In https://github.com/basho/riak-python-client/blame/master/riak/transports/pbc/connection.py#L133 the prefix riak@ is added to the SSL certificate host check. Therefore the CN or SAN records of the server certificate need to be riak@<hostname> or riak@<ip_addr>`, whereas it's common practice to issue server certificate for the host-name or ip address of the server. The client behaviour is therefore unexpected. Furthermore, this behaviour is unique to the python and ruby clients and generally completely undocumented in Riak's server documentation.
The test certificate has a CN record of riak@127.0.0.1, which should be changed accordingly.
In https://github.com/basho/riak-python-client/blame/master/riak/transports/pbc/connection.py#L133 the prefix
riak@is added to the SSL certificate host check. Therefore the CN or SAN records of the server certificate need to beriak@<hostname>or riak@<ip_addr>`, whereas it's common practice to issue server certificate for the host-name or ip address of the server. The client behaviour is therefore unexpected. Furthermore, this behaviour is unique to the python and ruby clients and generally completely undocumented in Riak's server documentation.The test certificate has a CN record of
riak@127.0.0.1, which should be changed accordingly.