Solved

Certificate issues with RHEL 6 and SCOM

Posted on 2012-03-14
4,845 Views
Last Modified: 2012-08-14
I'm having some issues with installing and discovering Operations Manager agents on RHEL6 servers.

The main issue is with the certificates.

I get some variation of this error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.

From the SCOM Server:

When installing from the server it fails with the following error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.

For additional help on this error please go to http://go.microsoft.com/fwlink/?LinkId=148011

However it partially installs and shows that the cert has the following information:
 
# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /CN=SCX-Certificate/title=SCX633376D2-E3E2-4f31-8461-D09259ACEF3D/DC=OPSMAN
notBefore=Mar 15 18:36:40 2011 GMT
notAfter=Mar 14 18:35:36 2022 GMT

So, according to the Microsoft support page listed in the error, I run the following command to change the name on the certificates:
 
# /opt/microsoft/scx/bin/tools/scxsslconfig -f -v
Setting debugMode=true
Generated hostname:   "SERVER1" (eGethostname)
Generated domainname: "MYDOMAIN.COM" (eEtcHosts)
 
Host Name:     SERVER1
Domain Name:   MYDOMAIN.COM
Start Days:    -365
End Days:      7300
Cert Length:   2048
Target Path:   /etc/opt/microsoft/scx/ssl
 
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
return code = 0
[root@SERVER1 sysconfig]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 19:04:12 2011 GMT
notAfter=Mar  9 19:04:12 2032 GMT

Then I restart the SCX service and try to rediscover in SCOM. It returns the following error:

The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.    
 

/opt/microsoft/scx/bin/tools/scxsslconfig -f -h <hostname> -d <domain.name>

RHEL Server:

[root@SERVER1 myUsrAct]# /opt/microsoft/scx/bin/tools/scxsslconfig -f -h SERVER1 -d MYDOMAIN.COM
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
[root@SERVER1 myUsrAct]# /opt/microsoft/scx/bin/tools/scxadmin --restart
Shutting down Microsoft SCX CIM Server: [  OK  ]
Starting Microsoft SCX CIM Server: [  OK  ]
[root@SERVER1 myUsrAct]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer --dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 20:13:21 2011 GMT
notAfter=Mar  9 20:13:21 2032 GMT

SCOM Server:

[root@SERVER1 sysconfig]# /opt/microsoft/scx/bin/tools/scxsslconfig -f -h opsmgr -d MYDOMAIN.COM
Generating certificate with hostname="opsmgr", domainname="MYDOMAIN.COM"
[root@SERVER1 sysconfig]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=opsmgr/CN=opsmgr.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=opsmgr/CN=opsmgr.MYDOMAIN.COM
notBefore=Mar 15 19:15:17 2011 GMT
notAfter=Mar  9 19:15:17 2032 GMT

Both get the same error when you try to discover the server in SCOM:

The certificate Common Name (CN) does not match. Please resolve the issue, and then run the Unix/Linux Discovery Wizard again.
 
The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:
The SSL certificate could not be checked for revocation. The server used to check for revocation might be unreachable.    
The SSL certificate contains a common name (CN) that does not match the hostname.  
 
 

Manual Install:


# rpm -ivh scx-1.0.4-277.rhel.6.x64.rpm 
Preparing...                ########################################### [100%]
   1:scx                    ########################################### [100%]
Generating certificate with hostname="SERVER1", domainname="MYDOMAIN.COM"
Starting Microsoft SCX CIM Server: [  OK  ]
[root@SERVER1 myUsrAct]# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
notBefore=Mar 15 19:51:03 2011 GMT
notAfter=Mar  9 19:51:03 2032 GMT

The certificate Common Name (CN) does not match. Please resolve the issue, and then run the Unix/Linux Discovery Wizard again.
 
The server certificate on the destination computer (SERVER1.MYDOMAIN.COM:1270) has the following errors:    
The SSL certificate is signed by an unknown certificate authority.  
The SSL certificate contains a common name (CN) that does not match the hostname.

Any suggestions for getting the certs fixed to get monitoring going?
 

=========

Name: Red Hat Enterprise Linux Server 6 Operating System
Version: 6.1.7000.293
Sealed: Yes
Date Created: 3/7/2012 10:42:33 AM
Description: Microsoft Red Hat Enterprise Linux Server 6 Operating System Management Pack: This management pack discovers and monitors Red Hat Enterprise Linux Server 6.
Question by: bobstits

Expert Comment by: arnold
Is your CA on the windows server, or are you using OpenSSL on the rh6 box to issue self signed certificates?
Did you add the CA certificate into the GPO to be pushed to all systems in the environment?

Author Comment by: bobstits
Arnold,

Neither. As far as I'm aware, Operations Manager doesn't need a CA unless it's monitoring systems outside of its domain, which we are not.

It should also be noted that I have successfully connected a RHEL 5 server to be monitored, but I didn't have to alter the certs in any way.
Expert Comment by: arnold
According to your error the issue is with a certificate that is being presented and an inability to validate whether the certificate has been revoked.
What issued the certificate?
Did you re-sign the certificate?
http://social.technet.microsoft.com/Forums/en-US/crossplatformgeneral/thread/69e82c79-a8cd-4382-8e4b-9f58dc1f1db4/
This seems to be part of what you ran; a second suggestion deals with specifying the host and other parameters.

Does the hostname on the RHEL system match the hostname encoded in the certificate?

http://social.technet.microsoft.com/wiki/contents/articles/4966.aspx
server1.mydomain.com versus what yours seems to be, server1.
Try running
hostname
Does it say server1.mydomain.com or just server1?
To reset, use hostname server1.mydomain.com and see if it alters the behavior.

Accepted Solution by: bobstits
I added the server name to the hosts file on the SCOM server and it no longer gives me this error.
e.g.:
192.168.1.100   Server1.MYDOMAIN.COM

Once I stopped the SCM service and removed it, I was able to push out the agent and have it installed correctly.

For the record: after it was installed, the cert looked like this:
# openssl x509 -noout -in /etc/opt/microsoft/scx/ssl/scx.pem -subject -issuer -dates
subject= /DC=COM/DC=MYDOMAIN/CN=SERVER1/CN=SERVER1.MYDOMAIN.COM
issuer= /CN=SCX-Certificate/title=SCX633376D2-E3E2-4f31-8461-D09259ACEF3D/DC=OPSMAN
notBefore=Mar 15 18:36:40 2011 GMT
notAfter=Mar 14 18:35:36 2022 GMT


Author Closing Comment by: bobstits
Just wanted to add an update:

Another solution, which does not involve the SCOM hosts file, is to edit the /etc/hosts file on the Linux server.

The hosts file prior to editing looked like the following:
192.168.1.100   server1.local server1

When we ran the following command:
# hostname -f

it returned
server1.local

--------

We added the FQDN:
192.168.1.100   server1.mydomain.com server1.local server1

# hostname -f
server1.mydomain.com

which is what the SCOM server is expecting.
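The following is an added example, not code from this thread or from Microsoft's SCX package. It reproduces offline the two name checks behind the "CN does not match the hostname" error discussed above: the FQDN that scxsslconfig wrote as the last CN of scx.pem (it takes the domain from the resolver, which the -v output above labels eEtcHosts), and the name that hostname -f returns, which SCOM then compares against the name the Discovery Wizard dialed. The emulation of hostname -f assumes the files resolver's rule that the canonical name is the first name on the first /etc/hosts line listing the host; that is my reading of the behaviour and it is exactly what the closing comment observed (server1.local came back until server1.mydomain.com was put first). The function names, the constructed hosts lines in the demo and the subject-line parser (which accepts both the old "/CN=" and the newer "CN = " openssl layout) are my own; the scx.pem path and subject strings are the ones shown in the thread.

```sh
#!/bin/sh
# Added example (not from the thread or from Microsoft's SCX tooling).
# Reproduces offline the two name checks behind the "CN does not match the
# hostname" error in this thread:
#   * cert_cn_from_subject : the FQDN CN that scxsslconfig put in scx.pem
#   * hosts_canonical_name : what `hostname -f` returns for the short hostname,
#                            emulating the files resolver: the FIRST name on the
#                            first /etc/hosts line that lists the host (assumption)
#   * scx_cn_matches       : case-insensitive comparison of the two
# Function names and the demo hosts lines are constructed for illustration.

# Pull the last CN= value out of an `openssl x509 -noout -subject` line.
# Handles both the legacy "/DC=COM/.../CN=x" and the newer "DC = COM, ..., CN = x"
# layouts. SCX writes the short name first and the FQDN last, so the last CN wins.
# Caveat: a CN containing '/' or ',' would be split; SCX does not emit one.
cert_cn_from_subject() {
    printf '%s\n' "$1" \
        | sed 's/^subject= *//' \
        | tr '/,' '\n\n' \
        | sed -n 's/^ *CN *= *//p' \
        | tail -n 1
}

# Read a hosts file on stdin and print the canonical name for short host $1:
# the second field (first name) of the first non-comment line on which any
# name equals $1, case-insensitively. Prints nothing if no line matches.
hosts_canonical_name() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            sub(/#.*/, "")                       # strip trailing comments
            if (NF < 2) next                     # blank or address-only line
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want) { print $2; exit }
        }'
}

# Exit 0 if the certificate CN equals the name SCOM dials (case-insensitive),
# 1 otherwise. An empty CN is always a mismatch.
scx_cn_matches() {
    cn=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    dial=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    [ -n "$cn" ] && [ "$cn" = "$dial" ]
}

# Constructed /etc/hosts contents from the thread: before and after the fix.
demo_before() {
    printf '192.168.1.100   server1.local server1\n' | hosts_canonical_name SERVER1
}
demo_after() {
    printf '192.168.1.100   server1.mydomain.com server1.local server1\n' \
        | hosts_canonical_name SERVER1
}

# Live check on a real SCX host (needs root-readable scx.pem and openssl).
# $1 = the name the SCOM Discovery Wizard dials, e.g. SERVER1.MYDOMAIN.COM
scx_live_check() {
    pem=/etc/opt/microsoft/scx/ssl/scx.pem
    cn=$(cert_cn_from_subject "$(openssl x509 -noout -in "$pem" -subject)")
    fqdn=$(hostname -f)
    canon=$(hosts_canonical_name "$(hostname)" < /etc/hosts)
    printf 'cert CN        : %s\nhostname -f    : %s\n/etc/hosts says: %s\nSCOM dials     : %s\n' \
        "$cn" "$fqdn" "$canon" "$1"
    scx_cn_matches "$cn" "$1" && scx_cn_matches "$cn" "$fqdn"
}

# Demo: the mismatch (server1.local) and the fix (server1.mydomain.com).
echo "before: $(demo_before)"
echo "after : $(demo_after)"
if scx_cn_matches SERVER1.MYDOMAIN.COM "$(demo_before)"; then echo "before: match"; else echo "before: CN mismatch"; fi
if scx_cn_matches SERVER1.MYDOMAIN.COM "$(demo_after)";  then echo "after : match";  else echo "after : CN mismatch";  fi
```

On a real agent host, source the file and run scx_live_check SERVER1.MYDOMAIN.COM as root after the scxsslconfig step; a non-zero exit reproduces the wizard's CN complaint before you run discovery. The script only checks names; it says nothing about the revocation and unknown-CA lines that appear in the same error.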