Remove the reuirement of SAN for root and intermediate certs

[Pothulapati]

So, The step folks replied that it is not advised to use --san with root and intermediate certs. But our CLI uses the x509.verify fn which is used to validate leaf certs not root and intermediate and hence has a strict requirement on verifying hostnames through SAN only. The code path starts here

We should,

• Update the cert generation docs to not have --san with root and issuer cert generation.
• Update the checks, etc where we validate intermediate Cert to not check for Hostname of issuerIdentity() as its not needed there. (we currently do this)

The SAN work we did with webhooks is still useful as they are used as leaf certs.

[jiraguha]

Thanks, @frigus02 and @Pothulapati ! I just spent hours trying to figure out what is:

x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

When launching linkerd check... It was just linkerd brew-cli related.

I moved to the bash installation what is better now. I hope that no one else will fall in the same trap.
Maybe this question was asked but why both cli (brew and bash bin) do not have the same behavior?

[Pothulapati]

@jiraguha Which version of Linkerd was this? This should not happen in the latest linkerd edge.

This happened because brew builds its own binaries with go 1.15 which had this breaking change!

[Pothulapati]

Looks like Homebrew only builds stable binaries and hence the new edge is not present there. https://formulae.brew.sh/formula/linkerd#default
We are doing a stable release i.e 2.9.1 next week probably which should be propogated into homebrew!

@alpeb Do we also push the edge binaries through Homebrew?