ERROR Failed fetching torrent: Peer certificate subjectAltName does not match host, expected <IP>. Why an IP?

Explorer

Hello,

How is Cloudera determining the 'host' part in this message? Running CDH 6.3 and receiving the following:

ERROR Failed fetching torrent: Peer certificate subjectAltName does not match host, expected 10.3.0.134, got DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz

Yet the reverse and forward lookups work just fine. Why is it receiving an IP for the host? Not able to make heads or tails out of the code yet.

 vi /opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/httpslib.py +69
 vi /opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Connection.py +313
 vi /opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Checker.py +125
[29/Dec/2020 02:24:42 +0000] 20442 Thread-13 downloader   ERROR    Failed fetching torrent: Peer certificate subjectAltName does not match host, expected 10.3.0.134, got DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
Traceback (most recent call last):
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/downloader.py", line 264, in download
    cmf.https.ssl_url_opener.fetch_to_file(torrent_url, torrent_file)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 193, in fetch_to_file
    resp = self.open(req_url)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 188, in open
    return self.opener(url, *pargs, **kwargs)
  File "/usr/lib64/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 179, in https_open
    return self.do_open(opener, req)
  File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
    h.request(req.get_method(), req.get_selector(), req.data, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1041, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 843, in send
    self.connect()
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/httpslib.py", line 69, in connect
    sock.connect((self.host, self.port))
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 313, in connect
    if not check(self.get_peer_cert(), self.addr[0]):
  File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Checker.py", line 125, in __call__
    fieldName='subjectAltName')
WrongHost: Peer certificate subjectAltName does not match host, expected 10.3.0.134, got DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
^C
 root  /  var  log  cloudera-scm-agent  dig -x 10.3.0.134

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -x 10.3.0.134
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48590
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;134.0.3.10.in-addr.arpa.       IN      PTR

;; ANSWER SECTION:
134.0.3.10.in-addr.arpa. 86400  IN      PTR     cm-r01nn01.mws.mds.xyz.

;; AUTHORITY SECTION:
0.3.10.in-addr.arpa.    86400   IN      NS      idmipa03.mws.mds.xyz.
0.3.10.in-addr.arpa.    86400   IN      NS      idmipa04.mws.mds.xyz.

;; ADDITIONAL SECTION:
idmipa03.mws.mds.xyz.   1200    IN      A       192.168.0.154
idmipa04.mws.mds.xyz.   1200    IN      A       192.168.0.155

;; Query time: 1 msec
;; SERVER: 192.168.0.51#53(192.168.0.51)
;; WHEN: Tue Dec 29 02:24:57 EST 2020
;; MSG SIZE  rcvd: 166

 root  /  var  log  cloudera-scm-agent  dig cm-r01nn01

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> cm-r01nn01
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37372
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cm-r01nn01.                    IN      A

;; AUTHORITY SECTION:
.                       9788    IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020122900 1800 900 604800 86400

;; Query time: 1 msec
;; SERVER: 192.168.0.51#53(192.168.0.51)
;; WHEN: Tue Dec 29 02:25:04 EST 2020
;; MSG SIZE  rcvd: 114

 root  /  var  log  cloudera-scm-agent  dig cm-r01nn01.mws.mds.xyz

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> cm-r01nn01.mws.mds.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20538
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cm-r01nn01.mws.mds.xyz.                IN      A

;; ANSWER SECTION:
cm-r01nn01.mws.mds.xyz. 1200    IN      A       10.3.0.134

;; AUTHORITY SECTION:
mws.mds.xyz.            86400   IN      NS      idmipa03.mws.mds.xyz.
mws.mds.xyz.            86400   IN      NS      idmipa04.mws.mds.xyz.

;; ADDITIONAL SECTION:
idmipa03.mws.mds.xyz.   1200    IN      A       192.168.0.154
idmipa04.mws.mds.xyz.   1200    IN      A       192.168.0.155

;; Query time: 1 msec
;; SERVER: 192.168.0.51#53(192.168.0.51)
;; WHEN: Tue Dec 29 02:25:08 EST 2020
;; MSG SIZE  rcvd: 145

 root  /  var  log  cloudera-scm-agent  nslookup cm-r01nn01
Server:         192.168.0.51
Address:        192.168.0.51#53

Name:   cm-r01nn01.mws.mds.xyz
Address: 10.3.0.134

 root  /  var  log  cloudera-scm-agent  nslookup 10.3.0.134
Server:         192.168.0.51
Address:        192.168.0.51#53

134.0.3.10.in-addr.arpa name = cm-r01nn01.mws.mds.xyz.

 root  /  var  log  cloudera-scm-agent  cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6


10.3.0.134      cm-r01nn01.mws.mds.xyz cm-r01nn01
 root  /  var  log  cloudera-scm-agent  

2 REPLIES

Master Guru

@TCloud What is your certificate saying? I am interested to see the SAN entries there so that I can correlate this.

CM always expects the FQDN almost everywhere, just an FYI.


Cheers!

Explorer

Cert details.
[root@azure-r01wn01 ~]# openssl s_client -connect $(grep "server_host" /etc/cloudera-scm-agent/config.ini | sed s/server_host=//):7182 </dev/null | openssl x509 -text -noout
depth=0 C = US, ST = California, L = Los Angeles, O = MDS, OU = MDS, CN = srv-c01.mws.mds.xyz
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = MDS, OU = MDS, CN = srv-c01.mws.mds.xyz
verify return:1
140441195849616:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
140441195849616:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1594172762 (0x5f05255a)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=California, L=Los Angeles, O=MDS, OU=MDS, CN=srv-c01.mws.mds.xyz
        Validity
            Not Before: Jul 19 02:46:18 2019 GMT
            Not After : Jul 16 02:46:18 2029 GMT
        Subject: C=US, ST=California, L=Los Angeles, O=MDS, OU=MDS, CN=srv-c01.mws.mds.xyz
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:a9:00:83:12:9e:02:86:32:4e:2b:a7:c6:1a:
                    6b:9d:e3:56:00:53:22:01:d8:db:83:cd:14:79:6a:
                    85:27:20:f6:5d:86:0e:0b:af:df:46:dd:c3:23:72:
                    f0:bf:38:3e:cd:9f:92:e6:65:81:7b:26:32:50:fc:
                    81:0e:7b:dd:b4:61:6f:a7:56:ec:c8:fe:89:72:ec:
                    e5:e0:63:61:92:77:0b:36:41:98:93:14:6d:53:a0:
                    24:fb:fb:77:40:98:5b:2f:d2:3c:65:4f:8b:65:33:
                    e5:db:14:ce:01:d2:4f:9f:e4:c6:c8:35:50:09:a2:
                    f3:48:0a:ac:06:fd:66:42:30:10:a4:e7:fa:a8:2b:
                    0b:2b:ef:ce:83:82:4e:0d:86:34:ce:0c:8d:0c:a2:
                    f5:88:4d:38:9f:3b:dd:2e:6e:e3:8c:60:69:da:8d:
                    a4:d4:db:d5:cd:26:91:95:ca:a2:47:de:3c:f3:8f:
                    52:b8:e5:b0:09:26:af:77:fb:a3:5b:40:f6:e8:1b:
                    66:d7:b7:1b:da:2c:6c:34:99:76:de:c4:9b:80:69:
                    25:d5:12:2f:cb:9b:c5:d2:7e:15:a7:50:5f:54:5c:
                    9d:6b:8c:c0:9c:03:3f:96:f3:8a:2c:a6:05:ec:a4:
                    d3:83:84:61:13:da:57:6d:e8:8c:93:d9:40:38:24:
                    96:c9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing
            X509v3 Subject Alternative Name: 
                DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
            X509v3 Subject Key Identifier: 
                F6:EA:97:6F:82:20:84:75:E9:63:71:2F:16:D6:41:8B:64:05:07:0D
    Signature Algorithm: sha256WithRSAEncryption
         4f:35:6d:18:dc:5c:4a:65:db:8c:62:75:0b:f8:da:2b:14:72:
         22:f7:3a:ba:15:17:58:41:46:3b:6b:6e:40:db:6b:be:e5:07:
         82:d1:37:0a:d6:4e:96:14:f6:87:ca:ff:d3:5f:a9:94:de:81:
         e7:a1:28:94:0a:19:0b:f4:dc:ed:0a:a5:77:78:20:53:3f:3f:
         03:54:67:a0:c4:a1:de:49:7d:e8:fc:2d:76:bd:7b:a5:98:cd:
         45:7e:ba:21:79:e2:91:7d:f3:e9:d6:5d:b7:91:34:30:3a:e4:
         3a:38:e9:33:9b:26:2e:3e:6c:c9:3d:5d:48:81:cb:35:2f:ff:
         7a:ff:22:c2:f8:b5:a2:01:d0:54:7f:f2:08:33:89:78:80:af:
         72:2d:d7:df:61:f0:4a:7f:d2:19:0d:c6:0c:51:ee:4e:c1:ed:
         8d:8b:4f:82:17:47:6b:03:1a:f2:8b:00:cc:17:8a:75:ca:72:
         c0:a4:a7:12:87:32:16:89:15:2c:80:d1:07:fd:37:e8:bf:f5:
         87:6b:a2:dd:9d:a4:c4:2c:68:f8:d9:15:dd:3c:40:6d:8b:e0:
         6d:c4:87:6d:39:a9:6b:91:f6:0a:bc:7c:63:e7:f0:37:cb:7a:
         5f:35:6c:5c:f9:bb:cb:58:1a:b9:9c:49:ab:24:ac:2a:c9:2d:
         3f:b2:2f:68
[root@azure-r01wn01 ~]# 
[root@azure-r01wn01 ~]# 
[root@azure-r01wn01 ~]# 
[root@azure-r01wn01 ~]# 
[root@azure-r01wn01 ~]# openssl s_client -connect $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "server_host=" | sed s/server_host=//):7182 -CAfile $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "verify_cert_file=" |sed s/verify_cert_file=//) -verify_hostname $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "server_host=" | sed s/server_host=//)</dev/null
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Los Angeles, O = MDS, OU = MDS, CN = srv-c01.mws.mds.xyz
verify return:1
140276232329104:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
140276232329104:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/C=US/ST=California/L=Los Angeles/O=MDS/OU=MDS/CN=srv-c01.mws.mds.xyz
   i:/C=US/ST=California/L=Los Angeles/O=MDS/OU=MDS/CN=srv-c01.mws.mds.xyz
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
.
.
.
.
.
.
.
---
SSL handshake has read 18243 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 5FEFEAC965EF94EEEA66EA13E233E18323258810C92903D96B3A57571739DEB4
    Session-ID-ctx: 
    Master-Key: 6F693441CEDC0AF262F25FC41236CBE03B59BF78CF3FBD13A574C5BCD3095680985C7F5D2BFBDFA67AC932359C519E37
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1609558729
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
[root@azure-r01wn01 ~]#
# grep -Ei srv /etc/cloudera-scm-agent/config.ini 
server_host=srv-c01.mws.mds.xyz
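The two artifacts in this reply, the `openssl x509 -text` dump and the `server_host` line from `config.ini`, are what an operator needs to reconcile: the agent presents `server_host` as the reference identifier, so it must appear among the certificate's `DNS:` entries, and if it is ever an IP literal the certificate must carry a matching `IP Address:` entry instead. The Python 3 script below is an added example, not code from the thread or from Cloudera; it parses both artifacts (the SAN block from the `-text` output, the non-commented `server_host=` key from the ini text, mirroring the `grep -v '^#'` pipeline used above) and reports whether the configured name is covered. Sample inputs are constructed from the values shown on this page; all function names are mine.

```python
"""Reconcile the agent's server_host with the SAN list of the server certificate.

Added example, not from the original thread or from Cloudera. Inputs are
constructed from the openssl output and config.ini line shown in the post.
"""
import ipaddress

# Constructed excerpt of `openssl x509 -text -noout` output (values from the post).
X509_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
            X509v3 Subject Key Identifier:
                F6:EA:97:6F:82:20:84:75:E9:63:71:2F:16:D6:41:8B:64:05:07:0D
"""

# Constructed config.ini excerpt; only the server_host value is taken from the post.
CONFIG_INI = """\
[General]
# Hostname of the CM server.
#server_host=localhost
server_host=srv-c01.mws.mds.xyz
server_port=7182
"""


def san_from_x509_text(text):
    """Return {'DNS': [...], 'IP': [...]} from the SAN extension in -text output."""
    out = {"DNS": [], "IP": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if not line.strip().startswith("X509v3 Subject Alternative Name"):
            continue
        value_lines = []
        # The value may wrap; it ends at the next extension or the signature block.
        for nxt in lines[i + 1:]:
            s = nxt.strip()
            if not s or s.startswith("X509v3") or s.startswith("Signature"):
                break
            value_lines.append(s)
        for item in " ".join(value_lines).split(","):
            kind, _, value = item.strip().partition(":")
            if kind == "DNS":
                out["DNS"].append(value.strip().lower())
            elif kind == "IP Address":
                out["IP"].append(value.strip())
        break
    return out


def server_host_from_config(ini_text):
    """Mirror `grep -v '^#' config.ini | grep server_host=`: first uncommented key wins."""
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "server_host":
            return value.strip()
    return None


def is_ip_literal(value):
    """True when server_host is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def reconcile(ini_text, x509_text):
    """Report whether the configured server_host is covered by the certificate's SAN."""
    host = server_host_from_config(ini_text)
    san = san_from_x509_text(x509_text)
    if host is None:
        covered = False
    elif is_ip_literal(host):
        covered = host in san["IP"]          # IP literals need an IP Address: entry
    else:
        covered = host.lower() in san["DNS"]  # names need a DNS: entry
    return {"server_host": host, "covered_by_san": covered,
            "ip_sans_present": bool(san["IP"]), "san": san}


if __name__ == "__main__":
    print(reconcile(CONFIG_INI, X509_TEXT))
```

For the values on this page the configured `srv-c01.mws.mds.xyz` is covered, which is consistent with the second `s_client -verify_hostname` run above returning `Verify return code: 0 (ok)`; the agent's failure is therefore tied to the connection that used the IP, not to the `server_host` setting itself.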