jjb427
Partner - Contributor III

"no alternative certificate subject name matches target host name" when using certificate to query QRS

Hi,

I'm encountering an issue while trying to securely connect to my Qlik Sense server hosted on an AWS EC2 instance from a remote machine using curl. I followed the steps provided in the Qlik documentation to export a set of certificates for this purpose.

The exported server.pem certificate correctly contains the public DNS of the EC2 instance as the Subject Common Name (CN). This aligns with my expectation to use the public DNS for remote connections.

However, when I attempt to establish a connection using curl with the specified certificates, I encounter SSL verification issues. To diagnose the problem, I used the openssl s_client command to inspect the SSL handshake and the certificate being presented by the server:

`openssl s_client -connect <public DNS>:4242 -servername <public DNS>`

Surprisingly, the output indicates that the server is presenting a certificate with the Subject CN set to the private DNS of the EC2 instance, rather than the public DNS specified in server.pem. This discrepancy leads to a "no alternative certificate subject name matches target host name" error from curl, as there's a mismatch between the host I'm connecting to and the CN in the presented certificate.

I'm trying to understand why there's a difference between the CN in the exported server.pem certificate and the CN in the certificate presented during the SSL handshake with the server. Is there a configuration within Qlik Sense that determines which certificate is presented for remote connections, or could this be related to the AWS setup?

Any insights or guidance on resolving this discrepancy would be greatly appreciated, as I aim to establish a secure connection using the public DNS of the EC2 instance.

1 Reply
Marc
Employee

When you export a set of certificates, it does not replace the certificates that are currently in use on the server. The name on the exported certificates identifies the external service that is connecting to the Qlik Environment. 

The Proxy Service can be configured to present a custom certificate to end users on port 443 via the QMC, but you cannot do the same for the service-to-service ports.

The ports used for service-to-service communication use the certificate generated when the node was installed. The port you are trying to connect to is one of these Repository service

The following should work.

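```bash
#!/bin/bash
# Client certificate and key from the exported certificate set
CERT=./client.pem
KEY=./client_key.pem
QServer=sensesrv.domain.tld
# User the request is made as
AuthUserDirectory=UserDirectory
AuthUser=UserID
# The same key is sent in the X-Qlik-Xrfkey header and the xrfkey query parameter
XRFKey=12345678qwertyua
# --insecure: curl does not verify the certificate the server presents
curl --insecure --cert "$CERT" --key "$KEY" \
  -H "Content-type:application/json" \
  -H "X-Qlik-Xrfkey:$XRFKey" \
  -H "X-Qlik-User:UserDirectory=$AuthUserDirectory;UserId=$AuthUser" \
  "https://$QServer:4242/qrs/about/?xrfkey=$XRFKey"
```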
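An added example, not part of the reply above and not Qlik's own code: the same QRS request with server verification left on instead of `--insecure`. It assumes the export also produced a `root.pem` that is the CA which signed the node certificate, and that `CERT_NAME` is the subject name `openssl s_client` showed (the private DNS name); the function names and the `QRS_CURL` override are hypothetical.

```shell
#!/bin/bash
# Added example. Assumptions: root.pem is from the same export as client.pem
# and signed the node certificate; CERT_NAME is the name in the certificate the
# server presents; PUBLIC_HOST is the name reachable from the remote machine.
CERT=./client.pem
KEY=./client_key.pem
ROOT=./root.pem

# Usage: qrs_about CERT_NAME PUBLIC_HOST XRFKEY USERDIRECTORY USERID
qrs_about() {
  local cert_name=$1 public_host=$2 xrf=$3 dir=$4 user=$5

  if [ -z "$cert_name" ] || [ -z "$public_host" ]; then
    echo "certificate name and public host are both required" >&2
    return 2
  fi
  # QRS expects a 16-character key, identical in the header and the query string.
  if [ "${#xrf}" -ne 16 ]; then
    echo "xrfkey must be exactly 16 characters" >&2
    return 2
  fi

  # The URL carries the name that is in the certificate, so SNI and hostname
  # verification use it. --connect-to only redirects the TCP connection to the
  # public name. --cacert pins trust to the exported root instead of the
  # system store, so a certificate from any other CA is rejected.
  # QRS_CURL (hypothetical) lets a test substitute a stub for curl.
  "${QRS_CURL:-curl}" --fail --silent --show-error \
    --cacert "$ROOT" --cert "$CERT" --key "$KEY" \
    --connect-to "$cert_name:4242:$public_host:4242" \
    -H "Content-type:application/json" \
    -H "X-Qlik-Xrfkey:$xrf" \
    -H "X-Qlik-User:UserDirectory=$dir;UserId=$user" \
    "https://$cert_name:4242/qrs/about/?xrfkey=$xrf"
}
```

If curl still reports a verification error with this form, the presented certificate does not chain to the exported `root.pem` or its name differs from `CERT_NAME`.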