I've just added a second management server to my setup, but I'm getting an SSL handshake error when the mgmt servers try to talk to each other on port 8250. My reading of the error suggests that the certificate has the IP of the mgmt server as an Alternative Name - the problem here is that we changed the IP of the old server at some point, but the old IP is not listed in Alternative Names.
Where is the certificate for the services on port 8250 stored, and how would I trigger this to be replaced?

2019-08-29 13:40:07,581 ERROR [c.c.u.n.Link] (AgentManager-SSLHandshakeHandler-1:null) (logid:) SSL error caught during wrap data: General SSLEngine problem, for local address=/10.221.50.10:8250, remote address=/10.225.1.2:58780.
2019-08-29 13:40:07,719 DEBUG [o.a.c.c.p.RootCACustomTrustManager] (pool-9-thread-1:null) (logid:) A client/agent attempting connection from address=10.225.1.2 has presented these certificate(s):
Certificate [1] :
Serial: 8fda4eed1f012bb4
Not Before:Tue Aug 27 23:28:14 BST 2019
Not After:Fri Aug 20 11:28:14 BST 2049
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:CN=CS-TESTLAB-01.xxxxx
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:[[7, XX.XX.XX.XX], [7, fe80:0:0:0:215:5dff:fe01:b14], [2, CS-TESTLAB-01.xxxxx]]
Certificate [2] :
Serial: 4207227d2e1d5475
Not Before:Mon Feb 04 23:19:42 GMT 2019
Not After:Thu Jan 28 11:19:42 GMT 2049
Signature Algorithm:SHA256withRSA
Version:3
Subject DN:CN=ca.cloudstack.apache.org
Issuer DN:CN=ca.cloudstack.apache.org
Alternative Names:null

The old IP listed in Alternative Names is no longer valid, so I suspect I need to get this certificate regenerated.

Regards,
Richard
