XO configured with hostname, but getting 'Hostname/IP does not match certificate's altnames'
-
I have my own internal Root CA from which I created an Intermediate CA. I use the Intermediate CA to create server and end user certificates as well as sign CSRs.
My master host is xcp-ng-1.mylocaldomain.local (stand-in domain name for this post) and its IP address is 10.0.10.11, and my other host is xcp-ng-2.mylocaldomain.local with IP address 10.0.10.12. Each host certificate has a subjectAltName corresponding to its respective FQDN, e.g. DNS:xcp-ng-1.mylocaldomain.local and DNS:xcp-ng-2.mylocaldomain.local.
I have verified that my XO host is receiving the correct IP addresses when I perform nslookup for xcp-ng-1 and xcp-ng-2 with or without the FQDN, which tells me that my DNS server is configured correctly.
Previously, I successfully replaced the default certificates for XAPI communication with certificates that were created using my internal CA, and configured the XO host to trust my internal Root CA by following the steps documented here: (https://xen-orchestra.com/docs/configuration.html#https). XO was able to connect to xcp-ng-1.mylocaldomain.local without enabling "Unauthorized Certificates" and all was well.
Today, I decided to update my XO (community edition built using https://github.com/ronivay/XenOrchestraInstallerUpdater). Because that update procedure replaces /etc/systemd/system/xo-server.service, I again followed the steps to tell XO to use the openssl CAs. XO is configured only to connect using the hostname xcp-ng-1.mylocaldomain.local, but when I attempt to connect to my master host, I am getting the following error:
Hostname/IP does not match certificate's altnames: IP: 10.0.10.12 is not in the cert's list:
As I noted earlier, 10.0.10.12 is the IP address of xcp-ng-2, rather than that of xcp-ng-1. I have confirmed that running nslookup xcp-ng-1.mylocaldomain.local from the XO host returns 10.0.10.11 as expected, and running the same command for xcp-ng-2.mylocaldomain.local returns 10.0.10.12 as expected. So why does XO seem to be trying to connect to the IP address of a host that it isn't configured for? I did previously have both xcp-ng-1 and xcp-ng-2 listed as servers because I had issues connecting after designating a new master to perform maintenance, but in an effort to simplify configuration to troubleshoot this issue, XO is now only configured to connect to xcp-ng-1.mylocaldomain.local.
It appears there is a discrepancy between what I have configured on the Settings > Servers page and what XO is using to connect.
Now, to test this theory, I'm wondering where XO stores its local configuration, such as which hosts it should connect to.
Does anyone know the file location for this?
--EDIT: a quick check of the documentation shows the file is located here: /etc/xo-server/config.toml ... However, the installer I'm using happens to store the config file here by default: /root/.config/xo-server/config.toml. Regardless, this is not where the server configuration is stored. I'm guessing that information is stored in Redis? I'm not sure what to troubleshoot, or whether there is a way to force an update of the server config. Can anyone provide some advice or insight?
-
Well, apparently I had made xcp-ng-2 the master. When I ran xe pool-param-get uuid=... I saw that xcp-ng-2 was made the pool master. Problem solved!
-
Ah, that makes sense now. Thanks for the feedback, sorry for the lack of answer, I didn't spot the problem myself after a first read!