Ticket #810 (closed defect: fixed)
1.0 client fails ssl CN check
Reported by: | lueningh | Owned by: | desai |
---|---|---|---|
Priority: | major | Milestone: | Bcfg2 1.0.1 Release |
Component: | bcfg2-client | Version: | 1.0 |
Keywords: | | Cc: | |
Description
In my client bcfg2.conf file, I specify the server using its IP address. The client doesn't like that though:
```
vs1:~ # bcfg2 -v -n
No ca is specified. Cannot authenticate the server with SSL.
Unknown failure
Traceback (most recent call last):
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 54, in __call__
    return _Method.__call__(self, *args)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 250, in request
    self.send_content(h, request_body)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1243, in send_content
    connection.endheaders()
  File "/usr/lib64/python2.4/httplib.py", line 795, in endheaders
    self._send_output()
  File "/usr/lib64/python2.4/httplib.py", line 676, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.4/httplib.py", line 643, in send
    self.connect()
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 152, in connect
    self._connect_m2crypto()
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 223, in _connect_m2crypto
    self.sock.connect((self.host, self.port)) # automatically checks cert matches host
  File "/usr/local/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 157, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/local/lib64/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 101, in __call__
    fieldName='commonName')
WrongHost: Peer certificate commonName does not match host, expected 10.40.2.7, got mgt7.ether.alcf.anl.gov
Failed to download probes from bcfg2
Server Failure
vs1:~ #
```
Change History
comment:2 Changed 13 years ago by desai
- Status changed from new to closed
- Resolution set to fixed
The traceback is resolved in [7d803fd552feeeac071848aef58b2314276ab21f] (SVN r5616). The server cert needs to be rejiggered to get the right altNames in there as well.
I think this can be addressed by changing your configuration.
Here is my interpretation of what is going on: The client is configured to use the xmlrpc/ssl protocol to communicate with a server specified using a URL that includes an IP address. From the looks of the error message, the client's bcfg2.conf file looks something like the following:
The server is configured to use an SSL certificate, and that certificate has a commonName but no subjectAltName. From the looks of the error message, the commonName probably has the value mgt7.ether.alcf.anl.gov.
The reason you're getting this server failure is that the client is comparing the "server name" you asked for in the config file (10.40.2.7) against the server name in the certificate it received during the SSL handshake (mgt7.ether.alcf.anl.gov), and they do not match. The client stops talking to the server at this point because it thinks the server isn't who it asked for.
There are two ways to address this. First, you might be able to replace the IP address in your client's bcfg2.conf file with the mgt7.ether.alcf.anl.gov value. This assumes that your DNS server associates the mgt7.ether.alcf.anl.gov name with 10.40.2.7.
Alternatively, you can change the server's certificate so that the client validation routines will accept it as a match against IP address 10.40.2.7. You can do this with a subjectAltName like IP:10.40.2.7.
In my environment, I create Bcfg2 server certificates that have a common name matching the primary DNS hostname (the A record) where the server can be reached. I then add subjectAltNames for that record and all other CNAMEs by which the server could be reached. Then I specify the URL in the bcfg2.conf file using one of those DNS names.
Mike
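The comparison Mike describes, written out as an added example (this is not Bcfg2 or M2Crypto code; it follows the modern RFC 6125 rules, under which an IP literal in the URL can only be satisfied by an iPAddress subjectAltName, never by the commonName). The two certificates are constructed samples in the layout Python's `ssl` module returns from `getpeercert()`, using the ticket's values: the CN-only certificate reproduces the WrongHost failure for 10.40.2.7, and the one carrying `IP:10.40.2.7` passes.

```python
import ipaddress

# Constructed sample certificates in the layout ssl.SSLSocket.getpeercert() returns.
CERT_CN_ONLY = {
    "subject": ((("commonName", "mgt7.ether.alcf.anl.gov"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "mgt7.ether.alcf.anl.gov"),),),
    "subjectAltName": (("DNS", "mgt7.ether.alcf.anl.gov"),
                       ("DNS", "bcfg2.ether.alcf.anl.gov"),
                       ("IP Address", "10.40.2.7")),
}

def _as_ip(text):
    """Return an ip_address object if `text` is an IP literal, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive DNS match; one wildcard allowed, only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if len(plabels) < 3 or plabels[0] != "*" or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]

def match_hostname(cert, host):
    """True if `cert` is valid for `host` (DNS name or IP literal).
    An IP literal matches only iPAddress SAN entries, never the commonName, which is
    why asking for 10.40.2.7 fails against CN=mgt7.ether.alcf.anl.gov in the ticket."""
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(host)
    if ip is not None:
        return any(k == "IP Address" and _as_ip(v) == ip for k, v in sans)
    dns_names = [v for k, v in sans if k == "DNS"]
    if dns_names:
        return any(_dns_match(p, host) for p in dns_names)
    # No dNSName entries: fall back to the subject commonName (legacy behaviour).
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_match(value, host)
    return False
```

With `CERT_CN_ONLY`, `match_hostname(cert, "10.40.2.7")` is False while the DNS name matches; with `CERT_WITH_SAN` both forms of the server address are accepted.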