Summary

 

The FoxT Control Center (FCC) installation reports certificate failure messages, and users attempting to log in to FCC are presented with the error:


java.security.cert.CertificateException: no name matching found

 

Issue

 

This issue occurs when the hostname in the certificate is not the same as the hostname returned by the DNS resolver.

 

This situation can depend on a number of factors, including:

  • How "hosts" is configured in /etc/nsswitch.conf: hostname resolution behavior depends on this setting.
  • The /etc/hosts file: typically the FQDN should be listed before the non-qualified name for the host in this file. This is relevant if "files" comes before "dns" in /etc/nsswitch.conf.
  • The hostname: is it defined as the FQDN or as the non-qualified nodename?
  • The host certificate: host certificates are by default created (by BoKS Manager) with the hostname in the commonName (CN) attribute. This can easily be changed by using the mkhostvc.sh (custom) script.
  • The AdminServerURL parameter in $BCCPS_etc/bcc.properties (e.g. /etc/opt/bccps/bcc.properties): is the hostname in the URL specified as an FQDN or a plain nodename?
  • OS platform and release: different operating systems may behave slightly differently when it comes to address resolution.

 

Resolution / Workaround

 

To avoid errors of this kind, use the FQDN in certificates, for the AdminServerURL parameter in bcc.properties, and as the first name for the host in /etc/hosts.

Having the FQDN in the host certificate may be a requirement for the end-user's web browser to accept the certificate (once the CA issuer is known or accepted). However, that will only work if the resolver on the user's workstation returns the FQDN of the server in both forward and reverse lookups.
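
The consistency check described above can be scripted. The following is an added example, not part of the original article and not FoxT code: it compares the certificate CN (passed as an argument) with the first name in a hosts file and with the host in AdminServerURL. The `AdminServerURL=scheme://host[:port]/` line form, the host name boks01.example.com, the address and the port are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not FoxT code): compare the names that must agree with the
# host certificate CN. File arguments let it run on copies of the real files.

# True when "files" precedes "dns" on the hosts: line, so /etc/hosts is used first.
files_before_dns() {  # usage: files_before_dns NSSWITCH_FILE
    awk '$1 == "hosts:" { for (i = 2; i <= NF; i++) {
             if ($i == "files") { f = 1; exit }
             if ($i == "dns") exit } }
         END { exit !f }' "$1"
}

# First name on the hosts-file line that mentions NAME (comments stripped).
hosts_first_name() {  # usage: hosts_first_name HOSTS_FILE NAME
    awk -v n="$2" '{ sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $2; exit } }' "$1"
}

# Host part of AdminServerURL; assumed form AdminServerURL=scheme://host[:port]/...
url_host() {  # usage: url_host BCC_PROPERTIES
    sed -n 's/^[[:space:]]*AdminServerURL[[:space:]]*=[[:space:]]*//p' "$1" |
        head -n 1 | sed -e 's|^[A-Za-z]*://||' -e 's|[:/].*$||'
}

# Print each disagreement with the certificate CN; return 1 if any was found.
check_names() {  # usage: check_names CERT_CN NSSWITCH_FILE HOSTS_FILE BCC_PROPERTIES
    cn=$1; bad=0
    case "$cn" in *.*) ;; *) echo "CN '$cn' is not an FQDN"; bad=1 ;; esac
    if files_before_dns "$2"; then
        first=$(hosts_first_name "$3" "$cn")
        [ "$first" = "$cn" ] || { echo "hosts file lists '$first' first, CN is '$cn'"; bad=1; }
    fi
    uh=$(url_host "$4")
    [ "$uh" = "$cn" ] || { echo "AdminServerURL host '$uh' differs from CN '$cn'"; bad=1; }
    return $bad
}

# Constructed sample: short name first in hosts and in the URL, FQDN in the CN.
demo() {
    d=$(mktemp -d)
    printf 'hosts: files dns\n' > "$d/nsswitch.conf"
    printf '10.0.0.5 boks01 boks01.example.com  # constructed\n' > "$d/hosts"
    printf 'AdminServerURL=https://boks01:8443/\n' > "$d/bcc.properties"
    rc=0
    check_names boks01.example.com "$d/nsswitch.conf" "$d/hosts" "$d/bcc.properties" || rc=$?
    rm -rf "$d"; return $rc
}

if [ "$#" -eq 4 ]; then check_names "$@"; fi
```

The CN to pass as the first argument can be read from the host certificate with `openssl x509 -noout -subject -in <certificate file>`.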



Last Modified On: May 30, 2018