After upgrading OES 2015 SP1 or older OES versions to OES 2018 SP1 or later, during tier creation in CIS management console, the server option fails to list the OES server and displays an error, “Certificate is not valid for any names, but tried to match with <host>”. Because the eDirectory certificates in OES 2015 SP1 and older versions do not add DNS name in the Subject Alternative Name (SAN).
To view the certificate details, run the following command:
openssl x509 -in /etc/ssl/servercerts/servercert.pem -noout -text
The output:
X509v3 Subject Alternative Name: IP Address:192.168.2.33, DNS:blr-2-33.example.com
If the Subject Alternative Name (SAN) value does not display the IP Address and DNS entries, you must repair the eDirectory certificate.
To repair the eDirectory certificates on the upgraded CIS server:
Log in to iManager as Admin.
Go to Roles and Tasks > NetIQ Certificate Server > Repair Default Certificates.
Select the server(s) that own the certificates and click Next.
Choose the default certificate options and then click Next.
Select Yes All Default Certificates will be overwritten.
Select Create SSL CertificateIP and click the other option to specify the IP address you want to use.
Under Default DNS Address, click the other option to specify the DNS address you want to use.
Review the tasks to be performed and select Finish.
Restart eDirectory service.
Restart the following services:
CIS Agent: systemctl restart oes-cis-agent.service
Scanner: systemctl restart oes-cis-scanner.service
Recall Agent: systemctl restart oes-cis-recall-agent.service
For more information on repairing server certificates, see Micro Focus knowledge base article 7013080.