Insights Install fails with Error "Subject XXXX is Not Valid to be used for Hostname XXXX"

How do you resolve an Insights install that fails with the error "subject XXXX is not valid to be used for hostname XXXX"?

Troubleshooting Steps: 

  1. Locate the domain certificate that is being used for the install. It should be in the Personal store for the certificates.
    • Open the Manage Computer Certificates app: go to Start -> Run, type certlm.msc, and select OK.
    • Go to the personal node and locate the certificate.
  2. Right-click the certificate and select 'Open'. Go to the Details tab. Locate the 'Thumbprint' property and copy it.
    • Also check the SAN (Subject Alternative Name) property and make sure that it has the desired hostname for the server. If it does not contain the hostname in the SAN entry then the wrong cert is being used. Talk to your network admin to get the correct certificate generated.
    • Alternatively, if the certificate does not have a SAN attribute, that means the certificate will not be automatically trusted by modern browsers. The recommendation at this point would be to regenerate the certificate with the SAN attribute and ensure that it contains the hostname in the SAN attribute.
  3. Open Notepad or Notepad++. Paste in the following command:
    • (gci Cert:\LocalMachine\My\XXXXXXXXXX).GetNameInfo("DnsName", $false)
  4. Replace XXXXXXXXXX with the thumbprint. Make sure to remove any spaces.
    • On Windows Server 2016, the thumbprint may contain hidden special characters. See removing the character
    • If this step is not done, the special character will show up as a '?' when the constructed command is executed. It can simply be deleted.
  5. Execute the command from PowerShell: (gci Cert:\LocalMachine\My\XXXXXXXXXX).GetNameInfo("DnsName", $false)
  6. If it does not return the desired hostname, but the certificate is valid for the desired hostname, then this is the reason the installer is throwing an error. This bug currently affects 20.4.3-20.10.2.
  7. Continue with the install, but on the Insights Server configuration page, select 'Create Self Signed Cert'.
  8. After the install, go through the section 'Changing the Insights Certificate'
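
The checks from steps 2 to 6, as an added PowerShell example that is not part of the original article or the Insights installer: it strips spaces and hidden characters from a pasted thumbprint, then compares the GetNameInfo result with the certificate's SAN DNS entries. The function name Test-InstallCertName and the sample hostname are hypothetical, and the SAN parsing assumes English-language Windows output.

```powershell
# Added example; Test-InstallCertName and the sample hostname are hypothetical names.
function Test-InstallCertName {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # as pasted from the Details tab
        [Parameter(Mandatory)] [string] $HostName      # hostname the install should use
    )

    # Report anything that is not a hex digit (spaces, hidden marks such as U+200E).
    $stray = [char[]]$Thumbprint | Where-Object { $_ -notmatch '[0-9A-Fa-f]' }
    foreach ($c in $stray) {
        Write-Warning ('Removing non-hex character U+{0:X4} from thumbprint' -f [int]$c)
    }
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($clean.Length)."
    }

    # Personal store of the local machine, as in step 1.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$clean" -ErrorAction Stop

    # Same call as in the article: the single name .NET reports as the DNS name.
    $dnsName = $cert.GetNameInfo('DnsName', $false)

    # SAN extension (OID 2.5.29.17). Format() text is locale dependent;
    # 'DNS Name=' is what English-language Windows emits (assumption).
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # Exact, case-insensitive comparison; wildcard SAN entries are not expanded.
    [pscustomobject]@{
        Thumbprint        = $clean
        Subject           = $cert.Subject
        GetNameInfoResult = $dnsName
        SanDnsNames       = $sanNames
        HostInSan         = $sanNames -contains $HostName
        GetNameInfoMatch  = $dnsName -eq $HostName
    }
}

# Constructed sample values; replace with the real thumbprint and hostname.
# Test-InstallCertName -Thumbprint '<thumbprint from certlm.msc>' -HostName 'insights.example.com'
```

A result with HostInSan true and GetNameInfoMatch false is the situation described in step 6; HostInSan false points to the wrong certificate, as in step 2.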

Changing the Insights Certificate

  1. All the following steps should be done on the Insights Server.
  2. Important: The new certificate must support the original website hostname of Insights. Updating the website hostname for the insights site is a separate activity.
  3. Ensure that a PFX is available for the certificate. Also note that modern browsers require that a certificate have a SAN attribute that maps to the certificate subject name. This should be the certificate that was originally intended to be used by the Insights server.
  4. Once the PFX file is generated, import it into the personal store. 
    • See Installation of Self Signed Certificate
    • In the above step, instead of importing the certificate to trusted root, import it to the "Personal" Node.
    • Additionally, the password for the PFX will need to be entered to import the certificate.
  5. After importing the certificate into the personal node, right click the certificate and select 'Open'. Then go to the Details section and select 'Copy To File'.
    • When asked if the private keys should be exported, select 'No'.
    • When asked for the file type, select 'Base-64 encoded X.509 (.CER)'.
  6. If the PFX file was generated via MMC, redo the above step, but export the private keys. Also the format will be pre-set.
  7. Once the .CER file and the PFX file have been generated go to http://localhost:3030
  8. On the webpage in the Update Certificate section, select 'browse'
  9. Select the PFX file and enter the password. When done, select 'Upload'
  10. After the upload is complete, the SSL certificate will need to be added. Open the .CER file that was created in step 5 in Notepad.
  11. Copy the contents exactly and paste it into the section 'SSL Certificate'
  12. After this is done, select 'Save'.
  13. After this is done, double click the .CER file and import it into Trusted Root. See Installation of Self Signed Certificate
    • Insights needs the Public Certificate to be in Trusted Root.
  14. Try going to https://InsightsURL - If it loads, then everything is complete.