Cluster build error - x509: certificate relies on legacy Common Name field #51

Closed
binlab opened this issue Jul 29, 2021 · 2 comments · Fixed by #52
Labels: bug (Something isn't working), critical (Critical issue or bug), depreciation (Depreciated dependencies)

Comments

binlab commented Jul 29, 2021

Error building cluster - x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0

System log:

```
Jul 29 12:13:24 ip-172-31-31-133 rkt[1486]: [ 2437.262873] vault[6]: 2021-07-29T12:13:24.453Z [INFO]  http: TLS handshake error from 172.31.31.151:56356: remote error: tls: bad certificate
Jul 29 12:13:24 ip-172-31-31-133 rkt[1486]: [ 2436.986806] vault[6]: 2021-07-29T12:13:24.177Z [ERROR] core: failed to retry join raft cluster: retry=2s
Jul 29 12:13:24 ip-172-31-31-133 rkt[1486]: [ 2436.986384] vault[6]: 2021-07-29T12:13:24.177Z [WARN]  core: join attempt failed: error="error during raft bootstrap init call: Put "https://node2.vault.int:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
Jul 29 12:13:24 ip-172-31-31-133 rkt[1486]: [ 2436.981194] vault[6]: 2021-07-29T12:13:24.171Z [INFO]  core: attempting to join possible raft leader node: leader_addr=https://node2.vault.int:8200
Jul 29 12:13:24 ip-172-31-31-133 rkt[1486]: [ 2436.980500] vault[6]: 2021-07-29T12:13:24.170Z [INFO]  core: security barrier not initialized
Jul 29 12:13:24 ip-172-31-31-133 rkt[1486]: [ 2436.979924] vault[6]: 2021-07-29T12:13:24.170Z [WARN]  core: join attempt failed: error="error during raft bootstrap init call: Put "https://node1.vault.int:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
Jul 29 12:13:24 ip-172-31-31-133 rkt[1486]: [ 2436.974437] vault[6]: 2021-07-29T12:13:24.164Z [INFO]  core: attempting to join possible raft leader node: leader_addr=https://node1.vault.int:8200
```

The error occurs on the latest Vault version, 1.7.3; with version 1.4.2 it works fine.

How to reproduce:

```hcl
module "vault" {
  source = "github.com/binlab/terraform-aws-vault-ha-raft?ref=v0.1.8"

  cluster_name        = "vault-raft"
  cluster_count       = 3
  node_instance_type  = "t3a.small"
  autounseal          = true
  nat_enabled         = true
  vpc_cidr            = "172.31.31.0/24"

  vpc_public_subnets = [
    "172.31.31.0/28",
    "172.31.31.16/28",
    "172.31.31.32/28",
  ]

  vpc_private_subnets = [
    "172.31.31.128/28",
    "172.31.31.144/28",
    "172.31.31.160/28",
  ]

  ami_image  = "ami-0bb5fc1412bbbb988"
  docker_tag = "1.7.3"
}
```

The same behavior occurs with the latest Vault module code from master, where rkt is replaced with Docker.

@binlab binlab self-assigned this Jul 29, 2021
@binlab binlab added bug Something isn't working critical Critical issue or bug labels Jul 29, 2021

binlab commented Jul 29, 2021

Logs with the latest code from master, with Docker instead of rkt:

```
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.251Z [INFO]  http: TLS handshake error from 172.31.31.168:55606: remote error: tls: bad certificate
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.090Z [INFO]  core: security barrier not initialized
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.044Z [ERROR] core: failed to retry join raft cluster: retry=2s
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.044Z [WARN]  core: join attempt failed: error="error during raft bootstrap init call: Put "https://node2.vault.int:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.038Z [INFO]  core: attempting to join possible raft leader node: leader_addr=https://node2.vault.int:8200
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.038Z [INFO]  core: security barrier not initialized
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.038Z [WARN]  core: join attempt failed: error="error during raft bootstrap init call: Put "https://node1.vault.int:8200/v1/sys/storage/raft/bootstrap/challenge": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"
Jul 29 12:23:22 ip-172-31-31-136.ec2.internal docker[1760]: 2021-07-29T12:23:22.031Z [INFO]  core: attempting to join possible raft leader node: leader_addr=https://node1.vault.int:8200
```


binlab commented Jul 29, 2021

Starting from Vault version 1.6.0, it moved to Go version 1.15.4.

> Prior to Go 1.15 TLS verification would fall back to using the Common Name field of a certificate for the hostname. Go 1.15 no longer does that by default and requires that there's a DNS entry in the Subject Alternative Names field. (source)

From Go 1.15, TLS Common Name field verification is deprecated:

> **X.509 CommonName deprecation**
> The deprecated, legacy behavior of treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is now disabled by default. It can be temporarily re-enabled by adding the value x509ignoreCN=0 to the GODEBUG environment variable.
> Note that if the CommonName is an invalid host name, it's always ignored, regardless of GODEBUG settings. Invalid names include those with any characters other than letters, digits, hyphens and underscores, and those with empty labels or trailing dots. (source)

An alternative way to fix this issue can be adding the environment variable GODEBUG=x509ignoreCN=0.
