Tags: postgresql, docker, ssl, openssl, ssl-certificate

How to deploy a Postgres container with multi CN certificates


I have the following scenario:

A Postgres Docker container deployed with verify-full SSL on a cloud VM.

On the same host, via a Docker network, I have an API that connects to that database (this API will call the Postgres host "postgres", because that's how it is defined in the Docker network).

I also have the demand to open that Postgres database to external connections (via the server's IP).

However, the self-signed certificate used CN='postgres', making external connections fail because the "hostname" isn't "postgres" but the IP of that VM.

How to approach this scenario? Is it possible to have more than one CA for the same Postgres instance?

EDIT: Here's how I generated the certificates:

CA (root):

    openssl req -nodes -new -x509 -keyout server.key -out server.crt -subj '/C=BR/ST=SP/L=SP/O=postgres/CN=postgres'

Ext file content:

    echo "subjectAltName=DNS:postgres,IP:10.40.2.5" >> extfile.cnf

Client cert:

    openssl genrsa -des3 -out client/postgresql.key 2048
    openssl rsa -in client/postgresql.key -out client/postgresql.key
    openssl req -new -key client/postgresql.key -out client/postgresql.csr -subj '/C=BR/ST=SP/L=SP/O=postgres/CN=postgres'
    openssl x509 -req -in client/postgresql.csr -CA root.crt -CAkey server.key -out client/postgresql.crt -extfile extfile.cnf -CAcreateserial

pg_hba.conf line:

    hostssl all all all cert clientcert=verify-full


Solution

  • You added the SAN to the client cert, which doesn't make sense. It is the server, not the client, that needs to have the SAN.

    You also seem to be using the same cert as both the server cert and the CA cert (although your given list of commands is inaccurate/incomplete, so I can't be sure). This is a half-assed way of doing things. I don't know if it is even possible to add a SAN to a CA. You should make a CA, and then use it to sign both the server cert and the client cert. In this way, you will have no difficulty adding the SAN to the server cert and using it (which I just verified, but I had to give the different certs different CNs; you use an identical CN for two certs).
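The layout the answer recommends, as an added example that is not part of the original question or answer: one root CA, a server certificate signed by it that carries the SAN with both the Docker-network name and the VM's IP, and a client certificate signed by the same CA under a different CN. The DNS name "postgres" and the IP 10.40.2.5 come from the question; the output directory, the CA CN "postgres-root-ca" and the client CN "apiuser" (which, under clientcert=verify-full, has to equal the database role the API logs in as) are assumptions. The last function reproduces what a verify-full client does for a given host, so you can see the SAN accept both names and reject anything else before touching the container.

```shell
#!/bin/sh
# Added example (not from the original post). Requires the openssl CLI.
set -eu

# make_pg_certs DIR SERVER_DNS SERVER_IP CLIENT_CN
# Builds DIR/root.crt, DIR/server/server.{key,crt}, DIR/client/postgresql.{key,crt}.
make_pg_certs() {
    dir=$1; dns=$2; ip=$3; client_cn=$4
    mkdir -p "$dir/server" "$dir/client"

    # 1. Root CA: self-signed; its CN differs from the server and client CNs.
    openssl req -new -x509 -nodes -days 3650 -newkey rsa:2048 \
        -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/C=BR/ST=SP/L=SP/O=postgres/CN=postgres-root-ca" 2>/dev/null

    # 2. Server key + CSR, signed by the CA. The SAN goes on the *server*
    #    cert: verify-full matches it against whatever the client dialled,
    #    so the docker-network name and the VM IP are both listed.
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/server/server.key" -out "$dir/server/server.csr" \
        -subj "/C=BR/ST=SP/L=SP/O=postgres/CN=$dns" 2>/dev/null
    printf 'subjectAltName=DNS:%s,IP:%s\n' "$dns" "$ip" > "$dir/server.ext"
    openssl x509 -req -days 825 -in "$dir/server/server.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server/server.crt" 2>/dev/null

    # 3. Client cert: same CA, no SAN needed. With clientcert=verify-full the
    #    CN must equal the database user name ("apiuser" is an assumption).
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/client/postgresql.key" -out "$dir/client/postgresql.csr" \
        -subj "/C=BR/ST=SP/L=SP/O=postgres/CN=$client_cn" 2>/dev/null
    openssl x509 -req -days 825 -in "$dir/client/postgresql.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/client/postgresql.crt" 2>/dev/null

    # Postgres refuses a server key that is group- or world-readable.
    chmod 600 "$dir/server/server.key" "$dir/client/postgresql.key"
}

# verify_chain DIR CERT: succeeds if CERT chains to DIR/root.crt
verify_chain() {
    openssl verify -CAfile "$1/root.crt" "$2" >/dev/null 2>&1
}

# cert_has_san CERT NAME: succeeds if the decoded SAN extension contains NAME
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# verify_for_host DIR HOST: what a verify-full client does when it dials HOST
# (chain to the CA *and* a SAN match; DNS vs IP chosen by how HOST looks).
verify_for_host() {
    case $2 in
        *[!0-9.]*) opt=-verify_hostname ;;   # contains a letter: DNS name
        *)         opt=-verify_ip ;;          # dotted quad: IP SAN
    esac
    openssl verify -CAfile "$1/root.crt" "$opt" "$2" \
        "$1/server/server.crt" >/dev/null 2>&1
}

# Usage: make_pg_certs ./pgcerts postgres 10.40.2.5 apiuser
```

Point the container at the server files with ssl=on, ssl_cert_file, ssl_key_file and ssl_ca_file=root.crt in postgresql.conf, give the API and the external clients root.crt as sslrootcert with sslmode=verify-full, and keep the pg_hba.conf line from the question. Adding a third name later (a public DNS name, a second IP) means re-issuing only the server certificate; the CA and the client certificates stay valid.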