Bug 586563 - certificate commonName does not match host
Status: RELEASE_PENDING
Product: Candlepin
Classification: Community
Component: candlepin
0.5
All Solaris
low Severity medium
Assigned To: Bryan Kearney
Katello QA List
Blocks: ent2
Reported: 2010-04-27 17:25 EDT by wes hayutin
Modified: 2015-05-14 11:23 EDT
Doc Type: Bug Fix
Description wes hayutin 2010-04-27 17:25:46 EDT
Description of problem:

[root@sun-v20z-01 ~]# subscription-manager-cli list --available
Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX


seeing this in my tomcat6 log.. not sure if it's related..
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host:  statler.usersys.redhat.com:8443
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding:  identity
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length:  4
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type:  application/json
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept:  application/json
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}}
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Request: 'GET https://statler.usersys.redhat.com:8443/candlepin/consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials'
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host:  statler.usersys.redhat.com:8443
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding:  identity
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length:  4
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type:  application/json
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept:  application/json
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}}
^C
[candlepin@statler proxy]$
Comment 1 James Bowes 2010-04-30 13:15:14 EDT
This is from an old certificate still existing in the tomcat keystore. I've
updated the deploy script to add a FORCECERT option, so you can redo all
certificates. Note that after using FORCECERT, you'll have to delete
/etc/pki/consumer/* for your client machines (I think this might be a client
bug; will have to investigate).

example usage:
FORCECERT=1 HOSTNAME=localhost buildconf/scripts/deploy

Now when you configure your clients to connect to localhost, they won't complain about SSL.
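
Added example (not part of the comment above and not Candlepin or subscription-manager code): a diagnostic for the hostname check that produces the error in this bug, run over a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert(). It goes slightly beyond the bug by also handling subjectAltName precedence and leftmost-label wildcards; the function names and both sample certificates are constructed for illustration.

```python
# Added example: hostname check over a certificate dict in the layout
# produced by ssl.SSLSocket.getpeercert(). Sample certificates are constructed.

HOST = "statler.usersys.redhat.com"

# Constructed: a stale server certificate whose CN is "XX", as in the error.
STALE_CERT = {"subject": ((("commonName", "XX"),),)}

# Constructed: a certificate regenerated with the subject shown in Comment 2.
REGENERATED_CERT = {"subject": ((("localityName", "Raleigh"),),
                                (("countryName", "US"),),
                                (("commonName", HOST),))}


def cert_names(cert):
    """Return (names, source): SAN dNSName entries if present, else subject CNs."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        # When dNSName entries exist, the commonName is not consulted.
        return sans, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    return cns, "commonName"


def name_matches(pattern, host):
    """Case-insensitive match; '*' is accepted only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:      # "*.com" style patterns never match
        p, h = p[1:], h[1:]
    return p == h


def check_peer(cert, expected_host):
    """Return (ok, message); the message mirrors the client error on this page."""
    names, source = cert_names(cert)
    if any(name_matches(n, expected_host) for n in names):
        return True, "ok"
    got = ", ".join(names) or "<none>"
    return False, ("Peer certificate %s does not match host, expected %s, got %s"
                   % (source, expected_host, got))


if __name__ == "__main__":
    for label, cert in (("stale", STALE_CERT), ("regenerated", REGENERATED_CERT)):
        print(label, check_peer(cert, HOST))
```

Running the same check against the certificate the server actually presents, before and after FORCECERT, shows whether the keystore is still serving the old entry.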
Comment 2 wes hayutin 2010-05-03 11:27:56 EDT
[candlepin@statler proxy]$ FORCECERT=1 HOSTNAME=statler.usersys.redhat.com buildconf/scripts/deploy
Stopping tomcat6:                                          [  OK  ]
(in /candlepin/candlepin/proxy, development)
Cleaning candlepin
Building candlepin
Compiling candlepin into /candlepin/candlepin/proxy/target/classes
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Compiling candlepin:test into /candlepin/candlepin/proxy/target/test/classes
Note: /candlepin/candlepin/proxy/src/test/java/org/fedoraproject/candlepin/service/impl/test/DefaultEntitlementCertServiceAdapterTest.java uses unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Instrumenting classes with emma metadata file /candlepin/candlepin/proxy/reports/emma/coverage.em
redefining Project
Skipping tests for candlepin
Packaging candlepin
Packaging candlepin-api-0.0.6.jar
Packaging candlepin-0.0.6.war
Completed in 10.172s
+ CERTS_HOME=/etc/candlepin/certs
+ CA_KEY=/etc/candlepin/certs/candlepin-ca.key
+ CA_CERT=/etc/candlepin/certs/candlepin-ca.crt
+ rpm -q openssl
+ '[' 0 -ne 0 ']'
+ '[' '!' -d /etc/candlepin/certs ']'
+ HOSTNAME=statler.usersys.redhat.com
+ '[' -f /etc/candlepin/certs/candlepin-ca.key ']'
+ echo 'Creating CA private key'
Creating CA private key
+ sudo openssl genrsa -out /etc/candlepin/certs/candlepin-ca.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
..............................++++++
e is 65537 (0x10001)
+ echo 'Creating CA certificate'
Creating CA certificate
+ sudo openssl req -new -x509 -days 365 -key /etc/candlepin/certs/candlepin-ca.key -out /etc/candlepin/certs/candlepin-ca.crt -subj /CN=statler.usersys.redhat.com/C=US/L=Raleigh/
keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists
alias already exists. deleting...
deleted tomcat.
Enter key password for <tomcat>
	(RETURN if same as keystore password):  Key password is too short - must be at least 6 characters
Enter key password for <tomcat>
	(RETURN if same as keystore password):  importing ca certificate
keytool error: java.lang.Exception: Certificate not imported, alias <candlepin_ca_crt> already exists
alias already exists. deleting...
deleted candlepin_ca_crt.
importing ca certificate
Owner: L=Raleigh, C=US, CN=statler.usersys.redhat.com
Issuer: L=Raleigh, C=US, CN=statler.usersys.redhat.com
Serial number: cdec4c748955bc74
Valid from: Mon May 03 11:25:02 EDT 2010 until: Tue May 03 11:25:02 EDT 2011
Certificate fingerprints:
	 MD5:  5C:51:97:A5:AA:00:1A:DF:8D:0F:89:57:65:FA:74:4C
	 SHA1: 48:D8:9C:82:A3:45:23:8D:DC:DD:D4:71:37:9B:8F:1C:C9:67:4D:DF
	 Signature algorithm name: SHA1withRSA


[root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf
84b649c7-1a15-40ad-94e7-0bd71c9c5b9a admin wd
[root@iolo ~]# subscription-manager-cli list --available
Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX
[root@iolo ~]# rm -Rf /etc/pki/consumer/
cert.pem  key.pem   
[root@iolo ~]# rm -Rf /etc/pki/consumer/*
[root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf
f2a4d0ea-6e5e-4139-a3e9-4f41ee857b2b admin wd
[root@iolo ~]# subscription-manager-cli list --available
 	productName               	endDate                   	id         	quantity                  
------------------------------------------------------------------------------------------------------
	SPACEWALK-001             	Tue Jul 13 00:00:00 2010  	1          	20000                    
	monitoring                	Tue Jul 13 00:00:00 2010  	2          	20000                    
	provisioning              	Tue Jul 13 00:00:00 2010  	3          	20000                    
	virtualization_host       	Tue Jul 13 00:00:00 2010  	4          	20000                    
	virtualization_host_platform 	Tue Jul 13 00:00:00 2010  	5          	20000                    
[root@iolo ~]# 


verified.. wdh
Comment 3 John Sefler 2011-05-04 10:41:27 EDT
Group move of VERIFIED Candlepin component bugs to RELEASE_PENDING
