为什么Plastic SCM不断询问我是否信任复制服务器的证书? [英] Why does Plastic SCM keep asking if I trust the replication server's certificate?

问题描述

每次我运行cm status之类的命令时，我都会收到以下提示:

I started getting the following prompt each time I run a command like cm status:

cs:630@rep:MyServer@repserver:ssl://<obfuscated>:8088

WARNING: the secure connection hostname provided in the server 
certificate doesn't match the server's hostname. This means that the 
certificate was not issued to this hostname or that there is a network 
configuration problem with this host.

- Certificate hostname: CN=ip-<obfuscated>
- Server hostname: CN=<obfuscated>

If you want to continue connecting to this host, choose 'Yes'. The certificate 
  validation will continue (not recommended).
If you want to abandon the connection, choose 'No' (recommended).

Choose an option (Y)es, (N)o (hitting Enter selects 'No'): Yes

The server you are connecting to has sent a certificate that is not in the 
store. This is normal if it is the first time that you connect to this server.

Certificate details: 
- Issued to: CN=ip-<obfuscated>
- Issued by: CN=ip-<obfuscated>
- Expiration date: 6/30/2023 6:15:40 AM
- Certificate hash: <obfuscated>

If you trust this host, choose 'Yes' to add the key to Plastic SCM's key store 
  (recommended if it is the first time you connect to this server).
If you want to carry on connecting just once, without adding the key to the 
  store, choose 'No'.

If you do not trust this host, choose 'Cancel' to abandon the connection.

Choose an option (Y)es, (N)o, (C)ancel (hitting Enter cancels): Yes

如您所见，它询问两次，每次询问两次.与GUI相同.似乎没有记住信任关系.不确定要检查什么.

As you can see, it asks twice and I say yes twice each time. Same for the GUI. It appears that the trust relationship is not being remembered. Not sure what to check.

可能的解决方案#1:提供与服务器主机名匹配的服务器证书.

Possible Solution #1: Provide a server certificate that matches the server's hostname.

推荐答案

当您使用带有服务器短名称('myserver')的url时，会发生这种情况，
已为fqn(完全限定的名称，如"myserver.fr.com")颁发了证书.

That happens when you are using an url with the short name of the server ('myserver'),
while the certificate has been issued for the fqn (fully qualified name, like 'myserver.fr.com').

反之亦然.

这就是为什么当我创建(自签名)证书时，我总是提到完整的subjectAltName，其中包含短名称和FQN，例如

That is why, when I create a (self-signed) certificate, I always mention the complete subjectAltName, with short name and the FQN, as in this openssl config file:

[ v3_ca ]
subjectAltName = DNS:@FQN@, DNS:@HOSTNAME@

这样，您的证书可以匹配多个主机名.

That way, your certificate can match multiple hostnames.

这篇关于为什么Plastic SCM不断询问我是否信任复制服务器的证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！