Question

I started getting the following prompt each time I run a command like cm status:

cs:630@rep:MyServer@repserver:ssl://<obfuscated>:8088

WARNING: the secure connection hostname provided in the server 
certificate doesn't match the server's hostname. This means that the 
certificate was not issued to this hostname or that there is a network 
configuration problem with this host.

- Certificate hostname: CN=ip-<obfuscated>
- Server hostname: CN=<obfuscated>

If you want to continue connecting to this host, choose 'Yes'. The certificate 
  validation will continue (not recommended).
If you want to abandon the connection, choose 'No' (recommended).

Choose an option (Y)es, (N)o (hitting Enter selects 'No'): Yes

The server you are connecting to has sent a certificate that is not in the 
store. This is normal if it is the first time that you connect to this server.

Certificate details: 
- Issued to: CN=ip-<obfuscated>
- Issued by: CN=ip-<obfuscated>
- Expiration date: 6/30/2023 6:15:40 AM
- Certificate hash: <obfuscated>

If you trust this host, choose 'Yes' to add the key to Plastic SCM's key store 
  (recommended if it is the first time you connect to this server).
If you want to carry on connecting just once, without adding the key to the 
  store, choose 'No'.

If you do not trust this host, choose 'Cancel' to abandon the connection.

Choose an option (Y)es, (N)o, (C)ancel (hitting Enter cancels): Yes

As you can see, it asks twice and I say yes twice each time. Same for the GUI. It appears that the trust relationship is not being remembered. Not sure what to check.

Possible Solution #1: Provide a server certificate that matches the server's hostname.


Solution

That happens when you are using a URL with the short name of the server ('myserver'),
while the certificate has been issued for the FQN (fully qualified name, like 'myserver.fr.com').

Or vice versa.

That is why, when I create a (self-signed) certificate, I always mention the complete subjectAltName, with short name and the FQN, as in this openssl config file:

[ v3_ca ]
subjectAltName = DNS:@FQN@, DNS:@HOSTNAME@

That way, your certificate can match multiple hostnames.
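As an added example (not part of the original answer), the script below generates a self-signed certificate from a config with the same `[ v3_ca ]` subjectAltName line and then checks which names it matches using `openssl x509 -checkhost`. The names `myserver` and `myserver.example.com` and the helper functions `make_cert` and `cert_matches` are assumptions made for illustration; the check uses OpenSSL's hostname matching, not the Plastic SCM client's.

```shell
#!/bin/sh
# Added example. Sample names are constructed, not taken from the page.
FQN=${FQN:-myserver.example.com}
HOSTNAME_SHORT=${HOSTNAME_SHORT:-myserver}

# make_cert <fqn> <shortname> <outdir>
# Writes san.cnf, server.key and server.crt; the SAN lists both names.
make_cert() {
    fqn=$1; host=$2; dir=$3
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = $fqn
[ v3_ca ]
subjectAltName = DNS:$fqn, DNS:$host
EOF
    (
        umask 077   # -nodes leaves the key unencrypted, so keep it owner-only
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -config "$dir/san.cnf" \
            -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# cert_matches <cert> <name>: exit status 0 only when the cert covers <name>
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$FQN" "$HOSTNAME_SHORT" "$dir" || return 1
    # The third name is absent from the SAN and is expected to mismatch.
    for name in "$HOSTNAME_SHORT" "$FQN" "other.example.com"; do
        if cert_matches "$dir/server.crt" "$name"; then
            echo "match:    $name"
        else
            echo "MISMATCH: $name"
        fi
    done
    rm -rf "$dir"
}
demo
```

Running `cert_matches` against the server's existing certificate with the exact name used in the client URL shows whether the hostname warning is expected before any certificate is replaced.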

Licensed under: CC-BY-SA with attribution