
Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry

Contributor


Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry.

Ranger Admin is stuck at:

2018-01-19 05:05:15,951 [alpha1.openstacklocal-startStop-1] DEBUG org.apache.ranger.biz.ServiceDBStore (ServiceDBStore.java:341) - <== ServiceDefDBStore.initStore()
2018-01-19 05:05:16,244 [alpha1.openstacklocal-startStop-1] DEBUG apache.ranger.security.web.authentication.RangerAuthenticationEntryPoint (RangerAuthenticationEntryPoint.java:66) - AjaxAwareAuthenticationEntryPoint(): constructor
2018-01-19 05:05:16,350 [alpha1.openstacklocal-startStop-1] INFO  apache.ranger.security.web.filter.RangerCSRFPreventionFilter (RangerCSRFPreventionFilter.java:81) - Adding cross-site request forgery (CSRF) protection

So, for Ranger Admin, is it necessary to have the CN as the FQDN of the Ranger Admin host?
SAN entries are checked first, before the CN entry, right?

4 REPLIES

Re: Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry

Super Collaborator

I think this is what you want to know:

How Browsers Use the Subject Alternative Name Field in Your SSL Certificate

When browsers connect to your server using HTTPS, they check to make sure your SSL Certificate matches the host name in the address bar.

There are three ways for browsers to find a match:

  1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
  2. The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.
  3. The host name is listed in the Subject Alternative Name field.
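
The three matching rules listed above, as an added example that is not part of the original reply: a Python check over the dictionary shape returned by `ssl.SSLSocket.getpeercert()`. It goes one step beyond the list by applying the RFC 2818 section 3.1 precedence (when SAN DNS entries are present they are used instead of the CN); the certificates, the CN values, `alpha2.openstacklocal` and the helper names are constructed for illustration.

```python
# Added example: hostname matching over the dict shape returned by
# ssl.SSLSocket.getpeercert(). Certificates and helper names are constructed.

def name_matches(pattern, host):
    """Compare one certificate name with the host, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one left-most label and needs two more labels.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def match_hostname(cert, host):
    """Return (matched, source); source is "SAN", "CN" or None."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # RFC 2818 section 3.1: with DNS entries present, the CN is not consulted.
        ok = any(name_matches(n, host) for n in dns_names)
        return (ok, "SAN" if ok else None)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ok = any(name_matches(n, host) for n in cns)
    return (ok, "CN" if ok else None)

HOST = "alpha1.openstacklocal"  # host name seen in the log lines of the question

CERT_THREAD_CASE = {  # constructed: CN is not the FQDN, SAN lists the host
    "subject": ((("commonName", "ranger-admin"),),),
    "subjectAltName": (("DNS", HOST), ("DNS", "alpha2.openstacklocal")),
}
CERT_SAN_OMITS_HOST = {  # constructed: CN is the FQDN, but SAN leaves it out
    "subject": ((("commonName", HOST),),),
    "subjectAltName": (("DNS", "alpha2.openstacklocal"),),
}
CERT_WILDCARD_CN = {  # constructed: no SAN extension, wildcard CN as in rule 2
    "subject": ((("commonName", "*.example.com"),),),
}

if __name__ == "__main__":
    for label, cert, host in [
        ("thread case", CERT_THREAD_CASE, HOST),
        ("SAN omits host", CERT_SAN_OMITS_HOST, HOST),
        ("wildcard CN", CERT_WILDCARD_CN, "www.example.com"),
    ]:
        print(label, host, match_hostname(cert, host))
```

Under this precedence a certificate like the one in the question (CN not the FQDN, host listed in the SAN) passes hostname verification, while a matching CN does not rescue a certificate whose SAN list omits the host.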

Re: Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry

Contributor

I have the hostname mentioned in the SAN field; still, the service is not coming up.

Re: Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry

Super Collaborator

If I get it right, Ranger Admin can't connect to the Ranger backend (database?) after you connected to the Ranger UI? In this second case it is possible that the Ranger UI (or the Apache server running it) simply doesn't use the SAN information, as this is something that the client/initiator of the connection (normally the browser in HTTPS) validates.

Re: Issue with Ranger Admin SSL with Internal CA with SAN entries where CN is not FQDN of ranger host, SAN entry contains Ranger Admin host entry

Pravin - Did you resolve the issue? According to this JIRA, it's been fixed since Ranger 0.5.3. If not, we should raise a new bug.

https://issues.apache.org/jira/browse/RANGER-746