Labbs · moutonjeremy · Dec 17, 2025 · Dec 17, 2025 · Dec 17, 2025 · Dec 17, 2025
diff --git a/README.md b/README.md
@@ -122,6 +122,7 @@ spec:
 | `tlsCAKey` | Key name for CA certificate in the secret | no | `ca.crt` |
 | `tlsCertKey` | Key name for client certificate in the secret | no | `tls.crt` |
 | `tlsKeyKey` | Key name for client private key in the secret | no | `tls.key` |
+| `tlsServerName` | Server name for TLS verification (when connecting via IP) | no | - |
 | `tlsInsecureSkipVerify` | Skip TLS verification (not recommended) | no | `false` |
 
 ## 🔐 TLS Configuration

diff --git a/deploy/examples/issuer.yaml b/deploy/examples/issuer.yaml
@@ -59,10 +59,8 @@ spec:
               # tlsCAKey: "ca.crt"        # Key name for CA certificate
               # tlsCertKey: "tls.crt"     # Key name for client certificate
               # tlsKeyKey: "tls.key"      # Key name for client private key
-              # Example with custom key names:
-              # tlsCAKey: "etcd-ca.crt"
-              # tlsCertKey: "etcd-server.crt"
-              # tlsKeyKey: "etcd-server.key"
+              # Optional: Server name for TLS verification (useful when connecting via IP)
+              # tlsServerName: "etcd.local"
 ---
 # Example TLS Secret for etcd connection
 # The secret should contain (key names are configurable via tlsCAKey, tlsCertKey, tlsKeyKey):

diff --git a/pkg/solver/solver.go b/pkg/solver/solver.go
@@ -46,6 +46,8 @@ type EtcdConfig struct {
 	TLSCertKey string `json:"tlsCertKey,omitempty"`
 	// TLSKeyKey is the key name for client private key in the secret (default: tls.key)
 	TLSKeyKey string `json:"tlsKeyKey,omitempty"`
+	// TLSServerName is the server name for TLS certificate verification (useful when connecting via IP)
+	TLSServerName string `json:"tlsServerName,omitempty"`
 	// TLSInsecureSkipVerify skips TLS certificate verification (not recommended for production)
 	TLSInsecureSkipVerify bool `json:"tlsInsecureSkipVerify,omitempty"`
 	// TLSCA is the CA certificate in PEM format (alternative to using a secret)
@@ -258,6 +260,12 @@ func (e *EtcdDNSSolver) loadTLSConfigFromInline(cfg *EtcdConfig) (*tls.Config, e
 		InsecureSkipVerify: cfg.TLSInsecureSkipVerify,
 	}
 
+	// Set ServerName for TLS verification if specified
+	if cfg.TLSServerName != "" {
+		tlsConfig.ServerName = cfg.TLSServerName
+		klog.V(2).Infof("Using TLS ServerName: %s", cfg.TLSServerName)
+	}
+
 	// Load CA certificate if provided
 	if cfg.TLSCA != "" {
 		caCertPool := x509.NewCertPool()
@@ -306,6 +314,12 @@ func (e *EtcdDNSSolver) loadTLSConfigFromSecret(cfg *EtcdConfig, ch *v1alpha1.Ch
 		InsecureSkipVerify: cfg.TLSInsecureSkipVerify,
 	}
 
+	// Set ServerName for TLS verification if specified
+	if cfg.TLSServerName != "" {
+		tlsConfig.ServerName = cfg.TLSServerName
+		klog.V(2).Infof("Using TLS ServerName: %s", cfg.TLSServerName)
+	}
+
 	// Determine key names (use defaults if not specified)
 	caKey := cfg.TLSCAKey
 	if caKey == "" {