Bug 586563 - certificate commonName does not match host
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Candlepin
Classification: Community
Component: candlepin
Version: 0.5
Hardware: All
OS: Solaris
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Bryan Kearney
QA Contact: Katello QA List
Blocks: ent2
Reported: 2010-04-27 21:25 UTC by wes hayutin
Modified: 2018-12-10 15:37 UTC

Last Closed: 2018-12-10 15:37:07 UTC

Description wes hayutin 2010-04-27 21:25:46 UTC
Description of problem:

[root@sun-v20z-01 ~]# subscription-manager-cli list --available
Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX


Seeing this in my tomcat6 log.. not sure if it's related..
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host:  statler.usersys.redhat.com:8443
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding:  identity
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length:  4
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type:  application/json
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept:  application/json
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response====
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401
Apr 27 17:23:43 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}}
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Request: 'GET https://statler.usersys.redhat.com:8443/candlepin/consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials'
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====RequestBody====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - null
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Headers====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - host:  statler.usersys.redhat.com:8443
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept-encoding:  identity
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-length:  4
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - content-type:  application/json
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - accept:  application/json
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.resteasy.interceptor.AuthInterceptor - Authentication check for /consumers/b563b82c-4596-4012-834b-710f5a5adb36/certificates/serials
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - ====Response====
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Status: 401
Apr 27 17:23:44 [http-8443-1] DEBUG org.fedoraproject.candlepin.servlet.filter.logging.LoggingFilter - Response Body:{"exceptionMessage":{"displayMessage":"Invalid username or password"}}
^C
[candlepin@statler proxy]$

Comment 1 James Bowes 2010-04-30 17:15:14 UTC
This is from an old certificate still existing in the tomcat keystore. I've
updated the deploy script to add a FORCECERT option, so you can redo all
certificates. Note that after using FORCECERT, you'll have to delete
/etc/pki/consumer/* for your client machines (I think this might be a client
bug; will have to investigate).

example usage:
FORCECERT=1 HOSTNAME=localhost buildconf/scripts/deploy

Now when you configure your clients to connect to localhost, they won't complain about SSL.
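
Added example, not part of the bug report and not Candlepin or subscription-manager code: a hostname check over a decoded peer certificate, showing why a stale keystore certificate whose commonName is "XX" is rejected while a regenerated one is accepted. It assumes the dict layout returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and the sample certificates are constructed for illustration.

```python
# Added example: hostname check over a decoded peer certificate.
# Input layout is the dict returned by ssl.SSLSocket.getpeercert() (assumption).

def presented_names(cert):
    """Return the DNS names a certificate asserts.

    subjectAltName dNSName entries take precedence (RFC 6125); the subject
    commonName is only a legacy fallback when no dNSName is present.
    """
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:   # refuse over-broad patterns such as "*.com"
        p, h = p[1:], h[1:]
    return p == h


def check_host(cert, host):
    """Return (ok, names) so the caller can report 'expected X, got Y'."""
    names = presented_names(cert)
    return any(name_matches(n, host) for n in names), names


# Constructed sample certificates (hypothetical, not dumped from any server).
STALE = {"subject": ((("commonName", "XX"),),)}
REGENERATED = {"subject": ((("localityName", "Raleigh"),),
                           (("countryName", "US"),),
                           (("commonName", "statler.usersys.redhat.com"),))}
SAN_WINS = {"subject": ((("commonName", "statler.usersys.redhat.com"),),),
            "subjectAltName": (("DNS", "other.example.test"),)}

if __name__ == "__main__":
    host = "statler.usersys.redhat.com"
    for label, cert in (("stale", STALE), ("regenerated", REGENERATED),
                        ("san-present", SAN_WINS)):
        ok, names = check_host(cert, host)
        print(label, "OK" if ok else f"mismatch: expected {host}, got {names}")
```

The `SAN_WINS` case shows that once a certificate carries a subjectAltName, a matching commonName no longer counts.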

Comment 2 wes hayutin 2010-05-03 15:27:56 UTC
[candlepin@statler proxy]$ FORCECERT=1 HOSTNAME=statler.usersys.redhat.com buildconf/scripts/deploy
Stopping tomcat6:                                          [  OK  ]
(in /candlepin/candlepin/proxy, development)
Cleaning candlepin
Building candlepin
Compiling candlepin into /candlepin/candlepin/proxy/target/classes
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Compiling candlepin:test into /candlepin/candlepin/proxy/target/test/classes
Note: /candlepin/candlepin/proxy/src/test/java/org/fedoraproject/candlepin/service/impl/test/DefaultEntitlementCertServiceAdapterTest.java uses unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.
Instrumenting classes with emma metadata file /candlepin/candlepin/proxy/reports/emma/coverage.em
redefining Project
Skipping tests for candlepin
Packaging candlepin
Packaging candlepin-api-0.0.6.jar
Packaging candlepin-0.0.6.war
Completed in 10.172s
+ CERTS_HOME=/etc/candlepin/certs
+ CA_KEY=/etc/candlepin/certs/candlepin-ca.key
+ CA_CERT=/etc/candlepin/certs/candlepin-ca.crt
+ rpm -q openssl
+ '[' 0 -ne 0 ']'
+ '[' '!' -d /etc/candlepin/certs ']'
+ HOSTNAME=statler.usersys.redhat.com
+ '[' -f /etc/candlepin/certs/candlepin-ca.key ']'
+ echo 'Creating CA private key'
Creating CA private key
+ sudo openssl genrsa -out /etc/candlepin/certs/candlepin-ca.key 1024
Generating RSA private key, 1024 bit long modulus
....................++++++
..............................++++++
e is 65537 (0x10001)
+ echo 'Creating CA certificate'
Creating CA certificate
+ sudo openssl req -new -x509 -days 365 -key /etc/candlepin/certs/candlepin-ca.key -out /etc/candlepin/certs/candlepin-ca.crt -subj /CN=statler.usersys.redhat.com/C=US/L=Raleigh/
keytool error: java.lang.Exception: Key pair not generated, alias <tomcat> already exists
alias already exists. deleting...
deleted tomcat.
Enter key password for <tomcat>
	(RETURN if same as keystore password):  Key password is too short - must be at least 6 characters
Enter key password for <tomcat>
	(RETURN if same as keystore password):  importing ca certificate
keytool error: java.lang.Exception: Certificate not imported, alias <candlepin_ca_crt> already exists
alias already exists. deleting...
deleted candlepin_ca_crt.
importing ca certificate
Owner: L=Raleigh, C=US, CN=statler.usersys.redhat.com
Issuer: L=Raleigh, C=US, CN=statler.usersys.redhat.com
Serial number: cdec4c748955bc74
Valid from: Mon May 03 11:25:02 EDT 2010 until: Tue May 03 11:25:02 EDT 2011
Certificate fingerprints:
	 MD5:  5C:51:97:A5:AA:00:1A:DF:8D:0F:89:57:65:FA:74:4C
	 SHA1: 48:D8:9C:82:A3:45:23:8D:DC:DD:D4:71:37:9B:8F:1C:C9:67:4D:DF
	 Signature algorithm name: SHA1withRSA


[root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf
84b649c7-1a15-40ad-94e7-0bd71c9c5b9a admin wd
[root@iolo ~]# subscription-manager-cli list --available
Peer certificate commonName does not match host, expected statler.usersys.redhat.com, got XX
[root@iolo ~]# rm -Rf /etc/pki/consumer/
cert.pem  key.pem   
[root@iolo ~]# rm -Rf /etc/pki/consumer/*
[root@iolo ~]# subscription-manager-cli register --user=wd --pass=asdf
f2a4d0ea-6e5e-4139-a3e9-4f41ee857b2b admin wd
[root@iolo ~]# subscription-manager-cli list --available
 	productName               	endDate                   	id         	quantity                  
------------------------------------------------------------------------------------------------------
	SPACEWALK-001             	Tue Jul 13 00:00:00 2010  	1          	20000                    
	monitoring                	Tue Jul 13 00:00:00 2010  	2          	20000                    
	provisioning              	Tue Jul 13 00:00:00 2010  	3          	20000                    
	virtualization_host       	Tue Jul 13 00:00:00 2010  	4          	20000                    
	virtualization_host_platform 	Tue Jul 13 00:00:00 2010  	5          	20000                    
[root@iolo ~]# 


verified.. wdh

Comment 3 John Sefler 2011-05-04 14:41:27 UTC
Group move of VERIFIED Candlepin component bugs to RELEASE_PENDING

Comment 5 Bryan Kearney 2018-12-10 15:37:07 UTC
I am closing out some old bugs from 2015. So, closing these out as current release. If this is still an issue for me, please reach out.
