7.4. Using Hostname instead of FQDN

The most common error is to define a simple hostname instead of a valid FQDN during installation. This happens if no domain name has been set during the setup step Network Configuration (Domain name).

This leads to a variety of different problems.

The most important problem is that ASGARD Agents that install on endpoints will never be able to resolve and connect to the ASGARD server.

7.4.1. Errors that appear in these cases

Apr 23 12:07:12 debian10-dev/10.10.30.118 ASGARD_AGENT: Error:
could not run: rpc error: code = Unavailable desc = connection
error: desc = "transport: authentication handshake failed: x509:
certificate is valid for wrong-fqdn, not asgard.nextron.internal"

7.4.2. How to Fix a non-existing or wrong FQDN

The FQDN is set at installation time and is composed of the hostname and the domain name. The ASGARD Agents require a resolvable FQDN to operate correctly and connect to the ASGARD Server. One of the processes executed at installation time is the integration of the FQDN, which should be set during installation, into the ASGARD agents. If the FQDN is set incorrectly or either of those values is left empty, the agents will fail to connect to ASGARD.

With this fix we will set a new FQDN for the ASGARD Management Center, recreate the internal certificates, and rebuild the agents.

Warning

The FQDN used in this manual is just an example. Please use the FQDN of your domain. Make sure the FQDN is resolvable via your DNS server.

7.4.2.1. Set a valid FQDN

To set a valid FQDN for your ASGARD Management Center server, follow the steps below. We are assuming that your local DNS server already has an A-Record assigned, so your clients can resolve the new hostname/FQDN of your ASGARD Management Center.

Connect via SSH to the ASGARD Management Center:

user@somehost:~$ ssh nextron@asgard-mc.example.org

Edit the hosts file. Please be careful with the changes in this file, as this might make your system unusable!

nextron@asgard-mc:~$ sudoedit /etc/hosts
[sudo] password for nextron:

You need to change the following line (do not change the IP-Address!):

127.0.0.1       localhost
172.16.0.20     asgard-mc

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

To this (values are examples, please change accordingly!):

127.0.0.1       localhost
172.16.0.20     asgard-mc.example.org asgard-mc

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Note

If you did not set a static IP-Address for your ASGARD Management Center server, the IP-Address in the second line of the file might be 127.0.1.1. This is due to your server using DHCP. We advise using a static IP-Address. To change this, please see Changing the IP-Address.

You can verify if the changes worked. Run the following commands and see the difference in the output:

nextron@asgard-mc:~$ hostname --fqdn
asgard-mc.example.org
nextron@asgard-mc:~$ hostname
asgard-mc

If the first command shows the FQDN and the second one the hostname without domain, your changes were set up correctly and you can continue to the next step.
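The order of the names in the hosts entry matters: the resolver takes the first name after the IP address as the canonical name, which is what hostname --fqdn returns and what ends up in the certificate. The pre-flight check below is an added example, not part of the ASGARD manual; the function names are hypothetical and the sample files are constructed from the manual's example values.

```shell
#!/bin/bash
# Added example, not part of the ASGARD manual. Models how the resolver reads
# /etc/hosts: the first name after the IP address is the canonical name, and
# the first line that lists the hostname wins.

# hosts_canonical_name FILE SHORTNAME -> canonical name for SHORTNAME
hosts_canonical_name() {
    awk -v host="$2" '
        { sub(/#.*/, "") }                      # strip comments
        NF < 2 { next }                         # blank or address-only line
        { for (i = 2; i <= NF; i++)
              if ($i == host) { print $2; exit } }
    ' "$1"
}

# is_fqdn NAME -> 0 if NAME has at least two valid DNS labels
is_fqdn() {
    local label='[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    printf '%s\n' "$1" | grep -Eq "^(${label}\.)+${label}\$"
}

# check_hosts_fqdn FILE SHORTNAME -> verdict on stdout, non-zero if the
# certificate would be issued for something other than a usable FQDN
check_hosts_fqdn() {
    local name
    name=$(hosts_canonical_name "$1" "$2")
    if [ -z "$name" ]; then
        echo "FAIL: no hosts entry lists $2"; return 2
    fi
    if ! is_fqdn "$name" || [ "${name%%.*}" != "$2" ]; then
        echo "FAIL: canonical name is '$name', not an FQDN for $2"; return 1
    fi
    echo "OK: $name"
}

# Constructed sample files using the manual's example values.
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n172.16.0.20 asgard-mc\n' > "$demo/before"
printf '127.0.0.1 localhost\n172.16.0.20 asgard-mc.example.org asgard-mc\n' > "$demo/after"
printf '127.0.0.1 localhost\n172.16.0.20 asgard-mc asgard-mc.example.org\n' > "$demo/swapped"
for f in before after swapped; do
    printf '%-8s ' "$f"; check_hosts_fqdn "$demo/$f" asgard-mc || true
done
rm -rf "$demo"
```

To check the live system, call check_hosts_fqdn with /etc/hosts and the output of hostname before running the certificate fix in the next step.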

7.4.2.2. Recreate the TLS Certificate

We need to recreate the TLS certificate to make the Agent to ASGARD communication possible again. Create a new file which will contain the script with the fix. In this example we'll use nano as the text editor. Make sure that the system has a valid FQDN.

nextron@asgard-mc:~$ nano fix-fqdn.sh

Insert the following content into the text editor:

#!/bin/bash
# Use the system's FQDN as the certificate name and the agent target
export FQDN=$(hostname --fqdn)

# Render the certificate extension file for the new FQDN
sed "s/\$FQDN/${FQDN}/" /etc/asgard-management-center/server_cert_ext.cnf.in > /etc/asgard-management-center/server_cert_ext.cnf
# Create a CSR for the existing key and sign it with the internal CA
openssl req -new -nodes -subj "/O=Nextron Systems GmbH/CN=${FQDN}" -key /etc/asgard-management-center/client-service.key -out /etc/asgard-management-center/client-service.csr
openssl x509 -req -in /etc/asgard-management-center/client-service.csr -CA /etc/asgard-management-center/ca.pem -CAkey /etc/asgard-management-center/ca.key -CAcreateserial -days 36500 -out /etc/asgard-management-center/client-service.pem -extfile /etc/asgard-management-center/server_cert_ext.cnf
# Restart the service so it loads the new certificate, then rebuild the agents
systemctl restart asgard-management-center.service
asgard-agent-repacker -host "$FQDN"

After changing the variables to the desired values, save the file. In nano this can be done by pressing CTRL + X and confirming the changes with y.

Give the created script execution permissions and execute it:

nextron@asgard-mc:~$ chmod +x fix-fqdn.sh
nextron@asgard-mc:~$ sudo ./fix-fqdn.sh

You should now be able to reach the ASGARD Server via the new FQDN. Navigate to https://<YOUR-FQDN>:8443, which reflects the FQDN we set earlier.

At this point you have to install the ASGARD agents on your endpoints again. Remember to review the network requirements section to ensure all needed ports are open to the ASGARD Management Center from your endpoints. See Network Requirements.