Issue with PD Identity Authentication cert-allowed-cn

Note:
This topic has been translated from a Chinese forum by GPT and might contain errors.

Original topic: pd身份认证cert-allowed-cn问题

| username: 月明星稀

This document states that multiple CNs can be configured, but the actual deployment indicates that only one is supported.
[FATAL] [main.go:100] ["create server failed"] [error="[PD:grpcutil:ErrSecurityConfig]security config error: only supports one CN"] [stack="main.main\n\t/home/jenkins/agent/workspace/build-common/go/src/github.com/pingcap/pd/cmd/pd-server/main.go:100\nruntime.main\n\t/usr/local/go/src/runtime/proc.go:250"]

Does anyone know if this cert-allowed-cn is supposed to configure the CN value of the TiKV certificate, or something else?

| username: Anna | Original post link

cert-allowed-cn

  • The list of acceptable X.509 common names in the certificate provided by the client. Requests will only be allowed if the provided common name exactly matches one of the entries in the list.
  • Default value: []. This means that client certificate CN checks are disabled by default.

| username: Anna | Original post link

Currently, the cert-allowed-cn configuration item of DM-master can only be set to one value. Therefore, the commonName of all Certificate objects must be set to the same value.
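To make the two rules in this thread concrete, here is an added Go example (not PD's or DM's own code) that models them: the documented check from the post above (an empty list disables CN checking, otherwise the client certificate's CN must exactly match an entry) and the startup constraint from the question's log line (more than one configured CN is rejected). The `SecurityConfig` type and the `Validate`, `CheckCN` and `newSelfSignedCert` names are illustrative assumptions; the self-signed certificate is generated in memory only so the example runs offline, whereas a real cluster uses certificates issued by its own CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SecurityConfig is an illustrative stand-in holding only the field under
// discussion; it is not PD's configuration struct.
type SecurityConfig struct {
	CertAllowedCN []string // corresponds to cert-allowed-cn in the [security] section
}

// Validate models the startup constraint reported in the question's log:
// the server refuses to start when more than one CN is configured.
func (c SecurityConfig) Validate() error {
	if len(c.CertAllowedCN) > 1 {
		return errors.New("security config error: only supports one CN")
	}
	return nil
}

// CheckCN applies the documented rule: an empty list disables the check,
// otherwise the client certificate's CN must exactly (case-sensitively)
// match one of the configured entries.
func (c SecurityConfig) CheckCN(cert *x509.Certificate) error {
	if len(c.CertAllowedCN) == 0 {
		return nil // check disabled by default
	}
	for _, cn := range c.CertAllowedCN {
		if cert.Subject.CommonName == cn {
			return nil
		}
	}
	return fmt.Errorf("client CN %q is not in cert-allowed-cn %v",
		cert.Subject.CommonName, c.CertAllowedCN)
}

// newSelfSignedCert builds a throwaway client certificate with the given CN
// so the example runs without any files; this is a constructed test input.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A single configured CN: the only shape the server accepts.
	cfg := SecurityConfig{CertAllowedCN: []string{"tikv-node"}}
	if err := cfg.Validate(); err != nil {
		fmt.Println("startup rejected:", err)
		return
	}
	for _, cn := range []string{"tikv-node", "pd-node"} {
		cert, err := newSelfSignedCert(cn)
		if err != nil {
			panic(err)
		}
		if err := cfg.CheckCN(cert); err != nil {
			fmt.Println("rejected:", err)
		} else {
			fmt.Println("accepted client CN", cn)
		}
	}
	// Two entries reproduce the fatal error quoted in the question.
	fmt.Println(SecurityConfig{CertAllowedCN: []string{"tikv", "dm"}}.Validate())
}
```

The practical consequence, as the post above says, is that every certificate a client component presents to the server must carry the same CN as the single configured entry; a certificate issued for a different CN is rejected even if it chains to the trusted CA.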

| username: Anna | Original post link

Check this out: Enable TLS for DM (为 DM 开启 TLS) | PingCAP Documentation Center

| username: redgame | Original post link

The cert-allowed-cn should be configured as the CN value of the host actually using the certificate to ensure that only trusted certificates can communicate with the PD server.