Header Shadow Image


Cloudera: WrongHost: Peer certificate subjectAltName does not match host, expected HOST01, got HOST02

Getting the following while connecting TLS enabled Azure, AWS or GCP cloud hosts to Cloudera Manager?

[18/May/2020 13:12:09 +0000] 2413 Thread-13 downloader   INFO     Fetching torrent: https://cm-r01nn01.mws.mds.xyz:7183/cmf/parcel/download/CDH-6.3.0-1.cdh6.3.0.p0.1279813-el7.parcel.torrent
[18/May/2020 13:12:09 +0000] 2413 Thread-13 https        ERROR    Failed to retrieve/store URL: https://cm-r01nn01.mws.mds.xyz:7183/cmf/parcel/download/CDH-6.3.0-1.cdh6.3.0.p0.1279813-el7.parcel.torrent -> /opt/cloudera/parcel-cache/CDH-6.3.0-1.cdh6.3.0.p0.1279813-el7.parcel.torrent Peer certificate subjectAltName does not match host, expected cm-r01nn01.mws.mds.xyz, got DNS:cm-c01.mws.mds.xyz
Traceback (most recent call last):
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 193, in fetch_to_file
    resp = self.open(req_url)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 188, in open
    return self.opener(url, *pargs, **kwargs)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 179, in https_open
    return self.do_open(opener, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/httpslib.py", line 69, in connect
    sock.connect((self.host, self.port))
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 313, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Checker.py", line 125, in __call__
    fieldName='subjectAltName')
WrongHost: Peer certificate subjectAltName does not match host, expected cm-r01nn01.mws.mds.xyz, got DNS:cm-c01.mws.mds.xyz

Regenerate the cm-c01.mws.mds.xyz certificate but this time include the individual CM server names in the subjectAltName as follows:

keytool -genkeypair -alias cm-c01.mws.mds.xyz -keyalg RSA -keysize 2048 -dname "cn=cm-c01.mws.mds.xyz,OU=MDS,O=MDS,L=Los Angeles,ST=California,C=US" -keypass <PASS> -keystore cm-c01.mws.mds.xyz.keystore.jks -storepass <PASS> -validity 3650 -ext EKU=serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,OCSPSigning -ext san=dns:cm-c01.mws.mds.xyz,dns:cm-r01nn01.mws.mds.xyz,dns:cm-r01nn02.mws.mds.xyz

(cleanup) keytool -delete -keystore /opt/cloudera/security/pki/cm-r01nn01.mws.mds.xyz.keystore.jks -storepass <PASS> -alias cm-c01.mws.mds.xyz

(cleanup) keytool -list -keystore /opt/cloudera/security/pki/cm-r01nn01.mws.mds.xyz.keystore.jks -storepass cm-r01nn01.mws.mds.xyz

(not required) keytool -importkeystore -srckeystore cm-c01.mws.mds.xyz.keystore.jks -destkeystore /opt/cloudera/security/pki/cm-r01nn01.mws.mds.xyz.keystore.jks -deststoretype pkcs12


Remove key from keystore ( Yeah, we're using the truststore here.  This is in error and was an early botched attempt that still needs cleaning up. ) .  Now delete the old key from the keystore and add the new one:

keytool -delete -keystore /etc/pki/ca-trust/extracted/java/jssecacerts -storepass changeit -alias cm-c01.mws.mds.xyz
keytool -list -keystore /etc/pki/ca-trust/extracted/java/jssecacerts -storepass changeit|grep PrivateKeyEntry

keytool -importkeystore -srckeystore cm-c01.mws.mds.xyz.keystore.jks -destkeystore /etc/pki/ca-trust/extracted/java/jssecacerts -srcalias cm-c01.mws.mds.xyz  -deststorepass changeit -srcstorepass <PASS> -destalias cm-c01.mws.mds.xyz

Thx,
TK


     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License