Created 12-28-2020 11:46 PM
Hello,
How is Cloudera determining the 'host' part of this message? I am running CDH 6.3 and receiving the following:
ERROR Failed fetching torrent: Peer certificate subjectAltName does not match host, expected 10.3.0.134, got DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
Yet both the reverse and forward lookups work just fine. Why is it receiving an IP address for the host? I have not been able to make sense of the code yet.
vi /opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/httpslib.py +69
vi /opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Connection.py +313
vi /opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Checker.py +125
[29/Dec/2020 02:24:42 +0000] 20442 Thread-13 downloader ERROR Failed fetching torrent: Peer certificate subjectAltName does not match host, expected 10.3.0.134, got DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
Traceback (most recent call last):
File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/downloader.py", line 264, in download
cmf.https.ssl_url_opener.fetch_to_file(torrent_url, torrent_file)
File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 193, in fetch_to_file
resp = self.open(req_url)
File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 188, in open
return self.opener(url, *pargs, **kwargs)
File "/usr/lib64/python2.7/urllib2.py", line 431, in open
response = self._open(req, data)
File "/usr/lib64/python2.7/urllib2.py", line 449, in _open
'_open', req)
File "/usr/lib64/python2.7/urllib2.py", line 409, in _call_chain
result = func(*args)
File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/cmf/https.py", line 179, in https_open
return self.do_open(opener, req)
File "/usr/lib64/python2.7/urllib2.py", line 1211, in do_open
h.request(req.get_method(), req.get_selector(), req.data, headers)
File "/usr/lib64/python2.7/httplib.py", line 1041, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python2.7/httplib.py", line 1075, in _send_request
self.endheaders(body)
File "/usr/lib64/python2.7/httplib.py", line 1037, in endheaders
self._send_output(message_body)
File "/usr/lib64/python2.7/httplib.py", line 881, in _send_output
self.send(msg)
File "/usr/lib64/python2.7/httplib.py", line 843, in send
self.connect()
File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/httpslib.py", line 69, in connect
sock.connect((self.host, self.port))
File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Connection.py", line 313, in connect
if not check(self.get_peer_cert(), self.addr[0]):
File "/opt/cloudera/cm-agent/lib/python2.7/site-packages/M2Crypto/SSL/Checker.py", line 125, in __call__
fieldName='subjectAltName')
WrongHost: Peer certificate subjectAltName does not match host, expected 10.3.0.134, got DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
^C
root / var log cloudera-scm-agent dig -x 10.3.0.134
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -x 10.3.0.134
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48590
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;134.0.3.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
134.0.3.10.in-addr.arpa. 86400 IN PTR cm-r01nn01.mws.mds.xyz.
;; AUTHORITY SECTION:
0.3.10.in-addr.arpa. 86400 IN NS idmipa03.mws.mds.xyz.
0.3.10.in-addr.arpa. 86400 IN NS idmipa04.mws.mds.xyz.
;; ADDITIONAL SECTION:
idmipa03.mws.mds.xyz. 1200 IN A 192.168.0.154
idmipa04.mws.mds.xyz. 1200 IN A 192.168.0.155
;; Query time: 1 msec
;; SERVER: 192.168.0.51#53(192.168.0.51)
;; WHEN: Tue Dec 29 02:24:57 EST 2020
;; MSG SIZE rcvd: 166
root / var log cloudera-scm-agent dig cm-r01nn01
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> cm-r01nn01
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 37372
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cm-r01nn01. IN A
;; AUTHORITY SECTION:
. 9788 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020122900 1800 900 604800 86400
;; Query time: 1 msec
;; SERVER: 192.168.0.51#53(192.168.0.51)
;; WHEN: Tue Dec 29 02:25:04 EST 2020
;; MSG SIZE rcvd: 114
root / var log cloudera-scm-agent dig cm-r01nn01.mws.mds.xyz
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> cm-r01nn01.mws.mds.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20538
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cm-r01nn01.mws.mds.xyz. IN A
;; ANSWER SECTION:
cm-r01nn01.mws.mds.xyz. 1200 IN A 10.3.0.134
;; AUTHORITY SECTION:
mws.mds.xyz. 86400 IN NS idmipa03.mws.mds.xyz.
mws.mds.xyz. 86400 IN NS idmipa04.mws.mds.xyz.
;; ADDITIONAL SECTION:
idmipa03.mws.mds.xyz. 1200 IN A 192.168.0.154
idmipa04.mws.mds.xyz. 1200 IN A 192.168.0.155
;; Query time: 1 msec
;; SERVER: 192.168.0.51#53(192.168.0.51)
;; WHEN: Tue Dec 29 02:25:08 EST 2020
;; MSG SIZE rcvd: 145
root / var log cloudera-scm-agent nslookup cm-r01nn01
Server: 192.168.0.51
Address: 192.168.0.51#53
Name: cm-r01nn01.mws.mds.xyz
Address: 10.3.0.134
root / var log cloudera-scm-agent nslookup 10.3.0.134
Server: 192.168.0.51
Address: 192.168.0.51#53
134.0.3.10.in-addr.arpa name = cm-r01nn01.mws.mds.xyz.
root / var log cloudera-scm-agent cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
10.3.0.134 cm-r01nn01.mws.mds.xyz cm-r01nn01
root / var log cloudera-scm-agent
Created 12-30-2020 10:14 AM
@TCloud What does your certificate say? I am interested in seeing the SAN entries there so that I can correlate this.
Just an FYI: CM expects the FQDN almost everywhere.
Created on 01-01-2021 07:46 PM - edited 01-01-2021 09:27 PM
Cert details.
[root@azure-r01wn01 ~]# openssl s_client -connect $(grep "server_host" /etc/cloudera-scm-agent/config.ini | sed s/server_host=//):7182 </dev/null | openssl x509 -text -noout
depth=0 C = US, ST = California, L = Los Angeles, O = MDS, OU = MDS, CN = srv-c01.mws.mds.xyz
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = MDS, OU = MDS, CN = srv-c01.mws.mds.xyz
verify return:1
140441195849616:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
140441195849616:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1594172762 (0x5f05255a)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=Los Angeles, O=MDS, OU=MDS, CN=srv-c01.mws.mds.xyz
Validity
Not Before: Jul 19 02:46:18 2019 GMT
Not After : Jul 16 02:46:18 2029 GMT
Subject: C=US, ST=California, L=Los Angeles, O=MDS, OU=MDS, CN=srv-c01.mws.mds.xyz
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c5:a9:00:83:12:9e:02:86:32:4e:2b:a7:c6:1a:
6b:9d:e3:56:00:53:22:01:d8:db:83:cd:14:79:6a:
85:27:20:f6:5d:86:0e:0b:af:df:46:dd:c3:23:72:
f0:bf:38:3e:cd:9f:92:e6:65:81:7b:26:32:50:fc:
81:0e:7b:dd:b4:61:6f:a7:56:ec:c8:fe:89:72:ec:
e5:e0:63:61:92:77:0b:36:41:98:93:14:6d:53:a0:
24:fb:fb:77:40:98:5b:2f:d2:3c:65:4f:8b:65:33:
e5:db:14:ce:01:d2:4f:9f:e4:c6:c8:35:50:09:a2:
f3:48:0a:ac:06:fd:66:42:30:10:a4:e7:fa:a8:2b:
0b:2b:ef:ce:83:82:4e:0d:86:34:ce:0c:8d:0c:a2:
f5:88:4d:38:9f:3b:dd:2e:6e:e3:8c:60:69:da:8d:
a4:d4:db:d5:cd:26:91:95:ca:a2:47:de:3c:f3:8f:
52:b8:e5:b0:09:26:af:77:fb:a3:5b:40:f6:e8:1b:
66:d7:b7:1b:da:2c:6c:34:99:76:de:c4:9b:80:69:
25:d5:12:2f:cb:9b:c5:d2:7e:15:a7:50:5f:54:5c:
9d:6b:8c:c0:9c:03:3f:96:f3:8a:2c:a6:05:ec:a4:
d3:83:84:61:13:da:57:6d:e8:8c:93:d9:40:38:24:
96:c9
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing
X509v3 Subject Alternative Name:
DNS:srv-c01.mws.mds.xyz, DNS:cm-r01nn01.mws.mds.xyz, DNS:cm-r01nn02.mws.mds.xyz
X509v3 Subject Key Identifier:
F6:EA:97:6F:82:20:84:75:E9:63:71:2F:16:D6:41:8B:64:05:07:0D
Signature Algorithm: sha256WithRSAEncryption
4f:35:6d:18:dc:5c:4a:65:db:8c:62:75:0b:f8:da:2b:14:72:
22:f7:3a:ba:15:17:58:41:46:3b:6b:6e:40:db:6b:be:e5:07:
82:d1:37:0a:d6:4e:96:14:f6:87:ca:ff:d3:5f:a9:94:de:81:
e7:a1:28:94:0a:19:0b:f4:dc:ed:0a:a5:77:78:20:53:3f:3f:
03:54:67:a0:c4:a1:de:49:7d:e8:fc:2d:76:bd:7b:a5:98:cd:
45:7e:ba:21:79:e2:91:7d:f3:e9:d6:5d:b7:91:34:30:3a:e4:
3a:38:e9:33:9b:26:2e:3e:6c:c9:3d:5d:48:81:cb:35:2f:ff:
7a:ff:22:c2:f8:b5:a2:01:d0:54:7f:f2:08:33:89:78:80:af:
72:2d:d7:df:61:f0:4a:7f:d2:19:0d:c6:0c:51:ee:4e:c1:ed:
8d:8b:4f:82:17:47:6b:03:1a:f2:8b:00:cc:17:8a:75:ca:72:
c0:a4:a7:12:87:32:16:89:15:2c:80:d1:07:fd:37:e8:bf:f5:
87:6b:a2:dd:9d:a4:c4:2c:68:f8:d9:15:dd:3c:40:6d:8b:e0:
6d:c4:87:6d:39:a9:6b:91:f6:0a:bc:7c:63:e7:f0:37:cb:7a:
5f:35:6c:5c:f9:bb:cb:58:1a:b9:9c:49:ab:24:ac:2a:c9:2d:
3f:b2:2f:68
[root@azure-r01wn01 ~]#
[root@azure-r01wn01 ~]#
[root@azure-r01wn01 ~]#
[root@azure-r01wn01 ~]#
[root@azure-r01wn01 ~]# openssl s_client -connect $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "server_host=" | sed s/server_host=//):7182 -CAfile $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "verify_cert_file=" |sed s/verify_cert_file=//) -verify_hostname $(grep -v '^#' /etc/cloudera-scm-agent/config.ini | grep "server_host=" | sed s/server_host=//)</dev/null
CONNECTED(00000003)
depth=0 C = US, ST = California, L = Los Angeles, O = MDS, OU = MDS, CN = srv-c01.mws.mds.xyz
verify return:1
140276232329104:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1493:SSL alert number 42
140276232329104:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
0 s:/C=US/ST=California/L=Los Angeles/O=MDS/OU=MDS/CN=srv-c01.mws.mds.xyz
i:/C=US/ST=California/L=Los Angeles/O=MDS/OU=MDS/CN=srv-c01.mws.mds.xyz
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEHDCCAwSgAwIBAgIEXwUlWjANBgkqhkiG9w0BAQsFADByMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLTG9zIEFuZ2VsZXMxDDAK
BgNVBAoTA01EUzEMMAoGA1UECxMDTURTMRwwGgYDVQQDExNzcnYtYzAxLm13cy5t
ZHMueHl6MB4XDTE5MDcxOTAyNDYxOFoXDTI5MDcxNjAyNDYxOFowcjELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFDASBgNVBAcTC0xvcyBBbmdlbGVz
MQwwCgYDVQQKEwNNRFMxDDAKBgNVBAsTA01EUzEcMBoGA1UEAxMTc3J2LWMwMS5t
d3MubWRzLnh5ejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMWpAIMS
ngKGMk4rp8Yaa53jVgBTIgHY24PNFHlqhScg9l2GDguv30bdwyNy8L84Ps2fkuZl
gXsmMlD8gQ573bRhb6dW7Mj+iXLs5eBjYZJ3CzZBmJMUbVOgJPv7d0CYWy/SPGVP
i2Uz5dsUzgHST5/kxsg1UAmi80gKrAb9ZkIwEKTn+qgrCyvvzoOCTg2GNM4MjQyi
9YhNOJ873S5u44xgadqNpNTb1c0mkZXKokfePPOPUrjlsAkmr3f7o1tA9ugbZte3
G9osbDSZdt7Em4BpJdUSL8ubxdJ+FadQX1RcnWuMwJwDP5bziiymBeyk04OEYRPa
V23ojJPZQDgklskCAwEAAaOBuTCBtjBFBgNVHSUEPjA8BggrBgEFBQcDAQYIKwYB
BQUHAwIGCCsGAQUFBwMDBggrBgEFBQcDBAYIKwYBBQUHAwgGCCsGAQUFBwMJME4G
A1UdEQRHMEWCE3Nydi1jMDEubXdzLm1kcy54eXqCFmNtLXIwMW5uMDEubXdzLm1k
cy54eXqCFmNtLXIwMW5uMDIubXdzLm1kcy54eXowHQYDVR0OBBYEFPbql2+CIIR1
6WNxLxbWQYtkBQcNMA0GCSqGSIb3DQEBCwUAA4IBAQBPNW0Y3FxKZduMYnUL+Nor
FHIi9zq6FRdYQUY7a25A22u+5QeC0TcK1k6WFPaHyv/TX6mU3oHnoSiUChkL9Nzt
CqV3eCBTPz8DVGegxKHeSX3o/C12vXulmM1FfroheeKRffPp1l23kTQwOuQ6OOkz
myYuPmzJPV1Igcs1L/96/yLC+LWiAdBUf/IIM4l4gK9yLdffYfBKf9IZDcYMUe5O
we2Ni0+CF0drAxryiwDMF4p1ynLApKcShzIWiRUsgNEH/Tfov/WHa6LdnaTELGj4
2RXdPEBti+BtxIdtOalrkfYKvHxj5/A3y3pfNWxc+bvLWBq5nEmrJKwqyS0/si9o
-----END CERTIFICATE-----
.
.
.
.
.
.
.
---
SSL handshake has read 18243 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5FEFEAC965EF94EEEA66EA13E233E18323258810C92903D96B3A57571739DEB4
Session-ID-ctx:
Master-Key: 6F693441CEDC0AF262F25FC41236CBE03B59BF78CF3FBD13A574C5BCD3095680985C7F5D2BFBDFA67AC932359C519E37
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1609558729
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
[root@azure-r01wn01 ~]#
# grep -Ei srv /etc/cloudera-scm-agent/config.ini
server_host=srv-c01.mws.mds.xyz