Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

java.security.cert.CertificateException: No subject alternative names present

Labels:
Navya
New Contributor

Created ‎06-16-2018 01:11 AM

I am seeing the below error when I am enabling SSL for the first time in cloudera manager. Cloudera Management servcies fail to start with below error:

 

Failed to publish event: SimpleEvent{attributes={ROLE_TYPE=[EVENTSERVER], EXCEPTION_TYPES=[javax.net.ssl.SSLHandshakeException, java.security.cert.CertificateException], HOST_IDS=[xxx], STACKTRACE=[javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present

.

.

No descriptor fetched from https://<ip>:7183 on after 1 tries, sleeping for 2 secs

No descriptor fetched from https://<ip>:7183 on after 2 tries, sleeping for 2 secs

No descriptor fetched from https://<ip>:7183 on after 3 tries, sleeping for 2 secs

No descriptor fetched from https://<ip>:7183 on after 4 tries, sleeping for 2 secs

No descriptor fetched from https://<ip>:7183 on after 5 tries, sleeping for 2 secs

Could not fetch descriptor after 5 tries, exiting.

 

What could the problem be here ?

4,357 Views
0 Kudos
2 REPLIES 2

Harsh J
Master Guru

Created ‎06-16-2018 01:54 AM

The reason for that message is that the certs only publish the hostname
they can authenticate as, but when you connect by an IP then there's no
entry in the cert (such as a Subject Alternative Name field) that matches
the IP. The solution for this isn't to add the IP to the SAN field though,
the problem is instead this: You shouldn't even be seeing the IP being used
to connect to the CM in the MGMT services as your log currently indicates.

Run the Host Inspector (CM -> Hosts -> All Hosts -> Inspect All Hosts
button). Does it fully pass on its DNS forward and reverse lookup tests
across all hosts? Without that TLS or even Kerberos is not expected to
work. Network/OS requirements for clusters is covered here:
https://www.cloudera.com/documentation/enterprise/release-notes/topics/rn_consolidated_pcm.html#cdh_...
4,347 Views

Navya
New Contributor

Created ‎06-16-2018 02:10 AM

Thank you Harsha for the clarification.

 

The servers do not have an FQDN configured. We just have hostnames. Can we continue with SSL with just these? Or do we need to have FQDN mandatorily for SSL.

 

Note: We are trying to configure Self-signed SSL.

4,345 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Community Announcements
March 2023 Community Highlights
What's New @ Cloudera
Cloudera DataFlow Designer for self-service data flow development is now generally available to all CDP Public Cloud customers
What's New @ Cloudera
Cloudera Operational Database (COD) UI provides the JWT configuration details to connect to your HBase client
What's New @ Cloudera
Cloudera Operational Database (COD) UI allows storage type selection when creating an operational database
What's New @ Cloudera
Release of Cloudera Streaming Analytics (CSA) 1.9.0 for CDP 7.1.7 SP2 & CDP 7.1.8
View More Announcements