Portal services fail to start after SSL Certificates are imported

Article ID: 387733

Products

Network Observability CA Performance Management

Issue/Introduction

CA signed certificate with FQHN SAN configured and services not starting.

DX NetOps Portal web server services fail to start after importing CA Signed Certificates using SslConfig command.

DX NetOps Portal web server services fail to start after importing CA Signed Certificates using manual commands.

DX NetOps Portal web server caperfcenter_console console (PC) service fails to start after importing CA Signed Certificates using SslConfig command.

DX NetOps Portal web server caperfcenter_console console (PC) service fails to start after importing CA Signed Certificates using manual commands.

The following errors might be seen in the various service log files. 

From the Console PCService.log file we might see these errors.

WARN  | qtp1785216135-24         | 2025-02-04 15:14:57,770 | org.eclipse.jetty.server.HttpChannel                            
      | handleException /dm/rib/ org.eclipse.jetty.http.BadMessageException: 400: Invalid SNI

ERROR | pool-4-thread-2          | 2025-02-04 15:14:58,941 | com.ca.im.portal.api.services.datasource.DataSourcePoll          
      | Received WebServiceException from version check for data source EventManager@<shortHostName>.  CAUSE=javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching host found.. MESSAGE=Could not send Message..  Returning DS_COMM_SSL_HANDSHAKE_FAILURE result.

ERROR | pool-4-thread-2          | 2025-02-04 15:14:58,941 | com.ca.im.portal.dm.productsync.DataSourcePoller                
      | An error occurred during a sync request with Data source DS(2) EventManager@<shortHostName>: additional info: enum.datasourceerror.DS_COMM_SSL_HANDSHAKE_FAILURE.  The following stack trace shows the context of the sync request:
com.ca.im.portal.api.services.interfaces.datasource.DataSourceOp$Exception: enum.datasourceerror.DS_COMM_SSL_HANDSHAKE_FAILURE
...
ERROR | pool-4-thread-2          | 2025-02-04 15:14:58,945 | com.ca.im.portal.api.common.services.impl.rest.RestHelper        
      | Failed to send rest POST https://<shortHostName>:443/pc/center/webservice/events/createsyncevent?type=Synchronization&subtype=SyncFailure&severity=Critical&message=DATA_SOURCE_SYNC_FAILURE&p=currversion%3Dunknown&p=dsname%3DEventManager%40host
ERROR | pool-4-thread-2          | 2025-02-04 15:14:58,945 | com.ca.im.portal.dm.productsync.SyncPhaseExecutor                
      | Aborting sync phase for DataSource EventManager@host because an exception occurred: com.ca.im.portal.api.services.interfaces.datasource.DataSourceOp$Exception: enum.datasourceerror.DS_COMM_SSL_HANDSHAKE_FAILURE

From the Event Manager EMService.log file.

WARN  | AlarmService/SpectrumHeartbeatTask-0 | 2025-02-04 15:09:35,942 | com.ca.im.portal.api.services.datasource.DataSourceRSClientDAO  
      | Data Retrieval Failure Exception: jakarta.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://<shortHostName>:8482/dm/dst/: No subject alternative DNS name matching host found.
ERROR | AlarmService/SpectrumHeartbeatTask-0 | 2025-02-04 15:09:35,942 | com.ca.im.portal.api.services.datasource.DataSourceService      
      | Error: Initializing data source repository: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://<shortHostName>:8482/dm/dst/: No subject alternative DNS name matching host found.

Environment

All supported DX NetOps Portal releases

Cause

Configuration files are created based on the hostname command response from the OS during installation. If the OS returns the short name and the short name is not a valid SAN in the SSL certificate, this problem will be seen.

Resolution

To resolve this long term, ensure the following. Otherwise, any future run of the SslConfig command will trigger this problem again by resetting the properties files with the OS response to the hostname command.

  • The OS hostname is set with the FQHN
  • The SSL Cert contains all possible SAN names the server might be called with. Include FQHN and short names along with required vanity names.

To resolve the issue after the signed certificates have been imported, edit the properties files and set the FQHN wherever the short name is used.

See the KB article "The NetOps Portal caperfcenter_console service is using the incorrect name to reach out to the DM service" for complete steps.
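
A pre-check for the two long-term conditions listed under Resolution, as an added example that is not part of the original article or of DX NetOps: it tests whether a name the server is called by appears among the DNS entries of the certificate's subjectAltName. The sample openssl output, the host names and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. Names and sample data below are constructed.
# On a real host (OpenSSL 1.1.1 or later), feed host_in_san the output of:
#   openssl x509 -noout -ext subjectAltName -in <cert.pem>
# and test both `hostname` and `hostname -f`.

# Constructed sample: certificate issued for the FQHN and one vanity name only.
SAMPLE_SAN='X509v3 Subject Alternative Name: 
    DNS:portal01.example.com, DNS:netops.example.com, IP Address:192.0.2.10'

# Print one lower-cased DNS SAN per line from openssl text on stdin.
san_dns_names() {
    tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
        tr '[:upper:]' '[:lower:]'
}

# Return 0 if host name $1 is covered by a DNS SAN in openssl text $2.
# A wildcard counts only as the whole left-most label and spans one label.
host_in_san() {
    local host names san suffix label
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    [ -n "$host" ] || return 1
    names=$(printf '%s\n' "$2" | san_dns_names)
    while IFS= read -r san; do
        [ "$san" = "$host" ] && return 0
        case "$san" in
            '*.'*)
                suffix=${san#\*}        # "*.example.com" -> ".example.com"
                label=${host%%.*}       # left-most label of the host name
                [ -n "$label" ] && [ "$host" = "$label$suffix" ] && return 0
                ;;
        esac
    done <<EOF
$names
EOF
    return 1
}

# Demo on the constructed sample: the FQHN is covered, the short name is not,
# which is the condition behind "No subject alternative DNS name matching".
for name in portal01.example.com portal01; do
    if host_in_san "$name" "$SAMPLE_SAN"; then
        echo "OK       $name"
    else
        echo "MISSING  $name"
    fi
done
```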