Solved

Certificate issues with RHEL 6 and SCOM

Posted on 2012-03-14
5,083 Views
Last Modified: 2012-08-14
I'm having some issues with installing and discovering Operations Manager agents on RHEL6 servers.

The main issue is with the certificates.

I get some variation of this error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.

From the SCOM Server:

When installing from the server it fails with the following error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.

For additional help on this error please go to http://go.microsoft.com/fwlink/?LinkId=148011

However it partially installs and shows that the cert has the following information:
 
# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /CN=SCX-Certificate/title=SCX633376D2-E3E2-4f31-8461-D09259ACEF3D/DC=OPSMAN
notBefore=Mar 15 18:36:40 2011 GMT
notAfter=Mar 14 18:35:36 2022 GMT

So according to the Microsoft support page linked in the error I ran the following commands to change the name on the certificates:
 
# /opt/microsoft/scx/bin/tools/scxsslconfig -f -v
Setting debugMode=true
Generated hostname:   "SERVER1" (eGethostname)
Generated domainname: "MYDOMAIN.COM" (eEtcHosts)
 
Host Name:     SERVER1
Domain Name:   MYDOMAIN.COM
Start Days:    -365
End Days:      7300
Cert Length:   2048
Target Path:   /etc/opt/microsoft/scx/ssl
 
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
return code = 0
[root@SERVER1 sysconfig]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 19:04:12 2011 GMT
notAfter=Mar  9 19:04:12 2032 GMT

Then I restart the SCX service and try to rediscover in SCOM. It returns the following error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.    
 

/opt/microsoft/scx/bin/tools/scxsslconfig -f -h <hostname> -d <domain.name>

RHEL Server:

[root@SERVER1 myUsrAct]# /opt/microsoft/scx/bin/tools/scxsslconfig -f -h SERVER1 -d MYDOMAIN.COM
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
[root@SERVER1 myUsrAct]# /opt/microsoft/scx/bin/tools/scxadmin -restart
Shutting down Microsoft SCX CIM Server: [  OK  ]
Starting Microsoft SCX CIM Server: [  OK  ]
[root@SERVER1 myUsrAct]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 20:13:21 2011 GMT
notAfter=Mar  9 20:13:21 2032 GMT

SCOM Server:

[root@SERVER1 sysconfig]# /opt/microsoft/scx/bin/tools/scxsslconfig -f -h opsmgr -d MYDOMAIN.COM
Generating certificate with hostname="opsmgr", domainname="MYDOMAIN.COM"
[root@SERVER1 sysconfig]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=opsmgr/CN=opsmgr.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=opsmgr/CN=opsmgr.MYDOMAIN.COM
notBefore=Mar 15 19:15:17 2011 GMT
notAfter=Mar  9 19:15:17 2032 GMT


Both get the same error when you try to discover the server in SCOM:

The certificate Common Name (CN) does not match. Please resolve the issue, and then run the Unix/Linux Discovery Wizard again.
 
The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.  
 
 

Manual Install:


# rpm -ivh scx-1.0.4-277.rhel.6.x64.rpm 
Preparing...                ########################################### [100%]
   1:scx                    ########################################### [100%]
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
Starting Microsoft SCX CIM Server: [  OK  ]
[root@SERVER1 myUsrAct]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 19:51:03 2011 GMT
notAfter=Mar  9 19:51:03 2032 GMT

 
The certificate Common Name (CN) does not match. Please resolve the issue, and then run the Unix/Linux Discovery Wizard again.
 
The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:    
The SSL certificate is signed by an unknown certificate authority.  
The SSL certificate contains a common name (CN) that does not match the hostname.

Any suggestions for getting the certs fixed to get monitoring going?
 

=========

Name:         Red Hat Enterprise Linux Server 6 Operating System
Version:      6.1.7000.293
Sealed:       Yes
Date Created: 3/7/2012 10:42:33 AM
Description:  Microsoft Red Hat Enterprise Linux Server 6 Operating System Management Pack: This management pack discovers and monitors Red Hat Enterprise Linux Server 6.
Question by:bobstits
5 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 37723249
Is your CA on the windows server, or are you using OpenSSL on the rh6 box to issue self signed certificates?
Did you add the CA certificate into the GPO to be pushed to all systems in the environment?
 

Author Comment

by:bobstits
ID: 37724643
Arnold,

Neither. As far as I'm aware, Operations Manager doesn't need a CA unless it's monitoring systems outside of its domain, which we are not.

It should also be noted that I have successfully connected a RHEL 5 server to be monitored, but I didn't have to alter the certs in any way.
 
LVL 78

Expert Comment

by:arnold
ID: 37725446
According to your error the issue is with a certificate that is being presented and an inability to validate whether the certificate has been revoked.
What issued the certificate?
Did you resign the certificate?
http://social.technet.microsoft.com/Forums/en-US/crossplatformgeneral/thread/69e82c79-a8cd-4382-8e4b-9f58dc1f1db4/
Which seems to be part of what you ran; a second suggestion deals with specifying the host and other parameters.

Does the hostname on the RHEL system match the encoded hostname in the certificate?

http://social.technet.microsoft.com/wiki/contents/articles/4966.aspx
server1.mydomain.com versus what yours seems to be, server1.
Try running
hostname
Does it say server1.mydomain.com or just server1?
To reset, use hostname server1.mydomain.com and see if it alters the behavior.
 

Accepted Solution

by:
bobstits earned 0 total points
ID: 37726195
I added the server name to the hosts file on the SCOM server and it no longer gives me this error.
e.g.:
192.168.1.100   Server1.MYDOMAIN.COM

Once I stopped the SCM service and removed it, I was able to push out the agent and have it installed correctly.

For the record: after it was installed the cert looked like this:
# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /CN=SCX-Certificate/title=SCX633376D2-E3E2-4f31-8461-D09259ACEF3D/DC=OPSMAN
notBefore=Mar 15 18:36:40 2011 GMT
notAfter=Mar 14 18:35:36 2022 GMT

 

Author Closing Comment

by:bobstits
ID: 37741245
Just wanted to add an update:

Another solution, which does not involve the SCOM hosts file, is to edit the /etc/hosts file on the Linux server.

The hosts file prior to editing looked like the following:
192.168.1.100   server1.local server1

When we ran the following command:
# hostname -f

it returned
server1.local

--------

We added the FQDN:
192.168.1.100   server1.mydomain.com server1.local server1

# hostname -f
server1.mydomain.com

which is what the SCOM server is expecting.
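As an added illustration (not code from the thread or from the SCX agent), a small Python check that combines the two points the thread settles on: the certificate's CN must equal the FQDN SCOM connects to, and `hostname -f` on the agent must return that same FQDN, which with /etc/hosts means the FQDN has to be the first name on the host's line. The subject line and hosts entries are constructed copies of the values pasted above.

```python
# Constructed sample inputs, copied from the thread's pasted output (not live system data).
SUBJECT_LINE = "subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM"
HOSTS_BEFORE = "127.0.0.1   localhost\n192.168.1.100   server1.local server1\n"
HOSTS_AFTER = "127.0.0.1   localhost\n192.168.1.100   server1.mydomain.com server1.local server1\n"
AGENT_IP = "192.168.1.100"
EXPECTED_FQDN = "SERVER1.MYDOMAIN.COM"  # the name the SCOM discovery wizard connects to on port 1270


def subject_cns(subject_line):
    """Extract every CN value from an 'openssl x509 -subject' line (slash-separated DN format)."""
    dn = subject_line.split("=", 1)[1].strip()
    return [rdn[3:] for rdn in dn.split("/") if rdn.startswith("CN=")]


def hosts_canonical_name(hosts_text, ip):
    """Return the canonical (first) name on the /etc/hosts line for ip.

    With 'files' first in the resolver order this is what 'hostname -f' reports,
    so 'server1.local server1' yields server1.local, not the FQDN SCOM expects.
    """
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, then whitespace-split
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return None


def diagnose(subject_line, hosts_text, ip, expected_fqdn):
    """Return a list of findings; an empty list means cert CN and resolved FQDN both match."""
    findings = []
    cns = subject_cns(subject_line)
    # DNS names are case-insensitive, so SERVER1.MYDOMAIN.COM and server1.mydomain.com match.
    if not any(cn.lower() == expected_fqdn.lower() for cn in cns):
        findings.append("certificate CNs %s do not include %s; regenerate with "
                        "scxsslconfig -f -h <hostname> -d <domain.name>" % (cns, expected_fqdn))
    fqdn = hosts_canonical_name(hosts_text, ip)
    if fqdn is None:
        findings.append("no /etc/hosts entry for %s; 'hostname -f' will depend on DNS" % ip)
    elif fqdn.lower() != expected_fqdn.lower():
        findings.append("'hostname -f' would return %s, not %s; put the FQDN first on the %s line"
                        % (fqdn, expected_fqdn, ip))
    return findings


if __name__ == "__main__":
    for label, hosts in (("before", HOSTS_BEFORE), ("after", HOSTS_AFTER)):
        print(label, diagnose(SUBJECT_LINE, hosts, AGENT_IP, EXPECTED_FQDN) or ["OK"])
```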
