6 Replies Latest reply on Aug 13, 2015 1:39 PM by Zsoldier

    vROps SSL Cert Errors

    Zsoldier Expert
    vExpert

      I seem to have noticed that creating a signed cert w/ a C-Name as the common name rather than the master node's A-record causes me to get cert errors even though the cert is valid.  Doing the reverse ends up w/ the same result.

       

      The only time the cert shows as 'valid' is when I connect to the master node via it's IP or A record shown @ the consoles login screen.  Is this normal behavior?  I feel that it may be a bug as I did not see these issues w/ 5.8.

       

      For example:

      Master Node IP: 192.168.1.50

      Master Node A Record: vropsmaster-node.localdom.com

      Master Node C Name: vrops.localdom.com

       

      Certificate Info:

      Common Name: vrops.localdom.com

      Subject Alternative Name(s):

      DNS: vropsmaster-node.localdom.com

      IP: 192.168.1.50

       

       

      In this case, vropsmaster-node.localdom.com and 192.168.1.50 come back as having valid certificates.  Trying to connect to vrops.localdom.com has Chrome, IE, and Safari returning with host name mismatch errors for the cert.  Screenshot from Safari attached.

        • 1. Re: vROps SSL Cert Errors
          mark.j Master
          VMware Employees

          Is this a SAN cert?

          • 2. Re: vROps SSL Cert Errors
            Zsoldier Expert
            vExpert

            yes

            • 3. Re: vROps SSL Cert Errors
              mark.j Master
              VMware Employees

              I'm curious what fields are populated in the SAN Cert. Did you put the IP in it as per your thread above? My normal commands to gen a SAN csr is as follows:


              openssl genrsa -des3 -out cluster.key 2048


               

              openssl req -new -key cluster.key -sha256 -nodes

                -subj '/C=US/ST=New York/L=New York/O=Hosting/OU=Team/CN=www.cluster.com/

                       emailAddress=administrative-not-existent-address@cluster.com/

                       subjectAltName=DNS.1=node1.cluster.com,

                       DNS.2=node2.cluster.com’ > cluster.csr

              • 4. Re: vROps SSL Cert Errors
                Zsoldier Expert
                vExpert

                Here is an example of the cfg file I'm using to create the CSR:

                [ req ]

                default_bits = 2048

                default_keyfile = rui.key

                distinguished_name = req_distinguished_name

                encrypt_key = no

                prompt = no

                string_mask = nombstr

                req_extensions = v3_req

                 

                 

                [ v3_req ]

                basicConstraints = CA:FALSE

                keyUsage = digitalSignature, keyEncipherment, dataEncipherment

                extendedKeyUsage = serverAuth, clientAuth

                # Edit below to match your needed config

                subjectAltName = DNS:vrops, IP:192.168.1.50,DNS:vropsmaster.localdom.com

                 

                 

                [ req_distinguished_name ]

                countryName = US

                # Update w/ your location's information

                stateOrProvinceName = Georgia

                localityName = Atlanta

                0.organizationName = TakeAGuess

                organizationalUnitName = MyGroup

                # Change below

                commonName = vrops.localdom.com

                emailAddress = me@test.com

                 

                OpenSSL command to generate the CSR

                D:\OpenSSL-Win32\bin\openssl req -out %location%%certname%.csr -new -newkey rsa:2048 -nodes -keyout %location%%certname%.key -config %location%%certname%.cfg

                • 5. Re: vROps SSL Cert Errors
                  mark.j Master
                  VMware Employees

                  Drop the IP and shortname from the cert's subject alt names.. I've never added non-FQDN in there before and if I was a betting man our QE didn't test for it either. Just add the FQDN of the master and see what it does..

                  • 6. Re: vROps SSL Cert Errors
                    Zsoldier Expert
                    vExpert

                    Ok, I figured it out.

                     

                    Change Common Name to that of the vropsmaster node and made the C-Name 'alias' as a SAN entry.  That solved the issue.

                     

                    So like above:

                    subjectAltName = DNS:vrops, IP:192.168.1.50,DNS:vrops.localdom.com

                     

                     

                    [ req_distinguished_name ]

                    countryName = US

                    # Update w/ your location's information

                    stateOrProvinceName = Georgia

                    localityName = Atlanta

                    0.organizationName = TakeAGuess

                    organizationalUnitName = MyGroup

                    # Change below

                    commonName = vropsmaster.localdom.com

                    emailAddress = me@test.com