Why does Plastic SCM keep asking if I trust the re

Posted 2019-05-24 10:08

I started getting the following prompt each time I run a command like cm status:

cs:630@rep:MyServer@repserver:ssl://<obfuscated>:8088

WARNING: the secure connection hostname provided in the server 
certificate doesn't match the server's hostname. This means that the 
certificate was not issued to this hostname or that there is a network 
configuration problem with this host.

- Certificate hostname: CN=ip-<obfuscated>
- Server hostname: CN=<obfuscated>

If you want to continue connecting to this host, choose 'Yes'. The certificate 
  validation will continue (not recommended).
If you want to abandon the connection, choose 'No' (recommended).

Choose an option (Y)es, (N)o (hitting Enter selects 'No'): Yes

The server you are connecting to has sent a certificate that is not in the 
store. This is normal if it is the first time that you connect to this server.

Certificate details: 
- Issued to: CN=ip-<obfuscated>
- Issued by: CN=ip-<obfuscated>
- Expiration date: 6/30/2023 6:15:40 AM
- Certificate hash: <obfuscated>

If you trust this host, choose 'Yes' to add the key to Plastic SCM's key store 
  (recommended if it is the first time you connect to this server).
If you want to carry on connecting just once, without adding the key to the 
  store, choose 'No'.

If you do not trust this host, choose 'Cancel' to abandon the connection.

Choose an option (Y)es, (N)o, (C)ancel (hitting Enter cancels): Yes

As you can see, it asks twice and I say yes twice each time. Same for the GUI. It appears that the trust relationship is not being remembered. Not sure what to check.

Possible Solution #1: Provide a server certificate that matches the server's hostname.

1 answer
时光不老,我们不散
#2 · 2019-05-24 10:55

That happens when you are using a URL with the short name of the server ('myserver'),
while the certificate has been issued for the FQN (fully qualified name, like 'myserver.fr.com').

Or vice-versa.

That is why, when I create a (self-signed) certificate, I always mention the complete subjectAltName, with short name and the FQN, as in this openssl config file:

[ v3_ca ]
subjectAltName = DNS:@FQN@, DNS:@HOSTNAME@

That way, your certificate can match multiple hostnames.

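The short-name versus FQN mismatch described in the answer can be reproduced and checked with OpenSSL's own hostname check. This is an added example, not part of the original answer; the names `myserver` and `myserver.example.com` and the helpers `make_cert`, `host_matches` and `demo` are constructed for illustration.

```shell
# Added example. SHORT, FQDN and the helper functions are constructed placeholders.
SHORT=myserver
FQDN=myserver.example.com

# make_cert <out.pem> [subjectAltName value]
# Writes a self-signed certificate with CN=$FQDN; the SAN line is added only
# when a second argument is given, mirroring the [ v3_ca ] section above.
make_cert() {
  mc_cfg=$(mktemp)
  {
    printf '[ req ]\ndistinguished_name = dn\n'
    printf 'x509_extensions = v3_ca\nprompt = no\n'
    printf '[ dn ]\nCN = %s\n' "$FQDN"
    printf '[ v3_ca ]\nsubjectKeyIdentifier = hash\n'
    if [ -n "${2:-}" ]; then printf 'subjectAltName = %s\n' "$2"; fi
  } > "$mc_cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -config "$mc_cfg" -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
  mc_rc=$?
  rm -f "$mc_cfg"
  return "$mc_rc"
}

# host_matches <cert.pem> <hostname>
# Succeeds only when OpenSSL's hostname check accepts the name for this cert.
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" |
    grep -q 'does match certificate'
}

# Print the match matrix for a CN-only cert and a cert carrying both names.
demo() {
  d=$(mktemp -d)
  make_cert "$d/cn_only.pem"
  make_cert "$d/san.pem" "DNS:$FQDN, DNS:$SHORT"
  for cert in cn_only san; do
    for name in "$FQDN" "$SHORT"; do
      if host_matches "$d/$cert.pem" "$name"; then r=match; else r=MISMATCH; fi
      printf '%-8s %-22s %s\n' "$cert" "$name" "$r"
    done
  done
  rm -rf "$d"
}
demo
```

Only the CN-only certificate checked against the short name reports a mismatch; the certificate with both names in subjectAltName matches either form of the URL.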