Problem
TFE failed to start up with the error below from the ptfe_vault container:
Error initializing storage of type postgresql: failed to check for native upsert: x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0
Cause
Since TFE release v20170101, the internal Vault has been upgraded to version 1.7.3, which upgrades Go to version 1.15.
Go 1.15 deprecated the legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present.
Solutions
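- Upgrade the Postgres server certificate to include a SAN extension
- A temporary workaround is to change the Postgres sslmode connection parameter from verify-full to verify-ca. verify-ca still validates the certificate chain but does not check the server host name against the certificate.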