Registering system with SUSEConnect against SCC is failing with "subjectAltName does not match scc.suse.com"
This document (000020686) is provided subject to the disclaimer at the end of this document.
Environment
Situation
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=<country>; ST=<state>; L=<locality>; O=<organization>; OU=<organizational_unit>; CN=<*.some.non.suse.company.domain>
* start date: <date_and_time>
* expire date: <date_and_time>
* subjectAltName does not match scc.suse.com
* SSL: no alternative certificate subject name matches target host name 'scc.suse.com'
The output of "curl -v https://scc.suse.com" contains the same messages.
Furthermore, the certificate reported with "subjectAltName does not match scc.suse.com" is not found anywhere in the verification chain.
Resolution
Find out how, in the local environment, to exempt the specific SLES system that is to be registered (or the destinations scc.suse.com and updates.suse.com) from the SSL/TLS inspection done by the local infrastructure.
Cause
Most probably, something (for example a proxy or a security solution) in the local infrastructure is doing SSL/TLS inspection, i.e. tampering with the HTTPS connection to scc.suse.com (and updates.suse.com).
It is possibly replacing the correct SUSE certificate and/or putting a non-SUSE certificate into the verification chain.
Additional Information
On a system without this issue, "curl -v https://scc.suse.com" should show a SUSE certificate identical or similar to:
* subject: CN=*.suse.com
* start date: Jun 9 00:00:00 2022 GMT
* expire date: Jul 8 23:59:59 2023 GMT
* subjectAltName: host "scc.suse.com" matched cert's "*.suse.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
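The difference between the failing output under Situation and the correct output above can be checked mechanically. The following shell functions are an added example, not part of the original SUSE document; the function names, the EXPECTED_HOST variable and the sample subject of the affected system are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the certificate section of `curl -v` output.
# EXPECTED_HOST and all function names are assumptions made for this example.
EXPECTED_HOST="scc.suse.com"

# Print the value of the first "*  <field>: <value>" line in the text $1.
cert_field() {
    printf '%s\n' "$1" | sed -n "s/^\*[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# Read `curl -v` output on stdin and print a verdict plus the certificate seen.
# Returns 0 = name matched and verified, 1 = name mismatch, 2 = undetermined.
check_scc_tls() {
    out=$(cat)
    subject=$(cert_field "$out" subject)
    issuer=$(cert_field "$out" issuer)
    seen="subject=[${subject:-not shown}] issuer=[${issuer:-not shown}]"
    if printf '%s\n' "$out" | grep -qF "subjectAltName does not match $EXPECTED_HOST"; then
        echo "MISMATCH $seen"   # a certificate for another name was presented
        return 1
    fi
    if printf '%s\n' "$out" | grep -qF "subjectAltName: host \"$EXPECTED_HOST\" matched" &&
       printf '%s\n' "$out" | grep -qF "SSL certificate verify ok"; then
        echo "OK $seen"         # still compare the issuer with the expected chain
        return 0
    fi
    echo "UNDETERMINED $seen"
    return 2
}

# Constructed sample: affected system; the subject is a made-up placeholder.
sample_inspected() {
cat <<'EOF'
* Server certificate:
*  subject: O=Example Corp; CN=*.inspection.example.invalid
*  subjectAltName does not match scc.suse.com
* SSL: no alternative certificate subject name matches target host name 'scc.suse.com'
EOF
}

# Constructed sample: unaffected system, using the values quoted in this document.
sample_ok() {
cat <<'EOF'
*  subject: CN=*.suse.com
*  subjectAltName: host "scc.suse.com" matched cert's "*.suse.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
EOF
}
```

After sourcing the functions, live output can be checked with: curl -v https://scc.suse.com 2>&1 | check_scc_tls (curl writes the verbose lines to stderr, hence the redirection).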
As of 4 July 2022, these are the correct certificates in the verification chain:
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.suse.com
verify return:1
Certificate chain
0 s:CN = *.suse.com
i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
i:C = US, O = Amazon, CN = Amazon Root CA 1
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
subject=CN = *.suse.com
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
The command
would work correctly (show a reliable output) only on a system that does not have the "SUSEConnect-to-SCC registration" ("subjectAltName does not match scc.suse.com") issue.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000020686
- Creation Date: 29-Jun-2022
- Modified Date: 19-Nov-2024
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications