In our Cassandra cluster there is one - the same cert for each node - so for all Cassandra nodes it is one cert with CN: dma-cassandra.comp.local
And I got NoHostAvailableException when I enable TLS communication <TLSEnabled>true</TLSEnabled>
2023/02/01 13:18:57.410|SLDBConnection|CassandraConnection::Connect|ERR|0|1|Cassandra.NoHostAvailableException: All hosts tried for query failed (tried 10.44.222.171:9042: AuthenticationException 'The remote certificate is invalid according to the validation procedure.'; 10.44.222.172:9042: AuthenticationException 'The remote certificate is invalid according to the validation procedure.'; ...), see Errors property for more info
Can I use one cert with one CN for all DB nodes, or must each Cassandra node have a separate cert, and must its CN always match the machine's hostname?
Could you please give me a hint regarding this?
====07.02.2023===== I added Wireshark screenshot
Hi,
I would recommend doing a Wireshark capture between the DMA and the Cassandra nodes. From there you will see the certificate that the Cassandra node(s) are sending to DataMiner. Depending on what is configured in your certificate (e.g. alternative names etc.) your certificate will be valid or not. What is used by DataMiner (hostname or IP) should match what is in the certificate.
[EDIT] Example:
Hi Piotr,
I uploaded an example capture where you can see the certificates from the capture. This might help you to identify if the right certificates are used and what is in there.
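The name-matching point in the answer above, as an added example that is not part of the thread and is not DataMiner or Cassandra driver code. It assumes a strict RFC 6125-style rule (an IP contact point needs an IP SAN entry; the CN is consulted only when no DNS SAN exists), uses the dict layout of Python's `ssl.SSLSocket.getpeercert()`, and checks names only, not chain trust; the two certificates are constructed samples.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_matches(cert, contact_point):
    """Return True if the certificate is valid for the name or IP the client dials."""
    sans = cert.get("subjectAltName", ())
    if _is_ip(contact_point):
        # Assumption (strict rule): an IP contact point needs an iPAddress SAN entry.
        target = ipaddress.ip_address(contact_point)
        return any(kind == "IP Address" and ipaddress.ip_address(value) == target
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if not dns_names:
        # Assumption (legacy fallback): with no DNS SAN, compare against the subject CN.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_dns_match(name, contact_point) for name in dns_names)

# Constructed sample: one shared certificate carrying only a CN.
CN_ONLY = {"subject": ((("commonName", "dma-cassandra.comp.local"),),)}
# Constructed sample: the same shared certificate with SANs for every contact point.
SHARED_WITH_SANS = {
    "subject": ((("commonName", "dma-cassandra.comp.local"),),),
    "subjectAltName": (("DNS", "dma-cassandra.comp.local"),
                       ("IP Address", "10.44.222.171"),
                       ("IP Address", "10.44.222.172")),
}

def report(cert, contact_points):
    return {cp: cert_matches(cert, cp) for cp in contact_points}

if __name__ == "__main__":
    points = ["10.44.222.171", "10.44.222.172", "dma-cassandra.comp.local"]
    print("CN only:  ", report(CN_ONLY, points))
    print("with SANs:", report(SHARED_WITH_SANS, points))
```

Real TLS clients differ in how lenient their matching is, so compare the result with the certificate fields visible in the capture.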
Hi Michiel,
thx
At the end of the handshake I got a reset
Client -> Server [Client Hello]
Client <- Server [Server Hello]
Client -> Server [ClientKeyExchange][ChangeCipherSpec]
Client <- Server [ChangeCipherSpec][Encrypted Handshake Message]
Client <- Server [RST, ACK]
I also tried to enable debug info on Cassandra
cassandra-env.sh
JVM_OPTS="$JVM_OPTS -Djavax.net.debug=ssl"