[ https://issues.apache.org/jira/browse/MESOS-4665?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15145306#comment-15145306 ]
Vinod Kone commented on MESOS-4665: ----------------------------------- Any comments here [~kaysoky] [~jvanremoortere] ? > Reverse DNS for cert validation ? > --------------------------------- > > Key: MESOS-4665 > URL: https://issues.apache.org/jira/browse/MESOS-4665 > Project: Mesos > Issue Type: Bug > Affects Versions: 0.26.0 > Reporter: pawan > > I have three mesos master nodes configured to use SSL and with cert > validation enabled. All the machines are failing cert-validation and hence > the peering with the following error: > ---------------------------- > I0212 14:02:22.019564 20544 network.hpp:463] ZooKeeper group PIDs: { > log-replica(1)@192.168.1.16:5050, log-replica(1)@192.168.1.27:5050, > log-replica(1)@192.168.1.30:5050 } > I0212 14:02:22.037328 20545 libevent_ssl_socket.cpp:973] Failed accept, > verification error: Presented Certificate Name: mesos01.p.qa.a.com does not > match peer hostname name: 192.168.1.16 > I0212 14:02:22.041191 20545 libevent_ssl_socket.cpp:973] Failed accept, > verification error: Presented Certificate Name: mesos02.p.qa.a.com does not > match peer hostname name: 192.168.1.27 > I0212 14:02:22.061522 20545 libevent_ssl_socket.cpp:973] Failed accept, > verification error: Presented Certificate Name: mesos01.p.qa.a.com does not > match peer hostname name: 192.168.1.16 > I0212 14:02:22.065572 20545 libevent_ssl_socket.cpp:373] Failed connect, > verification error: Presented Certificate Name: mesos01.p.qa.a.com does not > match peer hostname name: 192.168.1.16 > I0212 14:02:22.065839 20545 process.cpp:1281] Failed to link, connect: > Presented Certificate Name: mesos01.p.qa.a.com does not match peer hostname > name: 192.168.1.16 > E0212 14:02:22.065994 20545 process.cpp:1911] Failed to shutdown socket with > fd 27: Transport endpoint is not connected > I0212 14:02:22.068665 20545 libevent_ssl_socket.cpp:373] Failed connect, > verification error: Presented Certificate Name: mesos02.p.qa.a.com does not > match peer hostname name: 192.168.1.27 > I0212 14:02:22.068761 20545 process.cpp:1281] Failed to link, connect: > Presented Certificate Name: mesos02.p.qa.a.com does not match peer hostname > name: 192.168.1.27 > E0212 14:02:22.068830 20545 process.cpp:1911] Failed to shutdown socket with > fd 28: Transport endpoint is not connected > ---------------------------------- > From my understanding and looking at the source, during cert validation, > mesos uses getnameinfo call to get the hostname of the connecting peer using > the IP address on the socket connection. And this call would return the IP as > a string which is resulting in failures as our cert has a CN of only the peer > hostname. But, everything worked when I added host-ip mappings of all peers > to /etc/hosts on each host. > Does mesos inherently expect reverse DNS (PTR records) to be provisioned ? If > so, this is very challenging and unrealistic expectation. Even worse if you > are deploying mesos in a firewalled/NAT-ed environment. > Is my understanding right ? Am I missing anything here ? How would you > recommend me to proceed ? > Also, I use --hostname to set hostname of all mesos nodes and see the right > [ip, hostname] info in zookeeper node. Looks like mesos is not using it > during cert validation. -- This message was sent by Atlassian JIRA (v6.3.4#6332)