Cloudera: WrongHost: Peer certificate subjectAltName does not match host, expected HOST01, got HOST02

Getting the following while connecting TLS-enabled Azure, AWS or GCP cloud hosts to Cloudera Manager?

[18/May/2020 13:12:09 +0000] 2413 Thread-13 downloader   INFO     Fetching torrent: https://cm-r01nn01.mws.mds.xyz:7183/cmf/parcel/download/CDH-6.3.0-1.cdh6.3.0.p0.1279813-el7.parcel.torrent
[18/May/2020 13:12:09 +0000] 2413 Thread-13 https        ERROR    Failed to retrieve/store URL: https://cm-r01nn01.mws.mds.xyz:7183/cmf/parcel/download/CDH-6.3.0-1.cdh6.3.0.p0.1279813-el7.parcel.torrent -> /opt/cloudera/parcel-cache/CDH-6.3.0-1.cdh6.3.0.p0.1279813-el7.parcel.torrent Peer certificate subjectAltName does not match host, expected cm-r01nn01.mws.mds.xyz, got DNS:cm-c01.mws.mds.xyz
Traceback (most recent call last):
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 193, in fetch_to_file
    resp = self.open(req_url)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 188, in open
    return self.opener(url, *pargs, **kwargs)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 179, in https_open
    return self.do_open(opener, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/httpslib.py", line 69, in connect
    sock.connect((self.host, self.port))
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 313, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Checker.py", line 125, in __call__
    fieldName='subjectAltName')
WrongHost: Peer certificate subjectAltName does not match host, expected cm-r01nn01.mws.mds.xyz, got DNS:cm-c01.mws.mds.xyz

Regenerate the cm-c01.mws.mds.xyz certificate, but this time include the individual CM server names in the subjectAltName, as follows:

keytool -genkeypair -alias cm-c01.mws.mds.xyz -keyalg RSA -keysize 2048 -dname "cn=cm-c01.mws.mds.xyz,OU=MDS,O=MDS,L=Los Angeles,ST=California,C=US" -keypass <PASS> -keystore cm-c01.mws.mds.xyz.keystore.jks -storepass <PASS> -validity 3650 -ext EKU=serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,OCSPSigning -ext san=dns:cm-c01.mws.mds.xyz,dns:cm-r01nn01.mws.mds.xyz,dns:cm-r01nn02.mws.mds.xyz
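The check that fails in the traceback above is a plain comparison of the hostname the agent dialled against the dNSName entries in the server certificate's SAN. As an added example (not Cloudera or M2Crypto code), the script below parses a SAN listing in either openssl or keytool output format and reports which target hostnames the certificate would be rejected for; the SAN strings and the host list are constructed from the names in this post, and the wildcard rules follow RFC 6125.

```python
import re

# Constructed SAN values, in the two formats a practitioner sees: the openssl
# one-liner (`openssl x509 -noout -ext subjectAltName`) and keytool's
# `-list -v` listing. SAN_BEFORE is the single-name cert from the error above,
# SAN_AFTER the regenerated one covering each CM server name.
SAN_BEFORE = "DNS:cm-c01.mws.mds.xyz"
SAN_AFTER = ("DNS:cm-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, "
             "DNS:cm-r01nn02.mws.mds.xyz")
SAN_AFTER_KEYTOOL = """SubjectAlternativeName [
  DNSName: cm-c01.mws.mds.xyz
  DNSName: cm-r01nn01.mws.mds.xyz
  DNSName: cm-r01nn02.mws.mds.xyz
]"""

# Hostnames the agents dial; constructed from the hosts named in the log.
AGENT_TARGETS = ["cm-c01.mws.mds.xyz", "cm-r01nn01.mws.mds.xyz",
                 "cm-r01nn02.mws.mds.xyz"]


def parse_dns_sans(san_text):
    """Pull the dNSName entries out of either SAN listing format."""
    return [m.group(1).lower().rstrip(".")
            for m in re.finditer(r"DNS(?:Name)?:\s*([^,\s\]]+)", san_text)]


def san_matches(pattern, host):
    """RFC 6125 style comparison: exact match, or '*' standing in for the
    whole leftmost label only, and never reaching up to a 2-label suffix."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def check_hosts(san_text, hosts):
    """Map each host to the SAN entry covering it, or None: None is exactly the
    case in which the agent's checker raises WrongHost."""
    names = parse_dns_sans(san_text)
    return {h: next((n for n in names if san_matches(n, h)), None) for h in hosts}


if __name__ == "__main__":
    for label, san in (("before", SAN_BEFORE), ("after", SAN_AFTER)):
        for host, hit in check_hosts(san, AGENT_TARGETS).items():
            print(f"{label:6} {host:26} {'ok' if hit else 'WrongHost'}")
```

Run it against the output of `keytool -list -v` on the new keystore before rolling it out: every host an agent will connect through must resolve to a SAN entry, or that agent will hit the same WrongHost error.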

(cleanup) keytool -delete -keystore /opt/cloudera/security/pki/cm-r01nn01.mws.mds.xyz.keystore.jks -storepass <PASS> -alias cm-c01.mws.mds.xyz

(cleanup) keytool -list -keystore /opt/cloudera/security/pki/cm-r01nn01.mws.mds.xyz.keystore.jks -storepass cm-r01nn01.mws.mds.xyz

(not required) keytool -importkeystore -srckeystore cm-c01.mws.mds.xyz.keystore.jks -destkeystore /opt/cloudera/security/pki/cm-r01nn01.mws.mds.xyz.keystore.jks -deststoretype pkcs12


Remove key from keystore (yeah, we're using the truststore here; this is in error and was an early botched attempt that still needs cleaning up). Now delete the old key from the keystore and add the new one:

keytool -delete -keystore /etc/pki/ca-trust/extracted/java/jssecacerts -storepass changeit -alias cm-c01.mws.mds.xyz
keytool -list -keystore /etc/pki/ca-trust/extracted/java/jssecacerts -storepass changeit|grep PrivateKeyEntry

keytool -importkeystore -srckeystore cm-c01.mws.mds.xyz.keystore.jks -destkeystore /etc/pki/ca-trust/extracted/java/jssecacerts -srcalias cm-c01.mws.mds.xyz  -deststorepass changeit -srcstorepass <PASS> -destalias cm-c01.mws.mds.xyz

Thx,
TK

  Copyright © 2003 - 2025 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License