When attempting to add a certificate to OpsManager, configuration fails with a "hostname does not match" error when saving changes. This issue can occur in an OpenStack environment, which requires specifying the Authentication URL of the Keystone endpoint on OpenStack.
Error Message:
Identity ---- https://<IP address>:5000/v2.0 Please review the errors below hostname "<IP address>" does not match the server certificate All errors will be reverified before installation.
This can be caused by the certificate being signed with CN=FQDN while the endpoint uses the IP address.
This issue happens when Operations Manager gets an auth token from the identity endpoint. The endpoint used to check storage groups in OpenStack is discovered from the authentication endpoint, and if the discovered endpoint uses an IP address, it will not match the certificate, which uses the FQDN as the CN.
This can be fixed either by changing the endpoint or re-signing the certificate so that both are using the same format.
1. Confirm the hostnames (CN= field) used in the certificate by running the command
openssl x509 -in pcf-s3.crt -noout -text
2. Display certificate when connecting to the endpoint
openssl s_client -showcerts -connect <endpoint address>
3. Verify the settings for any endpoint configured in OpenStack Config in the Director Tile in Operations Manager. If the customer is using OpenStack, then verify the "Authentication URL" and whether it is using an IP address or FQDN. If the customer is using the S3 blobstore, then verify this endpoint as well.
4. Verify any endpoints configured on OpenStack (keystone, neutron, etc.) and whether they use an IP address or FQDN.
5. If a mismatch is found using the steps above, the easiest solution is to change the endpoints so that they match the hostname used in the certificate. For instance, if a certificate uses FQDN, then endpoints should also be configured as FQDN. If a certificate uses an IP address for the CN field, then the endpoint should also use an IP address.
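The comparison in steps 1 to 4 can be scripted. The following is an added example, not part of the original article or of Operations Manager: it walks the service catalog of a Keystone v2.0 token response and lists every discovered endpoint whose host is not covered by the names read from the certificate in step 1. The function names, the sample hosts and the sample catalog are constructed for illustration, and the name matching is a simplified version of what a TLS client does.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed Keystone v2.0 token response (assumed layout:
# access.serviceCatalog[].endpoints[].*URL). Hosts are documentation values.
SAMPLE_TOKEN_RESPONSE = json.loads("""
{"access": {"serviceCatalog": [
  {"type": "identity", "name": "keystone", "endpoints": [
    {"publicURL": "https://keystone.example.test:5000/v2.0"}]},
  {"type": "object-store", "name": "swift", "endpoints": [
    {"publicURL": "https://192.0.2.10:8080/v1/AUTH_demo",
     "internalURL": "https://swift.example.test:8080/v1/AUTH_demo"}]}
]}}
""")

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def name_matches(host, cert_name):
    """IPs must match exactly; '*' is accepted only as the whole left-most label."""
    host, cert_name = host.lower(), cert_name.lower()
    if is_ip(host) or is_ip(cert_name):
        return host == cert_name
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return host == cert_name

def find_mismatches(token_response, cert_names):
    """Return (service type, URL field, host) for every catalog URL whose host
    is not covered by the names read from the certificate."""
    mismatches = []
    for service in token_response["access"]["serviceCatalog"]:
        for endpoint in service.get("endpoints", []):
            for field, url in endpoint.items():
                if not field.endswith("URL"):
                    continue  # skip region, id and other non-URL fields
                host = urlsplit(url).hostname
                if not any(name_matches(host, n) for n in cert_names):
                    mismatches.append((service["type"], field, host))
    return mismatches

if __name__ == "__main__":
    for row in find_mismatches(SAMPLE_TOKEN_RESPONSE, ["*.example.test"]):
        print("%s %s: host %r is not in the certificate" % row)
```

With the constructed sample, the object-store publicURL is reported because it is registered by IP address while the certificate names only FQDNs, which is the situation described above.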