Hostname does not match


Hostname does not match

Joe Gresock
I've been banging my head against the wall on this one.. is there a good
way to further debug this RPG error?  The hostname clearly matches the
certificate CN.

2017-04-22 12:04:35,932 WARN [Remote Process Group
68ed2275-894d-3d75-b457-9d28a1b680e0:
https://ip-172-31-33-37.ec2.internal:8443/nifi Thread-1]
o.a.n.remote.StandardRemoteProcessGroup Unable to connect to
RemoteProcessGroup[https://ip-172-31-33-37.ec2.internal:8443/nifi] due to
javax.net.ssl.SSLPeerUnverifiedException: Host name '
*ip-172-31-33-37.ec2.internal*' does not match the certificate subject
provided by the peer (CN=*ip-172-31-33-37.ec2.internal*, OU=LZ, O=LZS,
L=Jessup, ST=Maryland, C=US)


--
I know what it is to be in need, and I know what it is to have plenty.  I
have learned the secret of being content in any and every situation,
whether well fed or hungry, whether living in plenty or in want.  I can do
all this through him who gives me strength.    *-Philippians 4:12-13*

Re: Hostname does not match

Joe Gresock
Just to follow up -- apparently if the Subject Alternate Name is set
incorrectly, it will result in this error.  Apparently the CN is ignored if
the SAN is set on the cert.

On Sat, Apr 22, 2017 at 12:08 PM, Joe Gresock <[hidden email]> wrote:

> I've been banging my head against the wall on this one.. is there a good
> way to further debug this RPG error?  The hostname clearly matches the
> certificate CN.
>
> 2017-04-22 12:04:35,932 WARN [Remote Process Group 68ed2275-894d-3d75-b457-9d28a1b680e0:
> https://ip-172-31-33-37.ec2.internal:8443/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup
> Unable to connect to RemoteProcessGroup[https://ip-
> 172-31-33-37.ec2.internal:8443/nifi] due to javax.net.ssl.SSLPeerUnverifiedException:
> Host name '*ip-172-31-33-37.ec2.internal*' does not match the certificate
> subject provided by the peer (CN=*ip-172-31-33-37.ec2.internal*, OU=LZ,
> O=LZS, L=Jessup, ST=Maryland, C=US)
>
>

Re: Hostname does not match

Andy LoPresto-2
Joe,

Sorry I missed this before you diagnosed it yourself. A couple of thoughts:

* Yes, the SAN is supposed to take priority over the CN for hostname verification. This is specified in RFC 2818 [1] among others. 
* If the SAN doesn’t match but the CN and hostname do, that error is frustratingly bad. We need to fix it. 
* I am not sure we enforce this order consistently throughout the application. I know the other day I gave conflicting information on PR 1669 because of just such a situation (hostname matches CN rather than SAN). 

I opened NIFI-3740 to address the error message improvement. 



Andy LoPresto
PGP Fingerprint: 70EC B3E5 98A6 5A3F D3C4  BACE 3C6E F65B 2F7D EF69

On Apr 23, 2017, at 4:42 PM, Joe Gresock <[hidden email]> wrote:

> Just to follow up -- apparently if the Subject Alternate Name is set
> incorrectly, it will result in this error.  Apparently the CN is ignored if
> the SAN is set on the cert.
>
> On Sat, Apr 22, 2017 at 12:08 PM, Joe Gresock <[hidden email]> wrote:
>
> > I've been banging my head against the wall on this one.. is there a good
> > way to further debug this RPG error?  The hostname clearly matches the
> > certificate CN.
> >
> > 2017-04-22 12:04:35,932 WARN [Remote Process Group 68ed2275-894d-3d75-b457-9d28a1b680e0:
> > https://ip-172-31-33-37.ec2.internal:8443/nifi Thread-1] o.a.n.remote.StandardRemoteProcessGroup
> > Unable to connect to RemoteProcessGroup[https://ip-
> > 172-31-33-37.ec2.internal:8443/nifi] due to javax.net.ssl.SSLPeerUnverifiedException:
> > Host name '*ip-172-31-33-37.ec2.internal*' does not match the certificate
> > subject provided by the peer (CN=*ip-172-31-33-37.ec2.internal*, OU=LZ,
> > O=LZS, L=Jessup, ST=Maryland, C=US)
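
The matching order discussed in this thread (SAN first, CN only when no dNSName SAN exists), as an added example that is not part of the original messages and is not NiFi's or its HTTP client's code. It works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports a mismatch that names the SAN entries instead of only the subject. Assumptions: the SAN value `nifi-node1.example.internal` is constructed (the thread never shows the certificate's real SAN), and wildcard support is limited to a whole left-most label.

```python
# Added example: RFC 2818 section 3.1 matching order over the dict shape that
# ssl.SSLSocket.getpeercert() returns. All certificate data below is constructed.

def label_match(pattern, host):
    """Compare one name with host, label by label, case-insensitively.
    Assumption: '*' is honoured only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_hostname(cert, host):
    """Return (ok, reason). The CN is consulted only if no dNSName SAN exists."""
    dns_sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn
           if k == "commonName"]
    if dns_sans:
        if any(label_match(s, host) for s in dns_sans):
            return True, "matched SAN dNSName"
        # The case from this thread: say which names were actually checked.
        cn_hit = [c for c in cns if label_match(c, host)]
        note = (" (CN %r matches but is ignored because a SAN is present)"
                % cn_hit[0]) if cn_hit else ""
        return False, "host %r not in SAN dNSNames %r%s" % (host, dns_sans, note)
    if any(label_match(c, host) for c in cns):
        return True, "matched CN (no dNSName SAN present)"
    return False, "host %r matches neither SAN nor CN %r" % (host, cns)

# Constructed sample certificates; HOST and the subject fields mirror the log line.
HOST = "ip-172-31-33-37.ec2.internal"
SUBJECT = ((("commonName", HOST),), (("organizationalUnitName", "LZ"),))
BAD_SAN_CERT = {"subject": SUBJECT,
                "subjectAltName": (("DNS", "nifi-node1.example.internal"),)}
GOOD_SAN_CERT = {"subject": SUBJECT, "subjectAltName": (("DNS", HOST),)}
CN_ONLY_CERT = {"subject": SUBJECT}

if __name__ == "__main__":
    for name, cert in (("bad SAN", BAD_SAN_CERT), ("good SAN", GOOD_SAN_CERT),
                       ("CN only", CN_ONLY_CERT)):
        print(name, "->", verify_hostname(cert, HOST))
```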

