Before 7.0, when contacting a remote cluster whose version is > 4.0, the sanInCertificate variable for the remote cluster reference is set to true.
This is evident from the log message as follows
Since all supported clusters are now > 4.0, there was no need to check against that version. The change to remove this check was introduced as part of changeset to
Specifically, at http://review.couchbase.org/c/goxdcr/+/152288/3/utils/utils.go#b2682, the sanInCertificate value that should have been set to true was mistakenly not returned as such.
This leads to create messages like the following once a full-encryption secure reference is created (note the SANInCertificate change from <7.0):
Without SANInCertificate being set to true, there can be situations where REST commands come back with errors such as:
The hint is that the error messages ask to "use SANs"; before 7.0, SANInCertificate was set to true, so this error would not have shown up.
The workaround is to add the environment variable GODEBUG=x509ignoreCN=0, which is why this is not marked as a blocker.
Regardless, this needs to be fixed and backported to 7.0.2.
|For Gerrit Dashboard: MB-48016|
|159713,2||MB-48016 - https protocol should ensure sanInCertificate is set||cheshire-cat||goxdcr||Status: MERGED||+2||+1|