Why does Plastic SCM keep asking if I trust the replication server's certificate?

Submitted by 孤街浪徒 on 2019-12-08 03:02:29

Question


I started getting the following prompt each time I run a command like cm status:

cs:630@rep:MyServer@repserver:ssl://<obfuscated>:8088

WARNING: the secure connection hostname provided in the server 
certificate doesn't match the server's hostname. This means that the 
certificate was not issued to this hostname or that there is a network 
configuration problem with this host.

- Certificate hostname: CN=ip-<obfuscated>
- Server hostname: CN=<obfuscated>

If you want to continue connecting to this host, choose 'Yes'. The certificate 
  validation will continue (not recommended).
If you want to abandon the connection, choose 'No' (recommended).

Choose an option (Y)es, (N)o (hitting Enter selects 'No'): Yes

The server you are connecting to has sent a certificate that is not in the 
store. This is normal if it is the first time that you connect to this server.

Certificate details: 
- Issued to: CN=ip-<obfuscated>
- Issued by: CN=ip-<obfuscated>
- Expiration date: 6/30/2023 6:15:40 AM
- Certificate hash: <obfuscated>

If you trust this host, choose 'Yes' to add the key to Plastic SCM's key store 
  (recommended if it is the first time you connect to this server).
If you want to carry on connecting just once, without adding the key to the 
  store, choose 'No'.

If you do not trust this host, choose 'Cancel' to abandon the connection.

Choose an option (Y)es, (N)o, (C)ancel (hitting Enter cancels): Yes

As you can see, it asks twice and I say yes twice each time. Same for the GUI. It appears that the trust relationship is not being remembered. Not sure what to check.

Possible Solution #1: Provide a server certificate that matches the server's hostname.


Answer 1:


That happens when you are using a URL with the short name of the server ('myserver'),
while the certificate has been issued for the fqn (fully qualified name, like 'myserver.fr.com').

Or vice-versa.

That is why, when I create a (self-signed) certificate, I always mention the complete subjectAltName, with short name and the FQN, as in this openssl config file:

[ v3_ca ]
subjectAltName = DNS:@FQN@, DNS:@HOSTNAME@

That way, your certificate can match multiple hostnames.
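
An added example, not part of the original answer: it builds one self-signed certificate with only a CN (as in the question) and one whose `[ v3_ca ]` section lists both names, then uses `openssl x509 -checkhost` to show which client-side names would trigger the hostname warning. The host names (`ip-10-0-0-1`, `myserver`, `myserver.example.com`) and the helper names `make_cert` and `host_matches` are constructed placeholders.

```shell
#!/bin/sh
# Added example; all host names below are constructed placeholders.
set -eu

# make_cert <prefix> <cn> [san]: write a throwaway self-signed <prefix>.crt/.key.
# When <san> is given it becomes the subjectAltName of the [ v3_ca ] section.
make_cert() {
  {
    printf '[ req ]\ndistinguished_name = dn\nprompt = no\n'
    [ -z "${3:-}" ] || printf 'x509_extensions = v3_ca\n'
    printf '[ dn ]\nCN = %s\n' "$2"
    [ -z "${3:-}" ] || printf '[ v3_ca ]\nsubjectAltName = %s\n' "$3"
  } > "$1.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$1.cnf" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# host_matches <cert> <name>: succeed only if <name> is covered by the
# certificate (the same comparison behind the first warning in the question).
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

dir=$(mktemp -d)
trap 'rm -rf "$dir"' EXIT

# Certificate like the one in the question: a CN only, no subjectAltName.
make_cert "$dir/cn-only" ip-10-0-0-1
# Certificate as the answer suggests: FQDN and short name both listed.
make_cert "$dir/with-san" myserver.example.com \
  'DNS:myserver.example.com, DNS:myserver'

# Check every name a client might put in its ssl:// server spec.
for crt in cn-only with-san; do
  for name in ip-10-0-0-1 myserver myserver.example.com; do
    if host_matches "$dir/$crt.crt" "$name"; then r=match; else r=MISMATCH; fi
    printf '%-9s %-22s %s\n' "$crt" "$name" "$r"
  done
done
```

Running `host_matches` against the server's real certificate with the exact name from the client's server spec tells you before deployment whether the mismatch warning will appear.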



Source: https://stackoverflow.com/questions/19283902/why-does-plastic-scm-keep-asking-if-i-trust-the-replication-servers-certificate
