Add note about IP address as CN not supported for Gitaly TLS

Signed-off-by: Balasankar "Balu" C <balasankar@gitlab.com>

Add note about IP address as CN not supported for Gitaly TLS
Signed-off-by: Balasankar "Balu" C <balasankar@gitlab.com>
4d980ec1 · Balasankar "Balu" C · e56c7cdc · 4d980ec1
Commit 4d980ec1 authored Sep 30, 2019 by Balasankar "Balu" C
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

doc/administration/gitaly/index.md doc/administration/gitaly/index.md +8 -0

No files found.
--- a/doc/administration/gitaly/index.md
+++ b/doc/administration/gitaly/index.md
@@ -377,6 +377,14 @@ The certificate to be used needs to be installed on all Gitaly nodes and on all
 client nodes that communicate with it following the procedure described in
 [GitLab custom certificate configuration](https://docs.gitlab.com/omnibus/settings/ssl.html#install-custom-public-certificates).
+NOTE: **Note**
+The self-signed certificate must specify the address you use to access the
+Gitaly server. If you are addressing the Gitaly server by a hostname, you can
+either use the Common Name field for this, or add it as a Subject Alternative
+Name. If you are addressing the Gitaly server by its IP address, you must add it
+as a Subject Alternative Name to the certificate.
+[gRPC does not support using an IP address as Common Name in a certificate](https://github.com/grpc/grpc/issues/2691).
 NOTE: **Note:**
 It is possible to configure Gitaly servers with both an
 unencrypted listening address `listen_addr` and an encrypted listening