SSL certificate doesn't match

DSE troubleshooting for the "SSL certificate doesn't match" error.

The Common Name (CN) that is used to generate the SSL certificate must match the DNS resolvable host name. Mismatches between the CN and node hostname cause an exception and the connection is refused. With dsetool and other tools that issue commands to the cluster, error messages indicate that the environment is not configured correctly. For example:
dsetool -h 10.236.136.55 reload_core keyspace_name.table_name deleteAll=true reindex=true distributed=false
...
javax.net.ssl.SSLException: Certificate for <node35.foo.com> doesn't match any of the subject alternative names: clustercert.foo.com
...

This message shows that 10.236.136.55 resolves to node35.foo.com, and that node35.foo.com, when asked for its certificate, presents a generic certificate issued with a CN of clustercert.foo.com. For security reasons, SSL verifies that node35.foo.com and clustercert.foo.com match. If they don't match, a certificate mismatch error occurs. Do not use a generic certificate across multiple nodes, because each node has a different name that won't match. Do not copy a certificate that is issued to node35.foo.com over to another node.

Nodes must be configured with correct names that match the certificate CN. You can use a wildcard in named certificates, like * in CN=*.foo.com, or any other matching mechanism allowed by SSL standards. All other configurations where names mismatch result in an error.
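
The name check described above, as an added example (not DSE code, and a simplified version of the matching a TLS client performs). It assumes certificates are given as dictionaries in the format returned by Python's ssl getpeercert(); node36, node37 and node38.rack2 are hypothetical hosts, and all certificate data is constructed.

```python
def names_from_peercert(cert):
    """Return the DNS names a client checks, from a getpeercert()-style dict.
    subjectAltName DNS entries win; the CN is a fallback only when none exist."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(hostname, pattern):
    """Case-insensitive comparison. '*' is accepted only as the whole leftmost
    label and stands for exactly one label (*.foo.com does not cover a.b.foo.com)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and bool(host[0]) and host[1:] == pat[1:]
    return host == pat


def audit(cluster):
    """cluster maps each node's DNS-resolvable host name to its certificate.
    Returns {hostname: names_in_cert} for every node a strict client refuses."""
    bad = {}
    for hostname, cert in cluster.items():
        names = names_from_peercert(cert)
        if not any(name_matches(hostname, n) for n in names):
            bad[hostname] = names
    return bad


# Constructed sample certificates; node35 and clustercert come from the error above.
GENERIC = {"subject": ((("commonName", "clustercert.foo.com"),),),
           "subjectAltName": (("DNS", "clustercert.foo.com"),)}
PER_NODE = {"subject": ((("commonName", "node36.foo.com"),),)}
WILDCARD = {"subject": ((("commonName", "*.foo.com"),),),
            "subjectAltName": (("DNS", "*.foo.com"),)}

CLUSTER = {"node35.foo.com": GENERIC, "node36.foo.com": PER_NODE,
           "node37.foo.com": WILDCARD, "node38.rack2.foo.com": WILDCARD}

if __name__ == "__main__":
    for host, names in audit(CLUSTER).items():
        print(f"{host}: certificate names {names} do not match")
```

The audit flags node35.foo.com (generic certificate) and node38.rack2.foo.com, because the wildcard covers only one label.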

When testing connections with other tools, enable them with secure settings. Avoid testing with insecure settings that do not require name matching, for example, curl --insecure. These insecure settings do not identify certificate mismatches and are not supported in DSE tools.