Unable to register client with local SMT server

Hi.
Previously, we were able to register our client machines with our local registration server instead of NCC. We just did a site move and the only thing that might have changed is the IP address of the server.

Running clientSetup4SMT.sh was ok, certificate was accepted and it shows ‘Client setup finished’
However, after running suse_register -L /root/.suse_register.log, we received the following error:
ERROR: SSL peer certificate or SSH remote key was not OK: (51)
(2)
ERROR: SSL peer certificate or SSH remote key was not OK: (51)
(2)

This, despite re-creating the SMT 11 CA and server certificate following instructions in http://www.novell.com/support/kb/doc.php?id=7006024

Appreciate in advance any help brought forward!

Hi seahcw,

there are a few things that may have gone wrong. I assume you had restarted SMT as it was pointed out in the referenced document, so that the server did pick up the new certificate file, but somehow the client seems to believe that the server certificate does not match the server.

Iirc, with curl, error 51 is caused by a mismatch of certificate DN and the server name the request was sent to (i.e. you send your request to “smt.company.com” but the certificate is issued to “server554.company.com”, because that’s the hostname of that server… although DNS gets you to the right server, the certificate does not match.)

Could you please verify the details of the certificate and the server host name used with clientSetup4SMT.sh?

Regards,
Jens

Hi Jens,

Thanks for the reply. As this is only for our local testing, we do not have a FQDN, so we accepted the default of computername.site as per during installation. Therefore, our current setup looks something like:

SMT server hostname (as returned by ‘hostname’) : computername
Common name of the server certificate given during creation: computername.site

However, looking at the output after running clientSetup4SMT.sh, I noticed the following lines:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            xx:xx:xx:xx:xx:xx:xx:xx
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, CN=YaST Default CA/emailAddress=admin@localhost
        Validity
            Not Before: Nov 19 13:05:25 2013 GMT
            Not After : Nov 19 13:05:25 2023 GMT
        Subject: C=US, CN=YaST Default CA/emailAddress=admin@localhost

Seems that there is no indication of our server name anywhere. Is this where things are going wrong?

Regards,
Terry

Hi Terry,

> Seems that there is no indication of our server name anywhere. Is this where things are going wrong?

Yes and no - the SSL client (the machine you’re trying to connect to your SMT server, via HTTP) checks the host name it tried to connect to, against the host name reported via the certificate. If there’s a mismatch, the (SMT / httpd) server is not trusted, as it could have been some DNS spoofing that made the session go there.

You need to have the exact server name, as used by the SMT client, in the certificate. It will most probably fail if you have “computername” set via the setup script, and “computername.site” in the certificate.

Why “no” as one of the answers above: The subject DN you quoted shows the CA certificate, not the server certificate. You’re downloading the CA certificate to the client, so that the client can verify the actual server certificate (only stored on the SMT server, but sent as part of the SSL negotiation). Thus you might want to look at the CA file as used by the server (or connect to the server by https via some web browser, and look at the certificate - Firefox will show it to you so you can confirm its validity manually).

Regards,
Jens

argh - my bad: “Thus you might want to look at the CA file as used by the server” should read “Thus you might want to look at the certificate file as used by the server”.

Regards,
Jens

Hi Jens,

Thanks for your input. I have managed to find out what the issue is. The problem is that I am trying to register to the SMT server, passing the IP address of the SMT server to NCC (i.e. 10.110.1.5). However, the certificate is created using the hostname of ‘computer.site’. By adding an entry in /etc/hosts and using the hostname of the server to my SSL client (i.e. https://computername.site/center/revsvc/), the certificate was validated and my registration and connection succeeded.

Regards,
Terry

Hi Terry,

> I have managed to find out what is the issue. Problem is that I am trying to register to the SMT server, passing the IP address of the SMT server to NCC (i.e. 10.110.1.5). However, the certificate is created using the hostname of ‘computer.site’

Thanks for reporting back, and good to see you got it up & running!

Regards,
Jens
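
Added example, not part of the thread and not code from curl or suse_register: a Python sketch of the name check Jens describes, run against the three ways the server was addressed in this thread. The certificate dict is a constructed stand-in (CN as Terry states it, no subjectAltName assumed), the function names are hypothetical, and the matching rules are a simplified RFC 6125-style model.

```python
import ipaddress

# Constructed stand-in for the SMT server certificate, in the dict shape
# ssl.SSLSocket.getpeercert() returns. CN is the one Terry states; the
# absence of a subjectAltName extension is an assumption.
SERVER_CERT = {
    "subject": ((("countryName", "US"),),
                (("commonName", "computername.site"),)),
}

def cert_names(cert):
    """Return (dns_names, ip_names) the client compares the URL host against."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:
        # No SAN at all: fall back to the subject CN, as legacy certificates need.
        dns = [v for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(pattern, host):
    """Case-insensitive match; '*.' covers exactly one left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def check_name(requested, cert):
    """Return (ok, names): does the host from the registration URL match?"""
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(requested)
    except ValueError:
        addr = None
    if addr is not None:
        # Simplification: an IP literal only matches "IP Address" SAN entries.
        ok = any(ipaddress.ip_address(i) == addr for i in ips)
    else:
        ok = any(dns_match(p, requested) for p in dns)
    return ok, dns + ips

if __name__ == "__main__":
    # The three ways the server was addressed in the thread.
    for host in ("10.110.1.5", "computername", "computername.site"):
        ok, names = check_name(host, SERVER_CERT)
        print(f"{host:20} {'match' if ok else 'MISMATCH'}  (cert names: {names})")
```

Only the full name from the certificate passes; the IP address and the short host name both fail the check, which is the condition reported as error 51 above.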