[Feat/bug] TLS config, allow to define x509.VerifyOptions.KeyUsages

[k0ste]

Proposal

Since this: Ending TLS Client Authentication Certificate Support in 2026

---

• LE removed "TLS Client Authentication EKU" (this is just some field)
• Modern Go strictly enforces that if a specific usage is requested in VerifyOptions, the certificate must have it.

Please add to AM option, with that administrator can disable check for "X509v3 Extended Key Usage", because we okay with just cert is valid

---

Example gossip configuration:

tls_client_config:
    cert_file: /etc/pki/tls/private/le/fullchain.pem
    key_file: /etc/pki/tls/private/le/privkey.pem
    server_name: am2.example.com
tls_server_config:
    cert_file: /etc/pki/tls/private/le/fullchain.pem
    client_auth_type: RequireAndVerifyClientCert
    key_file: /etc/pki/tls/private/le/privkey.pem
    min_version: TLS13

Alertmanager log:

Apr 03 16:14:26 am2.example.com alertmanager[1853810]: time=2026-04-03T16:14:26.440+07:00 level=DEBUG source=net.go:974 msg="[DEBUG] memberlist: Initiating push/pull sync with:  100.100.101.30:9094" component=cluster
Apr 03 16:14:26 am2.example.com alertmanager[1853810]: time=2026-04-03T16:14:26.443+07:00 level=DEBUG source=memberlist.go:288 msg="[DEBUG] memberlist: failed to join 100.100.101.30:9094: remote error: tls: bad certificate" component=cluster
Apr 03 16:14:26 am2.example.com alertmanager[1853810]: time=2026-04-03T16:14:26.443+07:00 level=DEBUG source=cluster.go:440 msg=failure component=cluster msg=reconnect peer="" addr=100.100.101.30:9094 err="1 error occurred:\n\t* failed to join 100.100.101.30:9094: remote error: tls: bad certificate\n\n"
Apr 03 16:14:27 am2.example.com alertmanager[1853810]: time=2026-04-03T16:14:27.336+07:00 level=DEBUG source=tls_transport.go:275 msg="error reading from connection" component=cluster err="error reading message length: tls: failed to verify certificate: x509: certificate specifies an incompatible key usage"

[TheMeier]

Well I do understand where this is comming from, but to me this proposal does not feel right. The acceptance of mixed-used certificates will become less overall in the future anyway.

[k0ste]

Well I do understand where this is comming from, but to me this proposal does not feel right. The acceptance of mixed-used certificates will become less overall in the future anyway.

For 20 years, these certificates were fine. Now, one large corporation has decided they're not. And a service (Let's Encrypt) that's supposed to be a "public good" can't create a 'legacy' profile (which would have to be specifically configured, not the default)

Now, an entire department of security engineers can spend years for changing certificates, explaining the need for their job. What impact does this have on real security in companies with fewer than 1,000 employees? Zero

The service administrator can decide whether certificates without this field are suitable or not. Otherwise, RequireAnyClientCert already does the same thing, only in a dirty way