
Getting the error "cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs" when the ClientAuth option is set to VerifyClientCertIfGiven in the server's TLS configuration

Open ruchakulkarni11 opened this issue 9 months ago • 1 comments

How can I make the client certificate optional when using gnmic with a gRPC server that has TLS enabled and the ClientAuth option set to VerifyClientCertIfGiven?

Currently, when I don't provide a client certificate, I encounter the following error: Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs".

However, the connection works fine when I provide a certificate or use the --skip-verify option with gnmic.

Is it necessary to use the --skip-verify option in this case if the client does not send a certificate, or is there another solution for making the certificate optional while avoiding this error?

ruchakulkarni11, Mar 19 '25 19:03

--skip-verify has nothing to do with the client certificate. It simply instructs the client to not verify the server certificate.

> Currently, when I don't provide a client certificate, I encounter the following error: Err: connection error: desc = "transport: authentication handshake failed: tls: failed to verify certificate: x509: cannot validate certificate for x.x.x.x because it doesn't contain any IP SANs".

Where do you see this error? Client side or server side?

> However, the connection works fine when I provide a certificate or use the --skip-verify option with gnmic.

How did you provide a certificate to gNMIc in this case?

Like always, if you share the commands you used with the outcome of each one, it's much easier to understand what you tested.

karimra, Apr 05 '25 21:04
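
An added example, not part of the issue thread and not gnmic's code: it reproduces the x509 error text quoted in the issue with Go's crypto/tls, showing that the check runs on the client against the server certificate and is settled by the server certificate's IP SANs, not by whether the client sends a certificate. Assumptions: a plain HTTPS test server stands in for the gRPC server (the failure occurs during the TLS handshake, before any gRPC traffic), the certificate is a constructed self-signed one, and `getWithoutClientCert` is a hypothetical helper name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// getWithoutClientCert starts a constructed TLS server on 127.0.0.1 that sets
// ClientAuth=VerifyClientCertIfGiven and dials it by IP with no client certificate.
func getWithoutClientCert(ipSANs ...net.IP) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  ipSANs, // the only field that differs between runs
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}},
		ClientAuth:   tls.VerifyClientCertIfGiven,
	}
	srv.StartTLS() // srv.Client() trusts this certificate but still checks its SANs
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL) // https://127.0.0.1:<port>
	if err != nil {
		return err // raised by the client while verifying the server certificate
	}
	return resp.Body.Close()
}

func main() {
	fmt.Println("no IP SAN:  ", getWithoutClientCert())
	fmt.Println("with IP SAN:", getWithoutClientCert(net.ParseIP("127.0.0.1")))
}
```

In both runs the client presents no certificate and the server's ClientAuth setting is unchanged; only the server certificate's IP SAN list differs.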