Cluster domain cert issues

[TechTronicLLC]

I have two servers, dns1.domain.com and dns2.domain.com, both already configured for DoT and DoH with valid SSL certs. I created a cluster, and for the domain I entered filter.domain.com and then joined the second server to the cluster. The cluster nodes now appear as dns1.filter.domain.com and dns2.filter.domain.com. Everything seemed OK until I tested the Apps.

When clicking the Config button for any installed Apps on dns2, I get the error:

Error! The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch (dns1.filter.domain.com:53443)

I checked the logs on dns2, and found it full of errors:

Heartbeat failed for Primary node 'dns1.filter.domain.com (, )'.
System.Net.Http.HttpRequestException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch (dns1.filter.domain.com:53443)

Viewing the cluster settings page from dns1 shows the secondary node dns2 is connected; but viewing the cluster settings page from dns2 shows the primary node dns1 as unreachable.

These errors make sense given that the SSL certs are for dnsx.domain.com and not dnsx.filter.domain.com, but what's the solution to this? Is it not possible to use both valid publicly accessible certs for DoT and DoH and the cluster feature simultaneously?

[Hemsby]

You need to add ALT name as the cluster name on the cert.

[ShreyasZare]

Thanks for the post. The cluster feature uses DANE-EE for authenticating each node so the domain name in the certificate does not matter.

The issue you see here is due to the cluster secondary zone on your dns2 server has failed to sync records for some reason and thus there are no TLSA records required for DANE-EE authentication. So, just check the secondary zone and use the Resync option in there to trigger a zone transfer and see if it works.

If the zone transfer is failing, check the DNS logs on both the servers to find the errors related to the zone transfer. The error will give you clue on why its failing. Share any errors you see here or send them to support@technitium.com.

One the secondary zone is synced, the issue you see will go away.

[micush]

I just went through this. Make sure TCP and UDP ports 53 are open between the two cluster members, otherwise the cluster zone will fail to transfer between the two hosts. If running the server on linux, make sure to explicitly tell the server to listen on your IP address and that the port is seen as listening in the os.