scano_183208 asked ·

How do I configure the C# driver to use the correct client certificate?

When I attempt to connect to the Cassandra node with SSL via the C# driver I get a remote mismatch error. I noticed that the cluster always sends a specific cert. I went into the keystore and deleted the cert then added a new one. However, the server still seems to be sending the old cert even though I removed it.

When I try to build the cluster, how can I ensure that the server sends the client the correct cert?

driver, ssl, c#

1 Answer

Erick Ramirez answered ·

@scano_183208 It sounds like you have a configuration issue and you might not have deployed the certificates correctly. Depending on what the exact error message is, you might have an issue with (a) server auth or (b) client auth.

You might need to rebuild your certificate store with the correct certificate using certmgr.msc. Or you might need to reload it if you're loading the certificate in your code. For details, see the TLS/SSL document for the C# driver.

You might also be interested in examples for configuring one-way or two-way SSL in the C# driver on GitHub. Cheers!


Hi Erick,

Thank you again for your assistance!

I tried using the example code you provided before. This is how I know I keep getting a RemoteCertificateNameMismatch, which I believe is due to my addContactPoint() method. I'm connecting with the IP address but the certificate's CN is node1. I added a subjectAltName when I signed the node.csr with the rootCA and private key of DNS:node1, IP: x.x.x.x, then imported the new cert into the keystore and removed the old cert. But it seems that the server is still sending over the old cert.

Would you think that my theory is correct? If so, should I remove the keystore and recreate it?

0 Likes 0 · ·

I would definitely recreate the certificate and key/trust stores. If you missed just one step in the process, your configuration is completely invalid and won't work. Cheers!

0 Likes 0 · ·

RemoteCertificateNameMismatch usually happens when the ServerName does not match the name on the certificate. By default the driver performs DNS reverse resolution to obtain the ServerName, but if you don't have this DNS set up then you need to provide a custom resolver:

Builder.WithSSL(new SSLOptions().SetHostNameResolver(...));

I've created CSHARP-881 to add some notes about this to the C# driver documentation.

2 Likes 2 · ·
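
The custom resolver mentioned in the last comment, as an added example that is not part of the original thread or the driver's own sample code: it maps a contact-point IP to the name in that node's certificate and logs which certificate the node actually presents, while still rejecting any validation error. The address 192.0.2.10 and the class and helper names are assumptions; node1 is the CN from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Cassandra;

public static class TlsConnectExample
{
    // Constructed mapping: contact-point IP -> name present in that node's certificate.
    // 192.0.2.10 is a documentation address (assumption); "node1" is the CN from the thread.
    private static readonly Dictionary<string, string> CertNames =
        new Dictionary<string, string> { { "192.0.2.10", "node1" } };

    // Returns the name the driver hands to the TLS layer for the certificate name check.
    private static string ResolveName(IPAddress ip)
    {
        string name;
        // Unknown nodes fall back to the IP string; the name check still runs against it.
        return CertNames.TryGetValue(ip.ToString(), out name) ? name : ip.ToString();
    }

    // Logs the certificate the node presented, then accepts only when the platform
    // reported no policy errors. Never return true unconditionally here.
    private static bool Validate(object sender, X509Certificate cert,
                                 X509Chain chain, SslPolicyErrors errors)
    {
        if (cert != null)
        {
            var c2 = new X509Certificate2(cert);
            Console.WriteLine("Server cert: {0} thumbprint={1} notBefore={2:u} errors={3}",
                              c2.Subject, c2.Thumbprint, c2.NotBefore, errors);
        }
        return errors == SslPolicyErrors.None;
    }

    public static void Main()
    {
        var ssl = new SSLOptions()
            .SetHostNameResolver(ResolveName)
            .SetRemoteCertValidationCallback(Validate);

        using (var cluster = Cluster.Builder()
            .AddContactPoint("192.0.2.10")
            .WithSSL(ssl)
            .Build())
        using (var session = cluster.Connect())
        {
            Console.WriteLine("Connected to " + cluster.Metadata.ClusterName);
        }
    }
}
```

Comparing the logged thumbprint with the newly issued certificate shows whether the node is still presenting the old one.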