When deploying Splunk AppDynamics on-premises, you will have access to the controller app server on the following ports:
Name | Port | Description |
Controller App Server (Primary) | 8090 | HTTP |
Controller App Server (SSL) | 8181 | HTTPS |
However, when you open the controller in the browser on port 8181, you might get this error:
The error means that the CN and SAN values of the generated self-signed certificate (most probably localhost for both) do not match the hostname you are using to open the controller page in the browser.
There are two options to solve this issue:
Option 1
Generate a new SSL certificate whose CN and SAN are the same as the hostname of the server. The documentation at Secure the Platform > Controller SSL and Certificates describes how to generate the new certificate.
Option 2
Disable the SNI Host Check on Jetty (Read more: jetty.ssl.sniHostCheck).
This solution applies to Enterprise Console >= 23.11, where the Controller uses the Jetty application server instead of GlassFish.
This option involves changing the default value of sniHostCheck from true to false. The steps are straightforward.
I assume you installed your Splunk AppDynamics controller instance on a Linux server/VM.
$ cd /opt/appdynamics/platform/product/controller/appserver/jetty/etc
$ cat jetty-ssl.xml
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<!-- ============================================================= -->
<!-- Base SSL configuration -->
<!-- This configuration needs to be used together with 1 or more -->
<!-- of jetty-https.xml or jetty-http2.xml -->
<!-- ============================================================= -->
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the -->
  <!-- common HttpConfiguration defined in jetty.xml -->
  <!-- Add a SecureRequestCustomizer to extract certificate and -->
  <!-- session information -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <Arg name="sniRequired" type="boolean"><Property name="jetty.ssl.sniRequired" default="false"/></Arg>
          <Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
          <Arg name="stsMaxAgeSeconds" type="int"><Property name="jetty.ssl.stsMaxAgeSeconds" default="-1"/></Arg>
          <Arg name="stsIncludeSubdomains" type="boolean"><Property name="jetty.ssl.stsIncludeSubdomains" default="false"/></Arg>
        </New>
      </Arg>
    </Call>
  </New>
</Configure>
As the output of jetty-ssl.xml shows, the default value of the jetty.ssl.sniHostCheck property is "true":
<Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="true"/></Arg>
It needs to be changed to "false":
<Arg name="sniHostCheck" type="boolean"><Property name="jetty.ssl.sniHostCheck" default="false"/></Arg>
You will need to make the same change in the jetty-ssl.xml.j2 file as well.
Changing the SNI host check value to false bypasses the check of whether the certificate sent to the client matches the Host header.
Finally, restart the controller app server. After the restart completes, you will be able to open your Splunk AppDynamics controller via HTTPS on port 8181.
Thanks,
Osama Abbas
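
The Option 2 edit described above, as an added example that is not part of the original article: a POSIX shell helper that reads and sets the jetty.ssl.sniHostCheck default in the files passed to it and keeps a one-time .orig copy, so the value can be put back to true once a certificate matching the hostname (Option 1) is installed. The function names, the script name in the usage comment and the .orig suffix are hypothetical, and it assumes each file contains the single-line Property element shown in the article.

```shell
#!/bin/sh
# Added example (not from the article): audit and toggle jetty.ssl.sniHostCheck.
# Assumption: the file holds the single-line <Property .../> form shown above.
PROP='jetty.ssl.sniHostCheck'

# Print the current default ("true" or "false"); fail if the property is absent.
get_sni_host_check() {
    val=$(sed -n "s/.*<Property name=\"$PROP\" default=\"\([a-z]*\)\"\/>.*/\1/p" "$1")
    [ -n "$val" ] || { echo "error: $PROP not found in $1" >&2; return 1; }
    printf '%s\n' "$val"
}

# Set the default to true or false in one file, keeping a pristine .orig copy.
set_sni_host_check() {
    file=$1
    new=$2
    case $new in
        true|false) ;;
        *) echo "error: value must be true or false" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "error: $file not found" >&2; return 1; }
    # Refuse to edit unless exactly one matching line exists.
    count=$(grep -c "<Property name=\"$PROP\" default=" "$file") || true
    [ "$count" -eq 1 ] || { echo "error: expected 1 $PROP line in $file, found $count" >&2; return 1; }
    old=$(get_sni_host_check "$file") || return 1
    [ "$old" = "$new" ] && { echo "$file: already $new"; return 0; }
    # Save the original once; later toggles never overwrite it.
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp="$file.tmp.$$"
    # Write through cat so the file keeps its owner and permissions.
    if sed "s/\(<Property name=\"$PROP\" default=\"\)[a-z]*\"/\1$new\"/" "$file" > "$tmp"; then
        cat "$tmp" > "$file"
    fi
    rm -f "$tmp"
    [ "$(get_sni_host_check "$file")" = "$new" ] || { echo "error: edit of $file failed" >&2; return 1; }
    echo "$file: $old -> $new (original kept as $file.orig)"
}

# Usage (hypothetical script name):
#   sh sni_host_check.sh false jetty-ssl.xml jetty-ssl.xml.j2
if [ "$#" -ge 2 ]; then
    value=$1
    shift
    for f in "$@"; do
        set_sni_host_check "$f" "$value" || exit 1
    done
fi
```

Restart the controller app server after running it, as in the final step above.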