Gyuho Lee
@keyankay SSL config looks good, but you are advertising the default route `0.0.0.0`. Try fixing:

```
--advertise-client-urls https://0.0.0.0:2379 \
--listen-client-urls https://10.53.70.188:2379
```

To

```
--advertise-client-urls https://10.53.70.188:2379 \
--listen-client-urls https://0.0.0.0:2379
```

...
Can you regenerate certs with `TLS Web Server Authentication, TLS Web Client Authentication` for `X509v3 Extended Key Usage`? For our debugging, we need a reproducible way.
> I also checked in 3.2.7, the problem exists. I installed etcd 3.1.10 and I do not see the issue. I sense this is an etcd bug

How did you...

> Unable to communicate securely with peer: requested domain name does not match the server's certificate.

On your second logs, I don't see any `X509v3 Subject Alternative Name:`?
Sorry, I didn't have time to reproduce. In the meantime, could you also try http://play.etcd.io/install with the latest etcd release? It explains `cfssl` the same way as etcd tests TLS.
Seems like you don't specify the SAN field in your certs?
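The two certificate properties asked about in the comments above (a Subject Alternative Name covering the address clients dial, and an Extended Key Usage with both server and client authentication) can be checked with Go's standard library. This is an added example, not code from the original comments or from etcd; `checkCert` and `selfSigned` are hypothetical helpers and the certificate is constructed in memory for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// checkCert (hypothetical helper) flags SAN and EKU gaps in a certificate.
func checkCert(cert *x509.Certificate, host string) (problems []string) {
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		problems = append(problems, "no SAN")
	} else if cert.VerifyHostname(host) != nil {
		problems = append(problems, "SAN does not cover "+host)
	}
	has := map[x509.ExtKeyUsage]bool{}
	for _, u := range cert.ExtKeyUsage {
		has[u] = true
	}
	if !has[x509.ExtKeyUsageServerAuth] {
		problems = append(problems, "no server auth EKU")
	}
	if !has[x509.ExtKeyUsageClientAuth] {
		problems = append(problems, "no client auth EKU")
	}
	return problems
}

// selfSigned returns a constructed throwaway certificate for the demo.
func selfSigned(ips []net.IP, ekus ...x509.ExtKeyUsage) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "etcd-example"}, IPAddresses: ips,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: ekus}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	println(len(checkCert(selfSigned(nil, x509.ExtKeyUsageServerAuth), "10.53.70.188")))
}
```

To check a real certificate, decode its PEM file and pass the result of `x509.ParseCertificate` to `checkCert` instead of the constructed one.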
Hmm, do you see the same behavior with v0.0.4? ref. https://github.com/coreos/zetcd/compare/v0.0.4...v0.0.5
It would be best if you can provide reproducible steps. And also try to heap-profile zetcd.
@matthewmrichter Please enable profile via `zetcd --pprof-addr` flag. And do something like

```bash
go tool pprof -seconds=30 http://zetcd-endpoint/debug/pprof/heap
go tool pprof ~/go/src/github.com/coreos/etcd/bin/etcd ./pprof/pprof.localhost\:2379.alloc_objects.alloc_space.inuse_objects.inuse_space.001.pb.gz
go tool pprof -pdf ~/go/src/github.com/coreos/etcd/bin/etcd ./pprof/pprof.localhost\:2379.alloc_objects.alloc_space.inuse_objects.inuse_space.001.pb.gz >...
```
I've been seeing this in ec2::DescribeVolumes calls...