  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5437

Certificate issues with RHEL 6 and SCOM

I'm having some issues with installing and discovering Operations Manager agents on RHEL6 servers.

The main issue is with the certificates.

I get some variation of this error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.

From the SCOM Server:

When installing from the server it fails with the following error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.

For additional help on this error please go to http://go.microsoft.com/fwlink/?LinkId=148011

However it partially installs and shows that the cert has the following information:
 
# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /CN=SCX-Certificate/title=SCX633376D2-E3E2-4f31-8461-D09259ACEF3D/DC=OPSMAN
notBefore=Mar 15 18:36:40 2011 GMT
notAfter=Mar 14 18:35:36 2022 GMT

 So according to the Microsoft support page listed in the error I run the following commands to change the name on the certificates:
/opt/microsoft/scx/bin/tools/scxsslconfig -f -v
 
# /opt/microsoft/scx/bin/tools/scxsslconfig -f -v
Setting debugMode=true
Generated hostname:   "SERVER1" (eGethostname)
Generated domainname: "MYDOMAIN.COM" (eEtcHosts)
 
Host Name:     SERVER1
Domain Name:   MYDOMAIN.COM
Start Days:    -365
End Days:      7300
Cert Length:   2048
Target Path:   /etc/opt/microsoft/scx/ssl
 
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
return code = 0
[root@SERVER1 sysconfig]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 19:04:12 2011 GMT
notAfter=Mar  9 19:04:12 2032 GMT
[root@SERVER1 sysconfig]# ^
 



 Then I restart the SCX service and then try to rediscover in SCOM. It returns with the following error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.    
 

/opt/microsoft/scx/bin/tools/scxsslconfig -f -h <hostname> -d <domain.name>

RHEL Server:

[root@SERVER1 myUsrAct]# /opt/microsoft/scx/bin/tools/scxsslconfig -f -h SERVER1 -d MYDOMAIN.COM
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
[root@SERVER1 myUsrAct]# /opt/microsoft/scx/bin/tools/scxadmin -restart
Shutting down Microsoft SCX CIM Server: [  OK  ]
Starting Microsoft SCX CIM Server: [  OK  ]
[root@SERVER1 myUsrAct]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 20:13:21 2011 GMT
notAfter=Mar  9 20:13:21 2032 GMT



SCOM Server:

[root@SERVER1 sysconfig]# /opt/microsoft/scx/bin/tools/scxsslconfig -f -h opsmgr -d MYDOMAIN.COM
Generating certificate with hostname="opsmgr", domainname="MYDOMAIN.COM"
[root@SERVER1 sysconfig]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=opsmgr/CN=opsmgr.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=opsmgr/CN=opsmgr.MYDOMAIN.COM
notBefore=Mar 15 19:15:17 2011 GMT
notAfter=Mar  9 19:15:17 2032 GMT
[root@SERVER1 sysconfig]# 



Both get the same error when you try and Discover the server on SCOM:

The certificate Common Name (CN) does not match. Please resolve the issue, and then run the Unix/Linux Discovery Wizard again.
 
The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.  
 
 

Manual Install:


# rpm -ivh scx-1.0.4-277.rhel.6.x64.rpm 
Preparing...                ########################################### [100%]
   1:scx                    ########################################### [100%]
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
Starting Microsoft SCX CIM Server: [  OK  ]
[root@SERVER1 myUsrAct]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 19:51:03 2011 GMT
notAfter=Mar  9 19:51:03 2032 GMT



 
The certificate Common Name (CN) does not match. Please resolve the issue, and then run the Unix/Linux Discovery Wizard again.
 
The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:    
The SSL certificate is signed by an unknown certificate authority.  
The SSL certificate contains a common name (CN) that does not match the hostname.

Any suggestions for getting the certs fixed to get monitoring going?
 

=========

Name: Red Hat Enterprise Linux Server 6 Operating System
Version: 6.1.7000.293
Sealed: Yes
Date Created: 3/7/2012 10:42:33 AM
Description: Microsoft Red Hat Enterprise Linux Server 6 Operating System Management Pack: This management pack discovers and monitors Red Hat Enterprise Linux Server 6.
Asked by: bobstits

arnold Commented:
Is your CA on the windows server, or are you using OpenSSL on the rh6 box to issue self signed certificates?
Did you add the CA certificate into the GPO to be pushed to all systems in the environment?

bobstits (Author) Commented:
Arnold,

Neither. As far as I'm aware, Operations Manager doesn't need a CA unless it's monitoring systems outside of its domain, which we are not.

It should also be noted that I have successfully connected a RHEL 5 server to be monitored, but I didn't have to alter the certs in any way.

arnold Commented:
According to your error, the issue is with a certificate that is being presented and an inability to validate whether the certificate has been revoked.
What issued the certificate?
Did you re-sign the certificate?
http://social.technet.microsoft.com/Forums/en-US/crossplatformgeneral/thread/69e82c79-a8cd-4382-8e4b-9f58dc1f1db4/
That seems to be part of what you ran; a second suggestion deals with specifying host and other parameters.

Does the hostname on the RHEL system match the encoded hostname in the certificate?

http://social.technet.microsoft.com/wiki/contents/articles/4966.aspx
server1.mydomain.com versus what yours seems to be, server1.
Try running
hostname
Does it say server1.mydomain.com or just server1?
To reset, use hostname server1.mydomain.com and see if it alters the behavior.

bobstits (Author) Commented:
I added the server name to the host file on the SCOM server and it no longer gives me this error.
E.g.:
192.168.1.100   Server1.MYDOMAIN.COM

Once I stopped the SCM service and removed it, I was able to push out the agent and have it installed correctly.

For the record: after it was installed, the cert looked like this:
# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /CN=SCX-Certificate/title=SCX633376D2-E3E2-4f31-8461-D09259ACEF3D/DC=OPSMAN
notBefore=Mar 15 18:36:40 2011 GMT
notAfter=Mar 14 18:35:36 2022 GMT


bobstits (Author) Commented:
Just wanted to add an update:

Another solution that does not involve the SCOM hosts file is to edit the /etc/hosts file on the Linux server.

The host file prior to editing looked like the following:
192.168.1.100   server1.local server1

When we ran the following command:
#hostname -f

it returned
server1.local

--------

We added the FQDN:
192.168.1.100   server1.mydomain.com server1.local server1

#hostname -f
server1.mydomain.com

which is what the SCOM server is expecting.
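
Added example, not part of any post in this thread: an offline check of the two names the thread ends up comparing, the CNs in the agent certificate's subject and the canonical name that the /etc/hosts line yields for the host. The function names are hypothetical; the sample inputs are copied from the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): offline name checks. Function names are hypothetical.

# Print each CN from an `openssl x509 -noout -subject` line, lowercased, one per line.
# Accepts the "/DC=COM/CN=host" layout shown in the thread and the newer "DC = COM, CN = host".
subject_cns() (
    printf '%s\n' "$1" |
        sed -e 's/^subject= *//' -e 's/ *= */=/g' |
        tr '/,' '\n\n' |
        sed -n 's/^ *CN=\(.*\)$/\1/p' |
        tr '[:upper:]' '[:lower:]'
)

# Succeed only if some CN equals the expected name (case-insensitive, exact match).
cert_matches_name() (
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    subject_cns "$1" | grep -qxF -- "$want"
)

# From hosts-file text, print the first name on the line that lists the host.
# That first name is the canonical one, which is what `hostname -f` printed in the thread.
hosts_canonical_name() (
    printf '%s\n' "$1" | awk -v h="$2" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(h)) { print tolower($2); exit }
        }'
)

# diagnose <subject line> <hosts text> <short host name> <name SCOM connects to>
diagnose() (
    want=$(printf '%s' "$4" | tr '[:upper:]' '[:lower:]')
    canon=$(hosts_canonical_name "$2" "$3")
    if ! cert_matches_name "$1" "$4"; then
        echo "cert-cn-mismatch"
    elif [ "$canon" != "$want" ]; then
        echo "hosts-canonical-mismatch:$canon"
    else
        echo "ok"
    fi
)

# Sample inputs copied from the output posted in the thread.
SUBJECT='subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM'
HOSTS_BEFORE='192.168.1.100   server1.local server1'
HOSTS_AFTER='192.168.1.100   server1.mydomain.com server1.local server1'
diagnose "$SUBJECT" "$HOSTS_BEFORE" server1 SERVER1.MYDOMAIN.COM
diagnose "$SUBJECT" "$HOSTS_AFTER" server1 SERVER1.MYDOMAIN.COM
```

On a live agent, pass `"$(openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject)"` and `"$(cat /etc/hosts)"` in place of the sample strings.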