Ticket #810 (closed defect: fixed)

Opened 12 years ago

Last modified 12 years ago

1.0 client fails ssl CN check

Reported by: lueningh Owned by: desai
Priority: major Milestone: Bcfg2 1.0.1 Release
Component: bcfg2-client Version: 1.0
Keywords: Cc:

Description

In my client bcfg2.conf file, I specify the server using its IP address. The client doesn't like that though:

vs1:~ # bcfg2 -v -n
No ca is specified. Cannot authenticate the server with SSL.
Unknown failure
Traceback (most recent call last):
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 54, in __call__
    return _Method.__call__(self, *args)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1096, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1383, in __request
    verbose=self.__verbose
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 250, in request
    self.send_content(h, request_body)
  File "/usr/lib64/python2.4/xmlrpclib.py", line 1243, in send_content
    connection.endheaders()
  File "/usr/lib64/python2.4/httplib.py", line 795, in endheaders
    self._send_output()
  File "/usr/lib64/python2.4/httplib.py", line 676, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.4/httplib.py", line 643, in send
    self.connect()
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 152, in connect
    self._connect_m2crypto()
  File "/usr/lib64/python2.4/site-packages/Bcfg2/Proxy.py", line 223, in _connect_m2crypto
    self.sock.connect((self.host, self.port)) # automatically checks cert matches host
  File "/usr/local/lib64/python2.4/site-packages/M2Crypto/SSL/Connection.py", line 157, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/usr/local/lib64/python2.4/site-packages/M2Crypto/SSL/Checker.py", line 101, in __call__
    fieldName='commonName')
WrongHost: Peer certificate commonName does not match host, expected 10.40.2.7, got mgt7.ether.alcf.anl.gov
Failed to download probes from bcfg2
Server Failure
vs1:~ # 

Change History

comment:1 Changed 12 years ago by mccallis

I think this can be addressed by changing your configuration.

Here is my interpretation of what is going on: The client is configured to use the xmlrpc/ssl protocol to communicate with a server specified using a URL that includes an IP address. From the looks of the error message, the client's bcfg2.conf file looks something like the following:

[communication]
protocol = xmlrpc/ssl
user = SOMEUUID
password = SOMEPASSWORD

[components]
bcfg2 = https://10.40.2.7:6789

The server is configured to use an SSL certificate, and that certificate has a commonName but no subjectAltName. From the looks of the error message, the commonName probably has the value mgt7.ether.alcf.anl.gov.

The reason you're getting this server failure is that the client is comparing the "server name" you asked for in the config file (10.40.2.7) against the server name in the certificate it received during the SSL handshake (mgt7.ether.alcf.anl.gov), and they do not match. The client stops talking to the server at this point because it thinks the server isn't who it asked for.

There are two ways to address this. First, you might be able to replace the IP address in your client's bcfg2.conf file with the mgt7.ether.alcf.anl.gov value. This assumes that your DNS server associates the mgt7.ether.alcf.anl.gov name with 10.40.2.7.

Alternatively, you can change the server's certificate so that the client validation routines will accept it as a match against IP address 10.40.2.7. You can do this with a subjectAltName like IP:10.40.2.7.

In my environment, I create Bcfg2 server certificates that have a common name matching the primary DNS hostname (the A record) where the server can be reached. I then add serverAltNames for that record and all other CNAMEs by which the server could be reached. Then I specify the URL in the bcfg2.conf file using one of those DNS names.

Mike
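The identity check that the traceback shows failing, and both of the fixes described in the comment above, as an added example (this is not Bcfg2 or M2Crypto code). Certificates are modelled in the dict shape Python's ssl.getpeercert() returns; the certificate contents below are constructed from the host name and IP quoted in the ticket, not real certificate data.

```python
"""Hostname/IP verification against a server certificate, the step that raised
WrongHost in the ticket.  Added example, not Bcfg2 or M2Crypto code.
Certificates are modelled as the dict shape returned by ssl.getpeercert();
all certificate values in this file are constructed."""
import ipaddress


class WrongHost(Exception):
    """Raised when the certificate does not identify the host we asked for."""


def _dns_matches(pattern, hostname):
    """RFC 6125-style DNS-ID match: case-insensitive, one leftmost '*' label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False  # wildcard only in the leftmost label, never spanning a TLD
    return p_labels[1:] == h_labels[1:]


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_peer_identity(cert, requested_host):
    """Decide whether `cert` identifies `requested_host`.

    * If the cert carries a subjectAltName, it is authoritative: an IP literal
      must match an 'IP Address' entry, a name must match a 'DNS' entry.
    * Only when no SAN is present does the subject commonName count, and a CN
      is compared as a name, so an IP literal never matches a hostname CN
      (the ticket's situation: expected 10.40.2.7, got mgt7.ether.alcf.anl.gov).
    """
    san = cert.get("subjectAltName", ())
    if san:
        if _is_ip(requested_host):
            wanted = ipaddress.ip_address(requested_host)
            for kind, value in san:
                if kind == "IP Address" and ipaddress.ip_address(value) == wanted:
                    return True
        else:
            for kind, value in san:
                if kind == "DNS" and _dns_matches(value, requested_host):
                    return True
        raise WrongHost(
            "Peer certificate subjectAltName does not match host, expected %s, got %s"
            % (requested_host, ", ".join("%s:%s" % e for e in san)))
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for cn in cns:
        if _dns_matches(cn, requested_host):
            return True
    raise WrongHost(
        "Peer certificate commonName does not match host, expected %s, got %s"
        % (requested_host, ", ".join(cns) or "<no CN>"))


# Constructed certificates (ssl.getpeercert() shape) using the ticket's names.
CERT_CN_ONLY = {
    "subject": ((("commonName", "mgt7.ether.alcf.anl.gov"),),),
}
CERT_WITH_SAN = {
    "subject": ((("commonName", "mgt7.ether.alcf.anl.gov"),),),
    "subjectAltName": (("DNS", "mgt7.ether.alcf.anl.gov"),
                       ("DNS", "bcfg2.ether.alcf.anl.gov"),
                       ("IP Address", "10.40.2.7")),
}


def verify(cert, host):
    """Return (ok, message) so a caller can log the reason instead of crashing."""
    try:
        check_peer_identity(cert, host)
        return True, "ok"
    except WrongHost as exc:
        return False, str(exc)


if __name__ == "__main__":
    # The ticket: bcfg2.conf points at the IP, the cert carries only a CN.
    print(verify(CERT_CN_ONLY, "10.40.2.7"))
    # Fix 1: point bcfg2.conf at the DNS name the CN carries.
    print(verify(CERT_CN_ONLY, "mgt7.ether.alcf.anl.gov"))
    # Fix 2: reissue the server cert with subjectAltName IP:10.40.2.7.
    print(verify(CERT_WITH_SAN, "10.40.2.7"))
```

The first call reproduces the ticket's failure; the second and third correspond to the two fixes (change the URL in bcfg2.conf, or add an IP: subjectAltName to the server certificate). Note that once a SAN is present the CN is no longer consulted, which is why the comment's practice of listing every name and address the server answers to in the SAN matters.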

comment:2 Changed 12 years ago by desai

  • Status changed from new to closed
  • Resolution set to fixed

The traceback is resolved in [7d803fd552feeeac071848aef58b2314276ab21f] (SVN r5616). The server cert needs to be rejiggered to get the right altNames in there as well.

comment:3 Changed 12 years ago by solj

  • Milestone changed from Bcfg2 1.1.0 Release to Bcfg2 1.0.1 Release
