Hostname/IP Does not Match Certificate's altnames Which Breaks the Communication to Management Plane

Problem

Comms not able to communicate to management plane and throwing the following error.

[2023-09-03 14:29:35.144] [ERROR] sni-broker.v0.mgplane.pf9.localnet-::1-5672-4 - TLS socket for client 28180 error: Error [ERR_TLS_CERT_
ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: broker.v0.mgplane.pf9.localnet. is not cert's CN: mgplane.pf9.localnet

Environment

Platform9 Edge Cloud - v-5.3.0-2075501

Cause

Host agent config file is not updated with the cert_version parameter which leads comms to use an older cert version.

root@worker0 ~]# cat /etc/pf9/hostagent.conf
[hostagent]

[ssl]
cert_version=
disable=True

From error message [2023-09-03 14:29:35.144] [ERROR] sni-broker.v0.mgplane.pf9.localnet-::1-5672-4 - TLS socket for client 28180 error.The sni-broker.v0 indicates it is referring to cert version v0.

Resolution

Identify the latest cert_version.

[root@mgplane ~]# ls -ltr /etc/pf9/certs/
total 12
drwxr-xr-x  2 root root  109 Mar 30  2022 web_test_ca
drwxr-xr-x 27 root root 4096 Jul  6 04:47 v1
drwxr-xr-x 27 root root 4096 Jul  6 04:47 v2
drwxr-xr-x 27 root root 4096 Jul  6 04:47 v3  <<---- Latest version

Update the hostagent.conf file

vi /etc/pf9/hostagent.conf

[hostagent]

[ssl]
cert_version=v3 <--- Add the latest version here.
disable=True

Restart the services.

# systemctl restart pf9-comms.servcie
# systemctl restart pf9-sidekick.servcie
# systemctl restart pf9-hostagent.servcie

PreviousNodelet Phase got Stuck at Cert Generation Phase due to no Response from Vault.NextCertificate Generation Fails Since Host CA Validity Is Less Than The Amount Of TTL With Which Certif

Last updated 4 months ago

Good morning

hashtagProblem

hashtagEnvironment

hashtagCause

hashtagResolution

hashtag

Problem

Environment

Cause

Resolution