ZENworks 2020 appliance fails to register to local SMT service using YaST

  • 7024518
  • 31-Mar-2020
  • 31-Mar-2020

Environment

ZENworks Configuration Management 2020 Appliance

Situation

When using YaST to register the appliance to a local SMT server, the following error occurs:
"Error
Secure connection error: https://<hostname.domain>/ : hostname "<hostname.domain>" does not match the server certificate"

When using curl to access the server via HTTPS:

# curl -v https://<hostname.domain>/

the following error occurs:

curl: (51) SSL: no alternative certificate subject name matches target host name '<hostname.domain>'

The certificate itself is correct and is trusted by other applications and services. However, its Subject Alternative Name (SAN) extension has no DNS name entry containing the CN of the server; it does contain an entry for the IP address of the server.


Resolution

There are several options to address this issue.

1. Register the appliance to the local SMT service using HTTP instead of HTTPS. Since the communication between the ZENworks appliance and SMT normally happens within a protected network, this option can be considered secure.

2. Generate a new certificate for the SMT server which contains the DNS name in the Subject Alternative Name (SAN).

Cause

curl version 7.60 in the 2020 Appliance ignores the CN and instead looks for a DNS name in the Subject Alternative Name (SAN).

Additional Information

This is not a defect.
Older curl versions may work.
The behavior is due to RFC 6125, Section 6.4.4:

https://tools.ietf.org/html/rfc6125#section-6.4.4

As noted, a client MUST NOT seek a match for a reference identifier
of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
URI-ID, or any application-specific identifier types supported by the
client.
Therefore, if and only if the presented identifiers do not include a
DNS-ID, SRV-ID, URI-ID, or any application-specific identifier types
supported by the client, then the client MAY as a last resort check
for a string whose form matches that of a fully qualified DNS domain
name in a Common Name field of the subject field (i.e., a CN-ID).
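
The following is an added example, not part of the original article or of any ZENworks or SMT tooling. It classifies a certificate against the name a client connects to, showing why a certificate with the hostname only in the CN and an IP-only SAN falls into the "last resort" CN-ID case that the appliance's curl rejects. The dictionaries use the layout returned by Python's ssl.SSLSocket.getpeercert(); the hostname, address and sample certificates are constructed placeholders, and only DNS-IDs are modelled (not SRV-ID or URI-ID).

```python
import ipaddress

def presented_identifiers(cert):
    """Split a dict in ssl.SSLSocket.getpeercert() layout into DNS-IDs, IPs and CN-IDs."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def name_matches(pattern, host):
    """Exact label-by-label match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.rstrip(".").split("."), host.rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, reference):
    """Return 'san-dns-match', 'san-ip-match', 'cn-only' or 'no-match'."""
    dns, ips, cns = presented_identifiers(cert)
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:                  # client connects by IP address
        return "san-ip-match" if ref_ip in ips else "no-match"
    host = reference.lower()
    if any(name_matches(d, host) for d in dns):
        return "san-dns-match"              # name is present as a DNS-ID
    if not dns and any(name_matches(c, host) for c in cns):
        # Last-resort CN-ID of RFC 6125 6.4.4: a client MAY accept it, and a
        # client that ignores the CN (the appliance's curl) rejects it.
        return "cn-only"
    return "no-match"                       # includes a CN hit when a DNS-ID exists

# Constructed sample certificates (names and addresses are placeholders).
SUBJECT = ((("commonName", "smt.example.com"),),)
BROKEN = {"subject": SUBJECT, "subjectAltName": (("IP Address", "192.0.2.10"),)}
FIXED = {"subject": SUBJECT,
         "subjectAltName": (("DNS", "smt.example.com"), ("IP Address", "192.0.2.10"))}

if __name__ == "__main__":
    for label, cert in (("IP-only SAN", BROKEN), ("DNS + IP SAN", FIXED)):
        print(label, "->", diagnose(cert, "smt.example.com"))
```

A result of "cn-only" for the SMT hostname means the certificate needs to be reissued with a DNS entry in the SAN (option 2 above) before HTTPS registration will succeed.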