Bug 586563
| Summary: | certificate commonName does not match host | ||
|---|---|---|---|
| Product: | [Community] Candlepin | Reporter: | wes hayutin <whayutin> |
| Component: | candlepin | Assignee: | Bryan Kearney <bkearney> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Katello QA List <katello-qa-list> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 0.5 | CC: | bkearney |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Solaris | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-12-10 15:37:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 587713 | ||
This is from an old certificate still existing in the tomcat keystore. I've updated the deploy script to add a FORCECERT option, so you can redo all certificates. Note that after using FORCECERT, you'll have to delete /etc/pki/consumer/* for your client machines (I think this might be a client bug; will have to investigate). example usage: FORCECERT=1 HOSTNAME=localhost buildconf/scripts/deploy now when you configure your clients to connect to localhost, they won't complain about ssl. [candlepin@statler proxy]$ FORCECERT=1 HOSTNAME=statler.usersys.redhat.com buildconf/scripts/deploy Stopping tomcat6: [ OK ] (in /candlepin/candlepin/proxy, development) Cleaning candlepin Building candlepin Compiling candlepin into /candlepin/candlepin/proxy/target/classes Note: Some input files use unchecked or unsafe operations. Note: Recompile with -Xlint:unchecked for details. Compiling candlepin:test into /candlepin/candlepin/proxy/target/test/classes Note: /candlepin/candlepin/proxy/src/test/java/org/fedoraproject/candlepin/service/impl/test/DefaultEntitlementCertServiceAdapterTest.java uses unchecked or unsafe operations. Note: Recompile with -Xlint:unchecked for details. Instrumenting classes with emma metadata file /candlepin/candlepin/proxy/reports/emma/coverage.em redefining Project Skipping tests for candlepin Packaging candlepin Packaging candlepin-api-0.0.6.jar Packaging candlepin-0.0.6.war Completed in 10.172s + CERTS_HOME=/etc/candlepin/certs + CA_KEY=/etc/candlepin/certs/candlepin-ca.key + CA_CERT=/etc/candlepin/certs/candlepin-ca.crt + rpm -q openssl + '[' 0 -ne 0 ']' + '[' '!' -d /etc/candlepin/certs ']' + HOSTNAME=statler.usersys.redhat.com + '[' -f /etc/candlepin/certs/candlepin-ca.key ']' + echo 'Creating CA private key' Creating CA private key + sudo openssl genrsa -out /etc/candlepin/certs/candlepin-ca.key 1024 Generating RSA private key, 1024 bit long modulus ....................++++++ ..............................++++++ e is 65537 (0x10001) + echo 'Creating CA certificate' Creating CA certificate + sudo openssl req -new -x509 -days 365 -key /etc/candlepin/certs/candlepin-ca.key -out /etc/candlepin/certs/candlepin-ca.crt -subj /CN=statler.usersys.redhat.com/C=US/L=Raleigh/ keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists alias already exists. deleting... deleted tomcat. Enter key password for <tomcat> (RETURN if same as keystore password): Key password is too short - must be at least 6 characters Enter key password for <tomcat> (RETURN if same as keystore password): importing ca certificate keytool error: java.lang.Exception: Certificate not imported, alias <candlepin_ca_crt> already exists alias already exists. deleting... deleted candlepin_ca_crt. importing ca certificate Owner: L=Raleigh, C=US, CN=statler.usersys.redhat.com Issuer: L=Raleigh, C=US, CN=statler.usersys.redhat.com Serial number: cdec4c748955bc74 Valid from: Mon May 03 11:25:02 EDT 2010 until: Tue May 03 11:25:02 EDT 2011 Certificate fingerprints: MD5: 5C:51:97:A5:AA:00:1A:DF:8D:0F:89:57:65:FA:74:4C SHA1: 48:D8:9C:82:A3:45:23:8D:DC:DD:D4:71:37:9B:8F:1C:C9:67:4D:DF Signature algorithm name: SHA1withRSA [root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf 84b649c7-1a15-40ad-94e7-0bd71c9c5b9a admin wd [root@iolo ~]# subscription-manager-cli list --available Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX [root@iolo ~]# rm -Rf /etc/pki/consumer/ cert.pem key.pem [root@iolo ~]# rm -Rf /etc/pki/consumer/* [root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf f2a4d0ea-6e5e-4139-a3e9-4f41ee857b2b admin wd [root@iolo ~]# subscription-manager-cli list --available productName endDate id quantity ------------------------------------------------------------------------------------------------------ SPACEWALK-001 Tue Jul 13 00:00:00 2010 1 20000 monitoring Tue Jul 13 00:00:00 2010 2 20000 provisioning Tue Jul 13 00:00:00 2010 3 20000 virtualization_host Tue Jul 13 00:00:00 2010 4 20000 virtualization_host_platform Tue Jul 13 00:00:00 2010 5 20000 [root@iolo ~]# verified.. wdh Group move of VERIFIED Candlepin component bugs to RELEASE_PENDING I am closing out some old bugs from 2015. So, closing these out as current release. If this is still an issue for me, please reach out. |
Description of problem: [root@sun-v20z-01 ~]# subscription-manager-cli list --available Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX seeing this in my tomcat6 log.. not sure if its related.. Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody==== Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers==== Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host: statler.usersys.redhat.com:8443 Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding: identity Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length: 4 Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type: application/json Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept: application/json Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response==== Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401 Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}} Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Request: 'GET https://statler.usersys.redhat.com:8443/candlepin/consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials' Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody==== Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers==== Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host: statler.usersys.redhat.com:8443 Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding: identity Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length: 4 Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type: application/json Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept: application/json Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response==== Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401 Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}} ^C [candlepin@statler proxy]$