variable.
By default, this property is true and is not configurable in TAS, meaning that by default certificates are not (yet) strictly checked for a SAN.
If you have configured the TLS termination point in the Networking configuration section as either HAProxy or Gorouter, the operator should provide:
If you have configured the TLS termination point in the Networking configuration section as Infrastructure load balancer, the operator should provide the Load Balancer with a TLS certificate that has a Subject Alternative Name (SAN) matching the CommonName of the certificate as soon as possible.
You can check whether your certificates contain a SAN by running the following command and looking in the output for values in the X509v3 Subject Alternative Name: field:
$ openssl x509 -noout -text -in gorouter_tls_cert.pem
Certificate:
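The following Go program is an added example and is not code from this article or from routing-release. It ties together the two points above: the Go 1.15 change that stops treating CommonName as a host name (the GODEBUG=x509ignoreCN=0 escape hatch was removed entirely in Go 1.17), and the openssl check for the X509v3 Subject Alternative Name field. It builds two constructed self-signed certificates for an assumed host name, one carrying the name only in CommonName and one with a matching SAN, lists the SANs of each the way the openssl output would show them, and asks Go's own x509.VerifyHostname whether it accepts each certificate for that host. The host name, key type and validity period are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCertPEM builds a constructed, self-signed test certificate for host and
// returns it PEM-encoded. withSAN controls whether host is also written into
// the Subject Alternative Name extension; without it the certificate carries
// the host name only in the CommonName field (the legacy pattern).
func makeCertPEM(host string, withSAN bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // assumed short validity
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// parsePEM decodes the first CERTIFICATE block in pemBytes.
func parsePEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SANNames returns every DNS and IP Subject Alternative Name in the PEM
// certificate, the same values an operator looks for in the
// "X509v3 Subject Alternative Name" field of the openssl output.
// An empty result means the certificate relies on CommonName alone.
func SANNames(pemBytes []byte) ([]string, error) {
	cert, err := parsePEM(pemBytes)
	if err != nil {
		return nil, err
	}
	var names []string
	names = append(names, cert.DNSNames...)
	for _, ip := range cert.IPAddresses {
		names = append(names, ip.String())
	}
	return names, nil
}

// AcceptedForHost reports whether Go's own host name verification accepts the
// certificate for host. Since Go 1.17 this ignores CommonName unconditionally,
// so a certificate without a matching SAN is rejected.
func AcceptedForHost(pemBytes []byte, host string) (bool, error) {
	cert, err := parsePEM(pemBytes)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	const host = "gorouter.example.test" // constructed host name
	for _, withSAN := range []bool{false, true} {
		certPEM, err := makeCertPEM(host, withSAN)
		if err != nil {
			panic(err)
		}
		sans, _ := SANNames(certPEM)
		ok, _ := AcceptedForHost(certPEM, host)
		fmt.Printf("SAN present=%v SANs=%v accepted for %q: %v\n", withSAN, sans, host, ok)
	}
}
```

Running it shows the CommonName-only certificate with no SANs and rejected by VerifyHostname, while the certificate that also carries the name as a SAN is accepted; the same SANNames check can be pointed at a real Gorouter or load balancer certificate file by reading its PEM bytes instead of generating one.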