SUSE Support

Registering system with SUSEConnect against SCC is failing with "subjectAltName does not match scc.suse.com"

This document (000020686) is provided subject to the disclaimer at the end of this document.

Environment

All versions of SUSE Linux Enterprise

Situation

While running the "SUSEConnect" command to register a SLES system against the SCC (SUSE Customer Center), registration fails and the following is seen in its output:
 
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=<country>; ST=<state>; L=<locality>; O=<organization>; OU=<organizational_unit>; CN=<*.some.non.suse.company.domain>
*  start date: <date_and_time>
*  expire date: <date_and_time>
*  subjectAltName does not match scc.suse.com
* SSL: no alternative certificate subject name matches target host name 'scc.suse.com'

The output of "curl -v https://scc.suse.com" contains the same messages.

Furthermore, the certificate that triggers the "subjectAltName does not match scc.suse.com" message can be found nowhere in the verification chain.

Resolution

Check how, in the local environment, the specific SLES system to be registered (or, alternatively, the destinations scc.suse.com and updates.suse.com) can be exempted from the SSL/TLS inspection done by the local infrastructure.

Cause

Most probably, something in the local infrastructure (for example a proxy or a security solution) is doing SSL/TLS inspection, i.e. tampering with the HTTPS connection to scc.suse.com (and updates.suse.com).

It is possibly replacing the correct SUSE certificate and/or putting a non-SUSE certificate into the verification chain.

Additional Information

When the connection works correctly, "curl -v https://scc.suse.com" should show a SUSE certificate identical or similar to:
 

* Server certificate:
*  subject: CN=*.suse.com
*  start date: Jun  9 00:00:00 2022 GMT
*  expire date: Jul  8 23:59:59 2023 GMT
*  subjectAltName: host "scc.suse.com" matched cert's "*.suse.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.


As of 4 July 2022, these are the correct certificates in the verification chain:
 

# openssl s_client -showcerts -connect scc.suse.com:443 <<< "" | grep -e 'depth' -e 'verify return' -e 'CN = ' -e 'OU = ' -e 'Certificate chain'
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = *.suse.com
verify return:1
Certificate chain
 0 s:CN = *.suse.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
 1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   i:C = US, O = Amazon, CN = Amazon Root CA 1
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
subject=CN = *.suse.com
issuer=C = US, O = Amazon, OU = Server CA 1B, CN = Amazon


The command
 

openssl s_client -showcerts -connect scc.suse.com:443 <<< "" | grep -e 'depth' -e 'verify return' -e 'CN = ' -e 'OU = ' -e 'Certificate chain'


works correctly (shows reliable output) only on a system that is not affected by the "SUSEConnect-to-SCC registration" ("subjectAltName does not match scc.suse.com") issue.
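
The check described above can be scripted. The following is an added example, not SUSE code: it triages "curl -v" output into the mismatch case from this document, a clean connection, and a connection that verifies but is signed by an unexpected issuer (an inspection CA that is trusted locally also passes verification). The function name, verdict strings and sample logs are constructed for illustration; the expected issuer string 'O=Amazon' is taken from the chain shown above as of 4 July 2022 and must be adjusted when SUSE's issuer changes.

```shell
# Added example: triage `curl -v` output for a registration host.
# Live use: curl -v https://scc.suse.com 2>&1 | triage_curl_log scc.suse.com 'O=Amazon'
# Prints one verdict line; returns 0 only for OK.
triage_curl_log() {
    host=$1 want_issuer=$2
    log=$(cat)
    # Subject CN and issuer of the certificate the peer actually presented.
    cn=$(printf '%s\n' "$log" | sed -n 's/^\* *subject:.*CN=\([^;]*\).*/\1/p' | head -n 1)
    issuer=$(printf '%s\n' "$log" | sed -n 's/^\* *issuer: *//p' | head -n 1)
    if printf '%s\n' "$log" | grep -qF "subjectAltName does not match $host"; then
        # The failure from this document: certificate issued for another name.
        echo "MISMATCH host=$host presented_cn=${cn:-unknown}"
        return 1
    fi
    if ! printf '%s\n' "$log" | grep -qF "SSL certificate verify ok."; then
        echo "UNVERIFIED host=$host"
        return 2
    fi
    # Verification passed. A locally trusted inspection CA passes too, so the
    # issuer is compared with the one the operator expects (assumption: caller
    # supplies a substring of the legitimate issuer).
    case $issuer in
        *"$want_issuer"*) echo "OK host=$host issuer=$issuer"; return 0 ;;
        *) echo "UNEXPECTED_ISSUER host=$host issuer=${issuer:-unknown}"; return 3 ;;
    esac
}

# Constructed sample logs, shaped like the curl output quoted in this document.
sample_intercepted() { cat <<'EOF'
*  subject: C=XX; O=Example Corp; CN=*.proxy.example.internal
*  subjectAltName does not match scc.suse.com
* SSL: no alternative certificate subject name matches target host name 'scc.suse.com'
EOF
}
sample_clean() { cat <<'EOF'
*  subject: CN=*.suse.com
*  subjectAltName: host "scc.suse.com" matched cert's "*.suse.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
EOF
}
sample_reissued() { cat <<'EOF'
*  subject: CN=scc.suse.com
*  subjectAltName: host "scc.suse.com" matched cert's "scc.suse.com"
*  issuer: O=Example Corp; CN=Example Inspection CA
*  SSL certificate verify ok.
EOF
}
for s in sample_intercepted sample_clean sample_reissued; do
    $s | triage_curl_log scc.suse.com 'O=Amazon' || true
done
```

The same function can be run for updates.suse.com, the other destination named in the Resolution.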

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000020686
  • Creation Date: 29-Jun-2022
  • Modified Date: 19-Nov-2024
    • SUSE Linux Enterprise Server
    • SUSE Linux Enterprise Server for SAP Applications
