doc: Add note about certificate creation when using SSL

Signed-off-by: Sol Jerome <solj@ices.utexas.edu>

git-svn-id: https://svn.mcs.anl.gov/repos/bcfg/trunk/bcfg2@5670 ce84e21b-d406-0410-9b95-82705330c041

1 files changed, 17 insertions, 2 deletions

diff --git a/doc/authentication.txt b/doc/authentication.txt
index 2a72917a3..56cb7ce3e 100644
--- a/doc/authentication.txt
+++ b/doc/authentication.txt
@@ -77,8 +77,8 @@ per-client passwords set will not be able to connect.
 SSL Cert-based client authentication
 ====================================
 
-As of 1.0pre3, SSL-based client authentication is supported. This
-requires several things:
+SSL-based client authentication is supported. This requires several
+things:
 
 #. Certificate Authority (to sign all keys)
 
@@ -98,6 +98,21 @@ using the following set of steps:
 
    http://www.flatmtn.com/article/setting-ssl-certificates-apache
 
+   .. note::
+       The client CN must be the FQDN of the client (as returned by a
+       reverse DNS lookup of the ip address. Otherwise, you will end up
+       with an error message on the client that looks like::
+
+           Server failure: Protocol Error: 401 Unauthorized
+	   Failed to download probes from bcfg2
+	   Server Failure
+
+       on the client. You will also see an error message on the server
+       that looks something like::
+
+           cmssrv01 bcfg2-server[9785]: Got request for cmssrv115 from incorrect address 131.225.206.122
+           cmssrv01 bcfg2-server[9785]: Resolved to cmssrv115.fnal.gov
+
 #. Distribute the keys and certs to the appropriate locations
 
 #. Copy the ca cert to clients, so that the server can be authenticated