{"id":5403,"date":"2020-05-26T22:50:46","date_gmt":"2020-05-27T02:50:46","guid":{"rendered":"https:\/\/microdevsys.com\/wp\/?p=5403"},"modified":"2020-05-26T22:53:27","modified_gmt":"2020-05-27T02:53:27","slug":"cloudera-and-azure-wronghost-peer-certificate-subjectaltname-does-not-match-host-expected-got-dnshost01-dom-com-dnshost02-dom-com-dnshost03-dom-com","status":"publish","type":"post","link":"https:\/\/microdevsys.com\/wp\/cloudera-and-azure-wronghost-peer-certificate-subjectaltname-does-not-match-host-expected-got-dnshost01-dom-com-dnshost02-dom-com-dnshost03-dom-com\/","title":{"rendered":"Cloudera and Azure: WrongHost: Peer certificate subjectAltName does not match host, expected , got DNS:host01.dom.com, DNS:host02.dom.com, DNS:host03.dom.com"},"content":{"rendered":"

\n\tSo you're getting this while trying to connect Cloud Hosts to your local Cloudera Infrastructure?\n<\/p>\n

\r\nWrongHost: Peer certificate subjectAltName does not match host, expected dhcp-100-0-0-100.remote.user.isp.com, got DNS:srv-c01.cdh.local.hst, DNS:cm-r01nn01.cdh.local.hst, DNS:cm-r01nn02.cdh.local.hst<\/code><\/span><\/pre>\n
\n\t\n<\/p>\n
\n\tThe reason for this is that Cloudera reconfigured your Agent config.ini to use the hostname derived from the IP address that is used to login to the remote machine. This is done while adding a new node.  The script that does this is below:  \n<\/p>\n
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]# ls -altri
\n\ttotal 152
\n\t 67410958 -rwxr-xr-x   1 cdhroot cdhroot 49327 May 25 00:27 scm_prepare_node.sh<\/strong><\/span>
\n\t 67410959 -rw-r–r–   1 cdhroot cdhroot  3023 May 25 00:27 US_export_policy.jar.8
\n\t 67410960 -rw-r–r–   1 cdhroot cdhroot  3035 May 25 00:27 local_policy.jar.8
\n\t 67410961 -rw-r–r–   1 cdhroot cdhroot 13155 May 25 00:27 customGPG
\n\t 67410962 -rw-r–r–   1 cdhroot cdhroot    63 May 25 00:27 packages.scm
\n\t 67410963 -rw-r–r–   1 cdhroot cdhroot    63 May 25 00:27 always_install.scm
\n\t 67410964 -rw-r–r–   1 cdhroot cdhroot    15 May 25 00:27 x86_64_packages.scm
\n\t101634639 drwxrwxr-x   3 cdhroot cdhroot    19 May 25 00:27 repos
\n\t 34689507 drwx——   2 cdhroot cdhroot    83 May 25 00:27 gnupg.vNKKLRISC9
\n\t 67410966 -rw-rw-r–   1 cdhroot cdhroot  1670 May 25 00:27 F36A89E33CC1BD0F71079007327574EE02A818DD.pub
\n\t 67410967 -rw-rw-r–   1 cdhroot cdhroot  1691 May 25 00:27 5F14D39EF0681ACA6F044A43F90C0D8FE8F86ACD.pub
\n\t 67410968 -rw-rw-r–   1 cdhroot cdhroot  1735 May 25 00:27 9543951160C284C0E7CA254573985D43B0B19C9F.pub
\n\t 67410969 -rw-rw-r–   1 cdhroot cdhroot  3104 May 25 00:27 CECDB80C4E9004B0CFE852962279662784415700.pub
\n\t 67410970 -rw-rw-r–   1 cdhroot cdhroot  5416 May 25 00:27 DF2C4DD7629B1AC08A0966E00F65552736F57F35.pub
\n\t 67410965 -rw-rw-r–   1 cdhroot cdhroot 20819 May 25 00:27 scm_prepare_node.log
\n\t 67410957 drwx——   4 cdhroot cdhroot  4096 May 26 21:53 .
\n\t 33554504 drwxrwxrwt. 16 root    root     8192 May 26 22:01 ..
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#<\/span>\n<\/p>\n
\n\tBelow is a sample of it's log file:\n<\/p>\n
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]# cat scm_prepare_node.log<\/strong>
\n\tusing SSH_CLIENT to get the SCM hostname: 100.0.0.100 42572 22
\n\topening logging file descriptor
\n\t###CLOUDERA_SCM### SCRIPT_START
\n\t###CLOUDERA_SCM### TAKE_LOCK
\n\tBEGIN flock 4
\n\tEND (0)
\n\t###CLOUDERA_SCM### DETECT_ROOT
\n\teffective UID is 1000
\n\tBEGIN which pbrun
\n\tEND (1)
\n\tBEGIN sudo -S id
\n\twhich: no pbrun in (\/usr\/local\/bin:\/usr\/bin)
\n\tuid=0(root) gid=0(root) groups=0(root)
\n\tEND (0)
\n\tUsing 'sudo ' to acquire root privileges
\n\t###CLOUDERA_SCM### DETECT_DISTRO
\n\tBEGIN grep Tikanga \/etc\/redhat-release
\n\tEND (1)
\n\tBEGIN grep 'Scientific Linux release 5' \/etc\/redhat-release
\n\tEND (1)
\n\tBEGIN grep Santiago \/etc\/redhat-release
\n\tEND (1)
\n\tBEGIN grep 'CentOS Linux release 6' \/etc\/redhat-release
\n\tEND (1)
\n\tBEGIN grep 'CentOS release 6' \/etc\/redhat-release
\n\tEND (1)
\n\tBEGIN grep 'Scientific Linux release 6' \/etc\/redhat-release
\n\tEND (1)
\n\tBEGIN grep Maipo \/etc\/redhat-release
\n\tEND (1)
\n\tBEGIN grep 'CentOS Linux release 7' \/etc\/redhat-release
\n\tEND (0)
\n\t\/etc\/redhat-release ==> CentOS 7
\n\t###CLOUDERA_SCM### DETECT_SCM
\n\tCentOS Linux release 7.5.1804 (Core)
\n\tBEGIN host -t PTR 100.0.0.100<\/strong><\/span>
\n\t100.0.0.100.in-addr.arpa domain name pointer dhcp-100-0-0-100.cable.user.start.ca.
\n\tEND (0)
\n\tusing dhcp-100-0-0-100.cable.user.start.ca as scm server hostname
\n\tBEGIN which python
\n\tEND (0)
\n\t.
\n\t.
\n\t.<\/span>\n<\/p>\n
\n\tNotice how the reverse lookup of the ISP IP is being shown.  We want to ensure the hostname returned is what we have in our SSL \/ TLS Certificates.\n<\/p>\n
\n\tTo circumvent this, dnsmasqerade<\/strong> can be installed to intercept the reverse lookup requests and present the correct hostname the TLS certificate expects.  Here is the full config:\n<\/p>\n
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]# host -t PTR 100.0.0.100
\n\t100.0.0.100.in-addr.arpa domain name pointer srv-c01.mws.mds.xyz.
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]# cat \/etc\/hosts
\n\t127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
\n\t::1         localhost localhost.localdomain localhost6 localhost6.localdomain6<\/span>\n<\/p>\n
\n\t31.25.100.45            cm-awn01.nix.mds.xyz cm-awn01
\n\t10.0.0.6                cm-awn01.nix.mds.xyz cm-awn01
\n\t100.0.0.100         srv-c01.mws.mds.xyz<\/span>\n<\/p>\n
\n\t100.0.0.100         srv-c01.mws.mds.xyz srv-c01
\n\t100.0.0.100         cm-r01nn01.mws.mds.xyz cm-r01nn01
\n\t100.0.0.100         cm-r01nn02.mws.mds.xyz cm-r01nn02
\n\t100.0.0.100         cm-r01en01.mws.mds.xyz cm-r01en01
\n\t100.0.0.100         cm-r01en02.mws.mds.xyz cm-r01en02
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]# cat \/etc\/resolv.conf
\n\t# Generated by NetworkManager
\n\tsearch 4iktk4qpujwufjkjx511w5ourh.bx.internal.cloudapp.net nix.mds.xyz
\n\tnameserver 127.0.0.1
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]# cat \/etc\/dnsmasq.conf
\n\tconf-dir=\/etc\/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig<\/span>\n<\/p>\n
\n\tlisten-address=::1,127.0.0.1,10.0.0.6<\/span>\n<\/p>\n
\n\tinterface=eth0
\n\t# expand-hosts
\n\t# domain=nix.mds.xyz<\/span>\n<\/p>\n
\n\t# Google's nameservers
\n\tserver=123.123.123.123
\n\tserver=8.8.8.8
\n\tserver=8.8.4.4<\/span>\n<\/p>\n
\n\taddress=\/nix.mds.xyz\/127.0.0.1
\n\taddress=\/nix.mds.xyz\/10.0.0.6
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]# systemctl status dnsmasq
\n\t? dnsmasq.service – DNS caching server.
\n\t   Loaded: loaded (\/usr\/lib\/systemd\/system\/dnsmasq.service; enabled; vendor preset: disabled)
\n\t   Active: active (running) since Tue 2020-05-26 22:23:45 EDT; 1min 55s ago
\n\t Main PID: 4841 (dnsmasq)
\n\t   CGroup: \/system.slice\/dnsmasq.service
\n\t           ??4841 \/usr\/sbin\/dnsmasq -k<\/span>\n<\/p>\n
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-c…inotify
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: using nameserver 8.8.4.4#53
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: using nameserver 8.8.8.8#53
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: using nameserver 123.123.123.123#53
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: reading \/etc\/resolv.conf
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: using nameserver 8.8.4.4#53
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: using nameserver 8.8.8.8#53
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: using nameserver 123.123.123.123#53
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: ignoring nameserver 127.0.0.1 – local interface
\n\tMay 26 22:23:45 cm-awn01.nix.mds.xyz dnsmasq[4841]: read \/etc\/hosts – 10 addresses
\n\tHint: Some lines were ellipsized, use -l to show in full.
\n\t[root@cm-awn01 scm_prepare_node.pFWkTK2i]#<\/span>
\n\t \n<\/p>\n
\n\tThx,
\n\tTK<\/p>\n\n    
\n\n\t\t\n        
    \n\t\t\t        <\/ul>\n    <\/div> \n","protected":false},"excerpt":{"rendered":"
    So you're getting this while trying to connect Cloud Hosts to your local Cloudera Infrastructure? WrongHost: Peer certificate subjectAltName does not match host, expected dhcp-100-0-0-100.remote.user.isp.com, got DNS:srv-c01.cdh.local.hst, DNS:cm-r01nn01.cdh.local.hst, DNS:cm-r01nn02.cdh.local.hst<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5403","post","type-post","status-publish","format-standard","hentry","category-unix-linux-admin-stuff"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/5403","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/comments?post=5403"}],"version-history":[{"count":2,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/5403\/revisions"}],"predecessor-version":[{"id":5405,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/5403\/revisions\/5405"}],"wp:attachment":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/media?parent=5403"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/categories?post=5403"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/tags?post=5403"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}