Erlang SSL clients don't support wildcards in SAN entries in OTP 20, which is what Couchbase Server currently runs against. See this Erlang ticket: https://bugs.erlang.org/browse/ERL-542.
This is a problem since using the common name in the subject field for server identity has long since been deprecated (see https://tools.ietf.org/html/rfc2818#section-3.1) and a DNS SAN entry should be used. Additionally, in split-DNS (i.e. cloud) environments, using DNS SAN entries is now completely the norm, so this issue rises to the level of node-to-node encryption not working with wildcards.
We should patch our Erlang with this pull request to allow wildcards in SAN entries to work.
For Gerrit Dashboard: MB-37420

| 120213,5 | MB-37420: Match wildcards in subjectAltNames (Erlang) | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 120342,1 | Merge remote-tracking branch 'origin/mad-hatter' | master | tlm | Status: MERGED | +2 | +1 |
| 121123,3 | MB-37420: Update Erlang version - Windows only | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 121166,2 | MB-37420: Bump erlang on Windows to -cb10 (built from correct branch) | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 121168,2 | MB-37420: Typo in manifest.cmake | mad-hatter | tlm | Status: MERGED | +2 | +1 |
| 121169,1 | Merge branch 'mad-hatter' | master | tlm | Status: MERGED | +2 | +1 |
| 129426,1 | [WIP] Use customize_hostname_check to match wildcards | master | ns_server | Status: ABANDONED | 0 | 0 |
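
The wildcard dNSName matching this ticket asks for, written as a `match_fun` for the `customize_hostname_check` client option named in the last change above. This is an added example, not Couchbase's patch or OTP's own code; the module and function names are hypothetical, and it assumes an OTP release whose `ssl` application accepts `customize_hostname_check`.

```erlang
%% Added example: module and function names are hypothetical.
-module(san_wildcard_example).
-export([client_opts/2, match_fun/2, selftest/0]).

%% TLS client options: chain verification stays on (verify_peer); only the
%% comparison of the requested host against SAN entries is replaced.
client_opts(Host, CaFile) ->
    [{verify, verify_peer},
     {cacertfile, CaFile},
     {server_name_indication, Host},
     {customize_hostname_check, [{match_fun, fun ?MODULE:match_fun/2}]}].

%% Called for each (reference id, presented SAN entry) pair. Returning
%% 'default' leaves every non-DNS id type to OTP's built-in comparison.
match_fun({dns_id, Ref = [_ | _]}, {dNSName, San = [_ | _]}) ->
    dns_match(string:lowercase(Ref), string:lowercase(San));
match_fun(_Ref, _Presented) ->
    default.

%% "*" is honoured only as the complete left-most label and stands for
%% exactly one non-empty label; the rest must be equal and contain a dot,
%% so "*.com" never matches. Stricter than some verifiers by design.
dns_match(Ref, "*." ++ Suffix) ->
    case string:split(Ref, ".") of
        [[_ | _], Suffix] -> lists:member($., Suffix);
        _ -> false
    end;
dns_match(Ref, San) ->
    Ref =:= San.

%% Constructed host names; each line crashes with badmatch if the rule breaks.
selftest() ->
    W = {dNSName, "*.cluster.example.com"},
    true    = match_fun({dns_id, "Node1.Cluster.Example.com"}, W),
    false   = match_fun({dns_id, "a.b.cluster.example.com"}, W),
    false   = match_fun({dns_id, "cluster.example.com"}, W),
    false   = match_fun({dns_id, "example.com"}, {dNSName, "*.com"}),
    true    = match_fun({dns_id, "db.example.com"}, {dNSName, "db.example.com"}),
    default = match_fun({ip, {10, 0, 0, 1}}, W),
    ok.
```

Pass the result of `client_opts/2` to `ssl:connect/3`; `selftest/0` returns `ok` when the matching rules hold.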