Ticket #810 (closed defect: fixed)

Opened 14 years ago

Last modified 14 years ago

1.0 client fails ssl CN check

Reported by: lueningh Owned by: desai
Priority: major Milestone: Bcfg2 1.0.1 Release
Component: bcfg2-client Version: 1.0
Keywords: Cc:


In my client bcfg2.conf file, I specify the server using its IP address. The client doesn't like that though:

vs1:~ # bcfg2 -v -n
No ca is specified. Cannot authenticate the server with SSL.
Unknown failure
Traceback (most recent call last):
  File "/usr/lib64/python2.4/site-packages/Bcfg2/", line 54, in __call__
    return _Method.__call__(self, *args)
  File "/usr/lib64/python2.4/", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.4/", line 1383, in __request
  File "/usr/lib64/python2.4/site-packages/Bcfg2/", line 250, in request
    self.send_content(h, request_body)
  File "/usr/lib64/python2.4/", line 1243, in send_content
  File "/usr/lib64/python2.4/", line 795, in endheaders
  File "/usr/lib64/python2.4/", line 676, in _send_output
  File "/usr/lib64/python2.4/", line 643, in send
  File "/usr/lib64/python2.4/site-packages/Bcfg2/", line 152, in connect
  File "/usr/lib64/python2.4/site-packages/Bcfg2/", line 223, in _connect_m2crypto
    self.sock.connect((, self.port)) # automatically checks cert matches host
  File "/usr/local/lib64/python2.4/site-packages/M2Crypto/SSL/", line 157, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/local/lib64/python2.4/site-packages/M2Crypto/SSL/", line 101, in __call__
WrongHost: Peer certificate commonName does not match host, expected, got
Failed to download probes from bcfg2
Server Failure
vs1:~ # 


Change History

comment:1 Changed 14 years ago by mccallis

I think this can be addressed by changing your configuration.

Here is my interpretation of what is going on: The client is configured to use the xmlrpc/ssl protocol to communicate with a server specified using a URL that includes an IP address. From the looks of the error message, the client's bcfg2.conf file looks something like the following:

protocol = xmlrpc/ssl

bcfg2 =

The server is configured to use an SSL certificate, and that certificate has a commonName but no subjectAltName. From the looks of the error message, the commonName probably has the value

The reason you're getting this server failure is that the client is comparing the "server name" you asked for in the config file ( against the server name in the certificate it received during the SSL handshake (, and they do not match. The client stops talking to the server at this point because it thinks the server isn't who it asked for.

There are two ways to address this. First, you might be able to replace the IP address in your client's bcfg2.conf file with the value. This assumes that your DNS server associates the name with

Alternatively, you can change the server's certificate so that the client validation routines will accept it as a match against IP address You can do this with a subjectAltName like IP:

In my environment, I create Bcfg2 server certificates that have a common name matching the primary DNS hostname (the A record) where the server can be reached. I then add serverAltNames for that record and all other CNAMEs by which the server could be reached. Then I specify the URL in the bcfg2.conf file using one of those DNS names.
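The check mccallis describes, as an added illustration (this is not code from the ticket, from Bcfg2 or from M2Crypto): the requested server name is compared against the certificate's subjectAltName entries when any exist (DNS names for a hostname, IP entries for a literal address), and only falls back to the commonName when the certificate carries no subjectAltName at all. The certificate values below are passed in the dict shape that Python's ssl.SSLSocket.getpeercert() returns; the hostname bcfg2.example.com and the address 192.0.2.10 are constructed placeholders, since the ticket elides the real ones.

```python
"""Match a requested host against a peer certificate's names.

The certificate is given in the dict shape ssl.SSLSocket.getpeercert()
returns: a 'subject' tuple of RDNs and, optionally, a 'subjectAltName'
tuple of (type, value) pairs such as ('DNS', 'x') or ('IP Address', 'y').
"""
import ipaddress


def _cn_from_subject(subject):
    """Return the commonName from a getpeercert()-style 'subject' value."""
    for rdn in subject:
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def _as_ip(value):
    """Parse value as an IP address, or return None if it is a hostname."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_name_matches(pattern, host, allow_wildcard=True):
    """Case-insensitive exact match, or a single leftmost wildcard label
    ('*.example.com' matches 'a.example.com' but not 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if (allow_wildcard and p_labels[0] == "*" and len(p_labels) > 2
            and len(p_labels) == len(h_labels)):
        return p_labels[1:] == h_labels[1:]
    return False


def cert_matches_host(cert, host):
    """Return (matched, reason) for the host the client asked for."""
    requested_ip = _as_ip(host)
    sans = cert.get("subjectAltName", ())
    if sans:
        # subjectAltName present: it is authoritative, the CN is ignored.
        for san_type, san_value in sans:
            if san_type == "DNS" and requested_ip is None \
                    and _dns_name_matches(san_value, host):
                return True, "matched subjectAltName DNS:%s" % san_value
            if san_type == "IP Address" and requested_ip is not None \
                    and _as_ip(san_value) == requested_ip:
                return True, "matched subjectAltName IP:%s" % san_value
        return False, "no subjectAltName entry matches %s" % host
    # No subjectAltName: fall back to the commonName, exact match only
    # for a literal IP address (no wildcard games with octets).
    cn = _cn_from_subject(cert.get("subject", ()))
    if cn is None:
        return False, "certificate has neither subjectAltName nor commonName"
    if _dns_name_matches(cn, host, allow_wildcard=requested_ip is None):
        return True, "matched commonName %s" % cn
    return False, "expected %s, got %s" % (host, cn)


# Constructed sample certificates (placeholder names, not the ticket's).
CERT_CN_ONLY = {
    "subject": ((("commonName", "bcfg2.example.com"),),),
}
CERT_WITH_SANS = {
    "subject": ((("commonName", "bcfg2.example.com"),),),
    "subjectAltName": (
        ("DNS", "bcfg2.example.com"),
        ("DNS", "config.example.com"),   # a CNAME the server is also reached by
        ("IP Address", "192.0.2.10"),
    ),
}


def ticket_scenario():
    """The failure in the ticket, then the two fixes proposed in the comment."""
    return {
        "ip_vs_cn_only": cert_matches_host(CERT_CN_ONLY, "192.0.2.10")[0],
        "dns_vs_cn_only": cert_matches_host(CERT_CN_ONLY, "bcfg2.example.com")[0],
        "ip_vs_san": cert_matches_host(CERT_WITH_SANS, "192.0.2.10")[0],
        "cname_vs_san": cert_matches_host(CERT_WITH_SANS, "config.example.com")[0],
    }


if __name__ == "__main__":
    for name, ok in ticket_scenario().items():
        print("%-16s %s" % (name, "match" if ok else "MISMATCH"))
```

The first entry of ticket_scenario() is the ticket: an IP in the URL against a CN-only certificate fails with the same "expected X, got Y" reason the traceback shows. Pointing the URL at the DNS name, or reissuing the certificate with an IP Address subjectAltName, makes it pass. When issuing the certificate with a current OpenSSL, the extension can be supplied on the request with -addext "subjectAltName=DNS:bcfg2.example.com,IP:192.0.2.10" (names again placeholders).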


comment:2 Changed 14 years ago by desai

  • Status changed from new to closed
  • Resolution set to fixed

The traceback is resolved in [7d803fd552feeeac071848aef58b2314276ab21f] (SVN r5616). The server cert needs to be rejiggered to get the right altNames in there as well.

comment:3 Changed 14 years ago by solj

  • Milestone changed from Bcfg2 1.1.0 Release to Bcfg2 1.0.1 Release
