Description
Describe the bug
We have a DB backend that uses TLS and has a server certificate with a trailing dot in the SAN field of the certificate. The latest version of Vault fails to connect to that server with the following error: error creating database object: error verifying connection: ping failed: failed to connect to host=REDACTED user=vault-uLmTVnVc database=postgres: failed to write startup message (tls: failed to parse certificate from server: x509: SAN dNSName is malformed)
The certificate is valid and used by other clients successfully. This is likely due to this Go bug, fixed in 1.25.3: golang/go#75828
To Reproduce
Steps to reproduce the behavior:
- Create a connection to a DB backend that has a trailing dot in the SAN field of its TLS certificate.
- We see this kind of certificate on the CloudSQL instances of S3NS, a French cloud provider based on GCP.
- See the error when Vault tries to connect to the DB.
Expected behavior
Vault accepts the certificate as valid and connects to the DB host successfully.
Environment:
- Vault Server Version (retrieve with vault status): 1.21.0
- Vault CLI Version (retrieve with vault version): irrelevant
- Server Operating System/Architecture: Linux amd64
Vault server configuration file(s):
I think it's irrelevant, but can provide it if you really think it's needed.
Additional context
This is very likely a consequence of this Go bug: golang/go#75828
DNS names that finish with dots are perfectly valid, and we can't expect our cloud provider to change to certificates without this trailing dot.
Releasing a version of Vault built with Go 1.25.3 is likely to fix the issue.
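Added example (not code from the issue, from Vault or from Go): an offline way to check the parser behaviour described above. It builds a constructed self-signed certificate whose SAN carries the trailing-dot name db.example.com. (a made-up name), then reads the SAN dNSName entries directly with encoding/asn1, independently of crypto/x509, so the names remain visible even on a Go toolchain whose x509.ParseCertificate rejects the certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
)

// BuildTrailingDotCert returns a constructed self-signed DER certificate whose SAN carries
// "db.example.com." (trailing dot). CreateCertificate only checks that SAN names are IA5 strings.
func BuildTrailingDotCert() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "db.example.com"},
		DNSNames: []string{"db.example.com.", "db.example.com"}} // constructed names
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// SANDNSNames reads the SAN dNSName entries with encoding/asn1 instead of x509.ParseCertificate,
// so the names stay visible on a toolchain that reports "SAN dNSName is malformed".
func SANDNSNames(der []byte) (names []string, err error) {
	var cert struct { // signature fields after TBS stay unparsed; asn1 allows trailing members
		TBS struct { // a cert carrying extensions is v3, so the [0] Version element is present
			Version, Serial, Alg, Issuer, Validity, Subject, SPKI asn1.RawValue
			Exts []pkix.Extension `asn1:"optional,explicit,tag:3"`
		}
	}
	if _, err = asn1.Unmarshal(der, &cert); err != nil {
		return nil, err
	}
	for _, ext := range cert.TBS.Exts {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) { // id-ce-subjectAltName
			var gns []asn1.RawValue // GeneralNames; [2] IMPLICIT IA5String is dNSName
			if _, err = asn1.Unmarshal(ext.Value, &gns); err != nil {
				return nil, err
			}
			for _, gn := range gns {
				if gn.Class == asn1.ClassContextSpecific && gn.Tag == 2 {
					names = append(names, string(gn.Bytes))
				}
			}
		}
	}
	return names, nil
}
```

Calling x509.ParseCertificate on the same DER shows the running toolchain's verdict: nil on a Go release carrying the golang/go#75828 fix, the "SAN dNSName is malformed" error quoted in this issue on the affected ones.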