Pivotal Knowledge Base

Ops Manager configuration error: "hostname <IP address> does not match the server certificate"

Environment

Product: Pivotal Cloud Foundry
Version: All

Symptom

When attempting to add a certificate to Ops Manager, configuration fails with a "hostname does not match" error when saving changes. This issue can occur in OpenStack environments, which require specifying the Authentication URL of the keystone endpoint on OpenStack.

Error Message: 

Identity ---- https://<IP address>:5000/v2.0

Please review the errors below 
hostname "<IP address>" does not match the server certificate 
All errors will be reverified before installation.

Cause

This can be caused by the certificate being signed with CN=FQDN while the endpoint uses the IP address. 

This issue happens when Operations Manager gets an auth token from the identity endpoint. The endpoint used to check storage groups in OpenStack is discovered from the authentication endpoint. If the discovered endpoint uses an IP address, it will not match the certificate, which uses the FQDN as the CN.

Resolution

This can be fixed either by changing the endpoint or re-signing the certificate so both are using the same format.

1. Confirm the hostnames (CN= field) used in the certificate by running the command:

openssl x509 -in pcf-s3.crt -noout -text

2. Display the certificate presented when connecting to the endpoint:

openssl s_client -showcerts -connect <endpoint address>

3. Verify settings for any endpoint configured in Opsman -> Director Tile -> Openstack Config. If the customer is using OpenStack then verify "Authentication URL" and whether it is using IP address or FQDN. If the customer is using the S3 blobstore then verify this endpoint as well.

4. Verify any endpoints configured on OpenStack (keystone, neutron, etc.) and whether they use IP address or FQDN.

5. If the steps above reveal a mismatch, the easiest solution is to change the endpoints so that they match the hostname used in the certificate. For instance, if the certificate uses an FQDN, then the endpoints should also be configured with the FQDN. If the certificate uses an IP address in the CN field, then the endpoints should also use the IP address.
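
The comparison behind steps 1 to 5 can be reproduced offline with Ruby's OpenSSL bindings, which is where the `post_connection_check` frame in the stack trace below comes from. This is an added example, not code from Ops Manager or from this article; the FQDN, the IP address and the helper names are constructed for illustration. It goes one step beyond the CN check in step 1 by also showing a certificate re-signed with both names in subjectAltName.

```ruby
require "openssl"

# Constructed sample values (assumptions, not taken from the article).
FQDN = "keystone.example.internal"
IP   = "192.0.2.10"

# Build a throwaway self-signed certificate with the given CN and optional SAN list.
def make_cert(cn, san: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if san
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension("subjectAltName", san, false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Names the certificate carries: subject CN values plus any subjectAltName entries.
def cert_names(cert)
  cn  = cert.subject.to_a.select { |oid, _, _| oid == "CN" }.map { |_, value, _| value }
  ext = cert.extensions.find { |e| e.oid == "subjectAltName" }
  { cn: cn, san: ext ? ext.value.split(", ") : [] }
end

# The identity check that post_connection_check applies to the host in the URL.
def endpoint_matches?(cert, url_host)
  OpenSSL::SSL.verify_certificate_identity(cert, url_host)
end

if __FILE__ == $0
  cn_only  = make_cert(FQDN)
  with_san = make_cert(FQDN, san: "DNS:#{FQDN},IP:#{IP}")
  { "CN only" => cn_only, "CN + SAN" => with_san }.each do |label, cert|
    puts "#{label}: #{cert_names(cert)}"
    [FQDN, IP].each { |host| puts "  #{host} -> #{endpoint_matches?(cert, host)}" }
  end
end
```

The CN-only certificate matches the FQDN but not the IP address, which is the failure described in this article. When a subjectAltName extension with DNS or IP entries is present, Ruby's check uses those entries and ignores the CN.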

Additional Information

Full error stacktrace:

Excon::Errors::SocketError hostname "10.62.184.23" does not match the server certificate (OpenSSL::SSL::SSLError) 
/usr/local/lib/ruby/2.3.0/openssl/ssl.rb:318:in `post_connection_check'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/ssl_socket.rb:135:in `initialize'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:404:in `new'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:404:in `socket'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:106:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/mock.rb:47:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/instrumentor.rb:25:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:15:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:15:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/middlewares/base.rb:15:in `request_call'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/excon-0.49.0/lib/excon/connection.rb:250:in `request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/fog-core-1.37.0/lib/fog/core/connection.rb:81:in `request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/fog-1.35.0/lib/fog/openstack/compute.rb:355:in `request'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/fog-1.35.0/lib/fog/openstack/requests/compute/list_security_groups.rb:22:in `list_security_groups'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/fog-1.35.0/lib/fog/openstack/models/compute/security_groups.rb:11:in `all'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/fog-core-1.37.0/lib/fog/core/collection.rb:113:in `lazy_load'
/home/tempest-web/tempest/web/vendor/bundle/ruby/2.3.0/gems/fog-core-1.37.0/lib/fog/core/collection.rb:17:in `each'
/home/tempest-web/tempest/web/lib/karl/openstack.rb:70:in `find'
/home/tempest-web/tempest/web/lib/karl/openstack.rb:70:in `check_security_group'
/home/tempest-web/tempest/web/lib/karl/openstack.rb:44:in `check_configuration!'
/home/tempest-web/tempest/web/app/models/tempest/verifiers/internal/iaas_configuration_verifier.rb:23:in `block in iaas_configuration_valid'
/home/tempest-web/tempest/web/lib/karl_error_translator.rb:3:in `with_karl_error_translation'
/home/tempest-web/tempest/web/app/models/tempest/verifiers/internal/iaas_configuration_verifier.rb:22:in `iaas_configuration_valid'
